Attempt to create .deps directory every time we build objects.

[doas.git] / doas.conf.5

.\" $OpenBSD: doas.conf.5,v 1.31 2016/12/05 10:58:07 schwarze Exp $
.\"
.\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
.\"
.\"Permission to use, copy, modify, and distribute this software for any
.\"purpose with or without fee is hereby granted, provided that the above
.\"copyright notice and this permission notice appear in all copies.
.\"
.\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.Dd $Mdocdate: @ATIME@ $
.Dt DOAS.CONF 5
.Os
.Sh NAME
.Nm doas.conf
.Nd doas configuration file
.Sh SYNOPSIS
.Nm @DOAS_CONF@
.Sh DESCRIPTION
The
.Xr doas 1
utility executes commands as other users according to the rules
in the
.Nm
configuration file.
.Pp
The rules have the following format:
.Bd -ragged -offset indent
.Ic permit Ns | Ns Ic deny
.Op Ar options
.Ar identity as target
.Op Ic execute { Ar command line Oc Ic }
.Ed
.Pp
Rules consist of the following parts:
.Bl -tag -width 11n
.It Ic permit Ns | Ns Ic deny
The action to be taken if this rule matches.
.It Ar options
Options are:
.Bl -tag -width keepenv
.It Ic nopass
The user is not required to enter a password.
.It Ic nolog
Do not log successful command execution to
.Xr syslogd.
.It Ic persist
After the user successfully authenticates, do not ask for a password
again for some time. Works on Linux, FreeBSD and OpenBSD only.
.It Ic inheritenv
The user's environment is maintained.
The default is to reset the environment, except for the variables
.Ev DISPLAY
and
.Ev TERM .

Note: In order to be able to run most desktop (GUI) applications, the user needs to
have the inheritenv keyword specified. If inheritenv is not specified then key elements, like
the user's $HOME variable, will be reset and cause the GUI application to crash.
Users who only need to run command line applications can usually get away without
inheritenv. When in doubt, try to avoid using inheritenv as it is less secure to have
environment variables passed to privileged users.

Note: The target user's PATH variable can be set at compile time by adjusting the
GLOBAL_PATH variable in doas's Makefile. By default, the target user's path will
be set to "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:"
.It Ic setenv { Oo Ar variable=value ... Oc Ic }
In addition to the variables mentioned above, keep the space-separated
specified variables.
.It Ic keepenv { Oo Ar variable ... Oc Ic }
Keeps the variables in environ.
.It Ic unsetenv { Oo Ar variable ... Oc Ic }
Remove the variables from environ.
.El
.It Ar identity
It identitificates the user this rule can be applied by. User can be
identitificated by its username (or uid), or groupname (or gid), or all together:

.Bl -tag -width keepenv
.It Ar uid
.It Ar 'username'
The user with specified uid or username can apply this rule.
The user do not have to belong any special group.

.It Ic from Ar gid
.It Ic from Ar 'groupname'
Any user from the group with specified gid or groupname can apply this rule.

.It Ar uid Ic from Ar gid
.It Ar 'username' Ic from Ar gid
.It Ar uid Ic from Ar 'groupname'
The user with specified uid or username and belonging to specified group with gid or groupname
can apply this rule.
.El

.It Ic as Ar target
The target user the running user is allowed to run the command as.
The default is all users.
.It Ic execute { Ar [ command-list ] [argument1-list] ... Ic }
The command(s) the user is allowed or denied to run.
The default is all commands.
Be advised that it is best to specify absolute paths.
If a relative path is specified, only a restricted
.Ev PATH
will be searched.

Arguments lists are arguments to command.
The command arguments provided by the user need to match those specified.

Also, instead of any of the lists, the ellepsis
.Pq Sq \...
can be specified, which means that anything can be inthere.

The
.Ar list
is either just
.Ic "string"
or
.Ic [ "string", "list" ].
.El
.Pp
The last matching rule determines the action taken.
If no rule matches, the action is denied.
.Pp
Comments can be put anywhere in the file using a hash mark
.Pq Sq # ,
and extend to the end of the current line.
.Pp
The following quoting rules apply:
.Bl -dash
.It
The text between a pair of double quotes
.Pq Sq \&"
is taken as is.
.It
The backslash character
.Pq Sq \e
escapes the next character, including new line characters, outside comments;
as a result, comments may not be extended over multiple lines.
.It
If quotes or backslashes are used in a word,
it is not considered a keyword.
.El
.Sh NOTES

Usernames and groupnames must match
.Ar [a-z_][a-z0-9_\-]{0,30}[a-z0-9_\-$\]?
pattern and must be enclosed in single
.Pq Sq \&'
quotes.

To make editing the doas.conf file safer, a convenience script called
vidoas is included with the doas software. This script can be run as
the root user (or via doas or sudo) and automatically checks the syntax of the doas.conf file
before installing it on the system.

Please take note that it is a bad idea to assign permission to users
implicitly, even if blocking/denying exceptions are made.

.Sh EXAMPLES
The following example permits users in group wsrc to build ports;
wheel to execute commands as any user while keeping the environment
variables
.Ev PS1
and
.Ev SSH_AUTH_SOCK
and
unsetting
.Ev ENV ;
permits tedu to run procmap as root without a password;
and additionally permits root to run unrestricted commands as itself.
.Bd -literal -offset indent
# Non-exhaustive list of variables needed to
# build release(8) and ports(7)
permit nopass keepenv { \e
        "FTPMODE", "PKG_CACHE", "PKG_PATH", "SM_PATH", "SSH_AUTH_SOCK", \e
        "DESTDIR", "DISTDIR", "FETCH_CMD", "FLAVOR", "GROUP", "MAKE", \e
        "MAKECONF", "MULTI_PACKAGES", "NOMAN", "OKAY_FILES", "OWNER", \e
        "PKG_DBDIR", "PKG_DESTDIR", "PKG_TMPDIR", "PORTSDIR", "RELEASEDIR", \e
        "SHARED_ONLY", "SUBPACKAGE", "WRKOBJDIR", "SUDO_PORT_V1" } from 'wsrc'
permit unsetenv { "ENV" } keepenv { "PS1=$DOAS_PS1", "SSH_AUTH_SOCK" } from 'wheel'
permit nopass 'tedu' as 'root' execute { "/usr/sbin/procmap" ... }
permit nopass inheritenv 'root' as 'root'

.Ed
Let us clearify the meaning and usage of string lists:
.Bd -literal -offset indent
permit 'serge' as 'michael' execute { [ "/usr/bin/ls", "/usr/bin/cat" ] }
.Ed
Following this rule, Serge can execute as Michael two programs: /usr/bin/ls and /usr/bin/cat. This rule actually equal to rule below:
.Bd -literal -offset indent
permit 'serge' as 'michael' execute { "/usr/bin/ls" }
permit 'serge' as 'michael' execute { "/usr/bin/cat" }
.Ed

Keep in mind, that rules
.Bd -literal -offset indent
permit 'serge' as 'michael' execute { "/usr/bin/ls" }
.Ed
and
.Bd -literal -offset indent
permit 'serge' as 'michael' execute { [ "/usr/bin/ls" ] }
.Ed
are
.Ic absolutely equal .

.Sh SEE ALSO
.Xr doas 1
.Sh HISTORY
The
.Nm
configuration file first appeared in
.Ox 5.8 .
.Sh AUTHORS
.An Sergey Sushilin Aq Mt sergeysushilin@protonmail.com
.An Ted Unangst Aq Mt tedu@openbsd.org