Differences

This shows you the differences between two versions of the page.

en:system:userspace:open_doas [2023/02/20 23:03]
i3_relativism [Bash tab completion]
en:system:userspace:open_doas [2025/04/21 02:01] (current)
throgh [Usage]
Line 12: Line 12:
 ===== Installation ===== ===== Installation =====
  
-To install [[https://www.hyperbola.info/packages/core/x86_64/opendoas/|opendoas]] just use:+To install [[https://www.hyperbola.info/packages/?q=opendoas|opendoas]] just use:
  
 <code bash> <code bash>
-pacman -S doas+pacman -S opendoas
 </code> </code>
  
-<note important>dont forget to update your local package database before installing</note>+<note important>Don'forget to update your local package database before starting the installation!</note>
  
 ===== Usage ===== ===== Usage =====
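Review bot: the added <note important> line contains a typo, "Don'forget", which should read "Don't forget". The rest of the hunk is consistent: the pacman line now installs opendoas, matching the package named in the link.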
Line 29: Line 29:
  
 <code bash> <code bash>
-$ doas ''cmd''+$ doas COMMAND
 </code> </code>
  
Line 61: Line 61:
 The configuration file must end with a newline The configuration file must end with a newline
 </note> </note>
 +
 +For example, to allow members of the <color #620BB9/#EEDDFF>libre</color> group to run **smartctl** without password as **Root user**.
 +
 +Edit <color #620BB9/#EEDDFF>/etc/doas.conf</color>:
 +
 +<code bash>
 +permit nopass :libre as root cmd /usr/bin/smartctl
 +</code>
 ==== Basic setup ==== ==== Basic setup ====
  
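Review bot: the added rule "permit nopass :libre as root cmd /usr/bin/smartctl" has no args clause, so every member of the libre group can run smartctl as root with any arguments and without a password. State that next to the example, or show a variant restricted with args. The lead-in is also a sentence fragment ending in a period ("For example, to allow members of ... as **Root user**."); end it with a colon or merge it with "Edit /etc/doas.conf:". A blank line is missing between the closing </code> and "==== Basic setup ====", and the example now sits ahead of the section that introduces the rule syntax.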
Line 76: Line 84:
 </code> </code>
  
 +<note tip>
 To check <color #620BB9/#EEDDFF>/etc/doas.conf</color> for syntax errors, run: To check <color #620BB9/#EEDDFF>/etc/doas.conf</color> for syntax errors, run:
  
Line 81: Line 90:
  # doas -C /etc/doas.conf && echo "config ok" || echo "config error"   # doas -C /etc/doas.conf && echo "config ok" || echo "config error" 
 </code> </code>
 +</note>
  
 <note important> <note important>
 It is imperative that <color #620BB9/#EEDDFF>/etc/doas.conf</color> is free of syntax errors! It is imperative that <color #620BB9/#EEDDFF>/etc/doas.conf</color> is free of syntax errors!
 </note> </note>
- 
-To allow members of the <color #620BB9/#EEDDFF>libre</color> group to run **smartctl** without password as **Root user**. 
- 
-Edit <color #620BB9/#EEDDFF>/etc/doas.conf</color>: 
- 
-<code bash> 
-permit nopass :libre as root cmd /usr/bin/smartctl 
-</code> 
- 
-WIP??!question 
-what is smartctl is this systemd related? 
-endWIP??! 
 ==== Rulesets ==== ==== Rulesets ====
  
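Review bot: the removed WIP block asked what smartctl is, and the change deletes the question without answering it. Where the smartctl example is kept, add one sentence saying what the tool does, so a reader can judge what the nopass rule grants.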
Line 300: Line 298:
  
 ==== Authentication ==== ==== Authentication ====
 +=== Nopass feature ===
  
 The **<color #816E00/#FAE65B>nopass</color>** keyword provides the ability to perform actions without having to enter a password. The **<color #816E00/#FAE65B>nopass</color>** keyword provides the ability to perform actions without having to enter a password.
Line 309: Line 308:
 </code> </code>
  
-<note warning> +=== Persist feature ===
-Due to OpenBSD-specific kernel API required by **doas** to set and clear timeouts, the **<color #816E00/#FAE65B>persist</color>** feature is disabled by default in the ''OpenDoas'' port. +
-</note>+
  
-With the **<color #816E00/#FAE65B>persist</color>** keyword **doas** can remember an authenticated user and will not require confirmation by password for **five minutes**.+**doas** provides the <color #620BB9/#EEDDFF>persist</color> feature: after the user successfully authenticates. There will be presistance and an authenticated user, will be remember, and not be prompted or a password will not require be required confirmation for **five minutes** . It is disabled by default, enable it with the **<color #816E00/#FAE65B>persist</color>** option.
  
 Edit  <color #620BB9/#EEDDFF>/etc/doas.conf</color>, to not require passwords for five minutes for all users in the //wheel//: Edit  <color #620BB9/#EEDDFF>/etc/doas.conf</color>, to not require passwords for five minutes for all users in the //wheel//:
Line 321: Line 318:
 </code> </code>
  
 +<note warning>
 +Due to OpenBSD-specific kernel API required by **doas** to set and clear timeouts, the **<color #816E00/#FAE65B>persist</color>** feature is disabled by default in the ''OpenDoas'' port, and because it is new and potentially dangerous. In the original ''doas'', a kernel API is used to set and clear timeouts. This API is OpenBSD specific and no similar API is available on other operating systems. As a workaround, the **<color #816E00/#FAE65B>persist</color>** feature is implemented using timestamp files similar to ''sudo''.
 +</note>
 ==== Testing ==== ==== Testing ====
  
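Review bot: the rewritten persist paragraph is not readable as committed ("There will be presistance and an authenticated user, will be remember, and not be prompted or a password will not require be required confirmation"). Suggested wording: "**doas** provides the persist feature: after a user authenticates successfully, they are not prompted for a password again for **five minutes**. It is disabled by default; enable it with the **persist** option." The first mention of persist also uses the file-path colour (#620BB9/#EEDDFF) rather than the keyword colour (#816E00/#FAE65B) used elsewhere in the hunk. In the merged <note warning>, the OpenBSD kernel API is explained twice and "and because it is new and potentially dangerous" does not parse; keep one statement of each reason, followed by the timestamp-file workaround. Add a blank line between </note> and "==== Testing ====".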
Line 359: Line 359:
 ===== Bash tab completion ===== ===== Bash tab completion =====
  
-By default Bash will only tab complete files and directories within the current or referenced directory. To tell Bash to complete arguments as if they were separate commands (also leveraging the tab completion settings of other commands) the following can be added to either the users WIP.bashrc, or the global /etc/bash.bashrc:+By default Bash will only tab complete files and directories within the current or referenced directory. To tell Bash to complete arguments as if they were separate commands (also leveraging the tab completion settings of other commands) the following can be added to either the users .bashrc, or the global /etc/bash.bashrc:
  
 <code bash> <code bash>
Line 365: Line 365:
 </code> </code>
  
-===== Tips and tricks ===== 
- 
-==== doas persist feature ==== 
- 
-''doas'' provides a "persist" feature: after the user successfully authenticates, they will not be prompted for a password again for some time. It is disabled by default, enable it with the **<color #816E00/#FAE65B>persist</color>** option in <color #620BB9/#EEDDFF>/etc/doas.conf</color>: 
- 
-<code bash> 
-permit persist :wheel 
-</code> 
- 
-<note> 
-The **<color #816E00/#FAE65B>persist</color>** feature is disabled by default and because it is new and potentially dangerous. In the original ''doas'', a kernel API is used to set and clear timeouts. This API is OpenBSD specific and no similar API is available on other operating systems. As a workaround, the **<color #816E00/#FAE65B>persist</color>** feature is implemented using timestamp files similar to ''sudo''. 
-</note> 
  
-==== Smooth transition sudo to doas ====+===== Smooth transition sudo to doas =====
  
 For a smooth transition from ''sudo'' to ''doas'' and to stay downward compatible, you could add to your environment: For a smooth transition from ''sudo'' to ''doas'' and to stay downward compatible, you could add to your environment:
Line 405: Line 392:
 </note> </note>
  
-==== See also ====+===== See also =====
  
   * See also [[en:philosophy:sudo_complexity|sudo]].   * See also [[en:philosophy:sudo_complexity|sudo]].
Line 413: Line 400:
 ==== External resources ==== ==== External resources ====
  
-WIP 
 "It would not have been possible to finish doas without the support of many other OpenBSD developers and users. In particular, Vadim Zhukov contributed immensely to the config parser and regress testsuite; Todd Miller, Damien Miller, and Martijn van Duren provided ideas and inspiration; Theo de Raadt provided backup to rejecting feature requests; Henning Brauer gave me the idea for tying authorization persistence to the terminal; and I owe Michael Lucas for stealing a catchy title." "It would not have been possible to finish doas without the support of many other OpenBSD developers and users. In particular, Vadim Zhukov contributed immensely to the config parser and regress testsuite; Todd Miller, Damien Miller, and Martijn van Duren provided ideas and inspiration; Theo de Raadt provided backup to rejecting feature requests; Henning Brauer gave me the idea for tying authorization persistence to the terminal; and I owe Michael Lucas for stealing a catchy title."