doas.1 (2930B)
- .\" $OpenBSD: doas.1,v 1.26 2022/12/22 19:53:22 kn Exp $
- .\"
- .\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
- .\"
- .\"Permission to use, copy, modify, and distribute this software for any
- .\"purpose with or without fee is hereby granted, provided that the above
- .\"copyright notice and this permission notice appear in all copies.
- .\"
- .\"THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- .\"WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- .\"MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- .\"ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- .\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- .\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- .\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- .Dd $Mdocdate: December 22 2022 $
- .Dt DOAS 1
- .Os
- .Sh NAME
- .Nm doas
- .Nd execute commands as another user
- .Sh SYNOPSIS
- .Nm doas
- .Op Fl Lns
- .Op Fl C Ar config
- .Op Fl u Ar user
- .Ar command
- .Op Ar arg ...
- .Sh DESCRIPTION
- The
- .Nm
- utility executes the given command as another user.
- The
- .Ar command
- argument is mandatory unless
- .Fl C ,
- .Fl L ,
- or
- .Fl s
- is specified.
- .Pp
- The user will be required to authenticate by entering their password,
- unless configured otherwise.
- .Pp
- By default, a new environment is created.
- The variables
- .Ev HOME ,
- .Ev LOGNAME ,
- .Ev PATH ,
- .Ev SHELL ,
- and
- .Ev USER
- and the
- .Xr umask 2
- are set to values appropriate for the target user.
- .Ev DOAS_USER
- is set to the name of the user executing
- .Nm .
- The variables
- .Ev DISPLAY
- and
- .Ev TERM
- are inherited from the current environment.
- This behavior may be modified by the config file.
- The working directory is not changed.
- .Pp
- The options are as follows:
- .Bl -tag -width tenletters
- .It Fl C Ar config
- Parse and check the configuration file
- .Ar config ,
- then exit.
- If
- .Ar command
- is supplied,
- .Nm
- will also perform command matching.
- In the latter case
- either
- .Sq permit ,
- .Sq permit nopass
- or
- .Sq deny
- will be printed on standard output, depending on command
- matching results.
- No command is executed.
- .It Fl L
- Clear any persisted authentications from previous invocations,
- then immediately exit.
- No command is executed.
- .It Fl n
- Non interactive mode, fail if the matching rule doesn't have the
- .Ic nopass
- option.
- .It Fl s
- Execute the shell from
- .Ev SHELL
- or
- .Pa /etc/passwd .
- .It Fl u Ar user
- Execute the command as
- .Ar user .
- The default is root.
- .El
- .Sh EXIT STATUS
- .Ex -std doas
- It may fail for one of the following reasons:
- .Pp
- .Bl -bullet -compact
- .It
- The config file
- .Pa /etc/doas.conf
- could not be parsed.
- .It
- The user attempted to run a command which is not permitted.
- .It
- The password was incorrect.
- .It
- The specified command was not found or is not executable.
- .El
- .Sh SEE ALSO
- .Xr su 1 ,
- .Xr doas.conf 5
- .Sh HISTORY
- The
- .Nm
- command first appeared in
- .Ox 5.8 .
- .Sh AUTHORS
- .An Ted Unangst Aq Mt tedu@openbsd.org