Doas Command - Execute Commands as Another User

Learn how to use the doas command to execute commands as another user, with examples for running as root and configuring permissions in /etc/doas.conf.

Doas Command

The doas command is a lightweight alternative to sudo, originating from OpenBSD. It simplifies the process of executing commands as another user, particularly as the root user, addressing the complexity often associated with sudo's default configurations.

Execute Commands as Another User

The primary function of doas is to allow users to run commands with the privileges of another user. By default, if no user is specified, doas will attempt to execute the command as the root user.

# Execute COMMAND as USER. If the -u option is not specified, `doas` will by
# default operate as the 'root' user.
doas -u USER COMMAND

Running Commands as Root

A common use case is executing commands that require root privileges. For instance, the sensitive /etc/shadow file can be viewed by running cat through doas.

# Show the contents of '/etc/shadow' as root
doas cat /etc/shadow

You can also execute your default shell as root using the -s option.

# Execute the shell defined in `$SHELL` as root
doas -s

Configuring Doas Permissions

Permissions for executing commands as other users are managed in the configuration file /etc/doas.conf. This file allows for fine-grained control over who can run what commands as whom.

Granting Permissions to a Group

To allow all users in the wheel group to execute commands as root, you can add the following line to /etc/doas.conf. The permit directive grants access. The persist option means doas will only prompt for a password once per shell session. Using a colon (:) before wheel signifies it's a group.

# Allow members of group 'wheel' to run commands as root
permit persist keepenv :wheel

The keepenv option preserves the invoking user's current environment variables for the command being run.

Denying Permissions

Conversely, you can explicitly deny permissions. The following line would prevent a specific user from running commands as anon (or root if no target user is specified).

# Deny 'user' the ability to run commands as 'anon'
deny user as anon

Permitting Specific Commands without Password

For certain administrative tasks, you might want to allow a user to execute a specific command as root without requiring a password. This is achieved using the nopass option.

# Allow 'user' to run 'shutdown' as root without a password
permit nopass user cmd shutdown
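
An added example, not part of the original page: a small Python check that parses doas.conf rules of the kinds shown above and flags properties worth reviewing before deployment (keepenv, nopass without cmd, a cmd that is not an absolute path, a cmd with no args clause). It assumes whitespace-separated rules without setenv blocks or quoting; the sample rules, including /sbin/shutdown and its arguments, are constructed.

```python
FLAGS = {"nopass", "nolog", "persist", "keepenv"}
def parse_rule(line):
    """Split one doas.conf line into its parts; None for blank/comment lines."""
    tok = line.split("#", 1)[0].split()      # '#' starts a comment
    if not tok:
        return None
    rule = {"action": tok[0], "options": [], "identity": None,
            "target": None, "cmd": None, "args": None}
    i = 1
    while i < len(tok) and tok[i] in FLAGS:
        rule["options"].append(tok[i])
        i += 1
    rule["identity"], rest = tok[i], tok[i + 1:]
    if rest[:1] == ["as"]:
        rule["target"], rest = rest[1], rest[2:]
    if rest[:1] == ["cmd"]:
        rule["cmd"], rest = rest[1], rest[2:]
        if rest[:1] == ["args"]:             # bare 'args' means "no arguments"
            rule["args"] = rest[1:]
    return rule

def audit(conf_text):
    """Return (line_number, finding) pairs for active permit rules."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule["action"] != "permit":
            continue
        if "keepenv" in rule["options"]:
            findings.append((n, "keepenv passes the caller's environment along"))
        if rule["cmd"] is None:
            if "nopass" in rule["options"]:
                findings.append((n, "nopass with no cmd covers every command"))
            continue
        if not rule["cmd"].startswith("/"):
            findings.append((n, "cmd is not an absolute path"))
        if rule["args"] is None:
            findings.append((n, "no args clause, any arguments are accepted"))
    return findings
# Constructed sample: the page's three rules, a commented-out rule, a tighter rule.
SAMPLE = """\
permit persist keepenv :wheel
deny user as anon
permit nopass user cmd shutdown
# permit nopass :wheel
permit nopass user as root cmd /sbin/shutdown args -h now
"""
if __name__ == "__main__":
    print(*(f"line {n}: {f}" for n, f in audit(SAMPLE)), sep="\n")
```

On the sample, the wheel rule is flagged for keepenv, the unqualified shutdown rule is flagged twice, and the commented-out line and the fully specified rule produce no findings.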

doas offers a streamlined and secure way to manage elevated privileges on systems where it is available, providing a simpler alternative to more complex privilege escalation tools.