Setting up doas
Enable doas
for user
It is generally not recommended on any *NIX-based system to login as root
on a regular basis. Apart from security reasons, not logging directly as root
also prevents you from making dumb mistakes and causing issues (with a less privileged account, usually less stuff can break). On Linux, this is solved by leveraging the sudo
program. It allows you to elevate privileges to root
, set which accounts are allowed to do so, perform actions on behalf of different accounts, restrict accounts to execute only some commands as root
etc. The amount of options makes sudo
rather bloated according to some people. To offer a simpler alternative to sudo
, doas
was created. Doas
's main fuction is essentially the same as sudo
- safely elevate privileges, run commands as another user etc. Due to it's simplicity and smaller codebase (easier to audit, less room for error), OpenBSD uses the simpler doas
program.
We currently have two accounts - root
and the user account you have created during the setup, let's say it's bob
.
Login as root
to create configuration file. Doas
comes preinstalled, but doesn't create the configuration file by default, we have to do it manually.
touch /etc/doas.conf
We are going to allow a special group called wheel
(which our account bob
should be part of by default) to execute commands as root
. To check if your account is in the wheel
group, use the groups {user}
command or groupinfo wheel
$ groups bob
bob wheel
$ groupinfo wheel
name wheel
passwd *
gid 0
members root bob
Open /etc/doas.conf in your favorite editor and add the following to the first line. For additional commands and information, run man doas.conf
.
permit
- We want to permit the wheel group to do certain things, use deny to denynopass
- I have a long password and I'm fine with typing in only to log in, this option makes sure that when I call doas, it doesn't ask for a password. To type password every time you want to use doas, omit this option. Alternatively, replace with persist so it won't ask you for a password for 5 minutes.:wheel
- Apply the previously mentioned options to the wheel group.
(root)$ nvim /etc/doas.conf
The command above will only work if you have neovim
installed. If not, use the default vi
.
permit nopass :wheel - /etc/doas.conf
To test your configuration file, run doas -C /etc/doas.conf {command}
, replace {command}
with anything like cat
, vi
etc. This will tell you whether you are allowed to run that specific command as root
. We should be now able to run all commands as root
. You may need to log in/log out if it doesn't work at first.
After you are done with the steps above, make sure /etc/doas.conf
is owned by root
and group wheel
and has sane permissions (only writable by root
). I also like tightening permissions even further, you might not want to do the same.
doas chmod 400 /etc/doas.conf