Setting up doas

Enable doas for user

It is generally not recommended on any *NIX-based system to log in as root on a regular basis. Apart from the security reasons, not logging in directly as root also prevents you from making dumb mistakes and causing issues (with a less privileged account, less can usually break). On Linux, this is solved with the sudo program. It allows you to elevate privileges to root, set which accounts are allowed to do so, perform actions on behalf of different accounts, restrict accounts to executing only some commands as root, etc. The number of options makes sudo rather bloated according to some people. doas was created to offer a simpler alternative. Its main function is essentially the same as sudo's: safely elevate privileges, run commands as another user, etc. Because doas is simpler and has a smaller codebase (easier to audit, less room for error), OpenBSD uses it instead of sudo.

We currently have two accounts - root and the user account you have created during the setup, let's say it's bob.

Log in as root to create the configuration file. Doas comes preinstalled but doesn't create the configuration file by default, so we have to do it manually.

touch /etc/doas.conf

We are going to allow a special group called wheel (which our account bob should be part of by default) to execute commands as root. To check if your account is in the wheel group, use the groups {user} command or groupinfo wheel:

$ groups bob
bob wheel
$ groupinfo wheel
name	wheel
passwd	*
gid		0
members root bob

Open /etc/doas.conf in your favorite editor and add the following to the first line. For additional commands and information, run man doas.conf.

  • permit - We want to permit the wheel group to do certain things; use deny to deny.
  • nopass - I have a long password and I'm fine with typing it in only to log in. This option makes sure that when I call doas, it doesn't ask for a password. To type your password every time you want to use doas, omit this option. Alternatively, replace it with persist so it won't ask you for a password again for 5 minutes.
  • :wheel - Apply the previously mentioned options to the wheel group.

(root)$ nvim /etc/doas.conf

The command above will only work if you have neovim installed. If not, use the default vi.

/etc/doas.conf:

permit nopass :wheel

To test your configuration file, run doas -C /etc/doas.conf {command}, replacing {command} with anything like cat, vi, etc. This will tell you whether you are allowed to run that specific command as root. We should now be able to run all commands as root. You may need to log out and log back in if it doesn't work at first.

After you are done with the steps above, make sure /etc/doas.conf is owned by root and group wheel and has sane permissions (only writable by root). I also like tightening permissions even further; you might not want to do the same.

doas chmod 400 /etc/doas.conf
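
The checks from this section collected into one POSIX sh audit, as an added example that is not part of the original page: it verifies the root:wheel ownership and write permissions asked for above, and lists rules carrying nopass, since any process running as a member of the permitted group then becomes root without a password prompt. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit a doas.conf.

# List "permit" rules that carry nopass, as "LINE: rule". Options sit between
# the action and the identity, so scanning stops at "as"/"cmd" to avoid
# matching a command argument spelled "nopass".
# Assumption: one rule per line, no backslash continuations.
nopass_rules() {
    awk '{ sub(/#.*/, "") }    # drop comments
         $1 == "permit" {
             for (i = 2; i <= NF; i++) {
                 if ($i == "as" || $i == "cmd") break
                 if ($i == "nopass") { print NR ": " $0; break }
             }
         }' "$1"
}

# True when neither group nor other may write to the file.
not_group_or_world_writable() {
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# True when the file is owned by root and group wheel, as the page asks.
owned_by_root_wheel() {
    [ -n "$(find "$1" -prune -user root -group wheel)" ]
}

audit_doas_conf() {
    rc=0
    owned_by_root_wheel "$1" || { echo "FAIL: $1 not owned by root:wheel"; rc=1; }
    not_group_or_world_writable "$1" || { echo "FAIL: $1 writable by group/other"; rc=1; }
    hits=$(nopass_rules "$1")
    [ -z "$hits" ] || { echo "WARN: passwordless rules:"; echo "$hits"; }
    return $rc
}

# Constructed sample config for trying nopass_rules without touching /etc.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a recommended policy
permit nopass :wheel
permit persist bob as root
permit bob cmd echo args nopass   # "nopass" here is a command argument
deny bob cmd reboot
EOF
}

# Run as: sh audit.sh /etc/doas.conf   (the script name is an assumption)
if [ $# -gt 0 ]; then audit_doas_conf "$1"; fi
```
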