OpenBSD doas

By Ronald Valente. Published

Overview

OpenBSD ships with a refreshingly minimal approach to running commands as another user called doas. Typically Sudo is used for this. While sudo is great, it brings a great deal of complexity. If you're using sudo I high recommend reading Sudo Mastery by Michael W Lucas.

The motivation for replacing sudo with doas is the same motivation I have in using OpenBSD. It truly delivers on quality over quantity, keeping everything simple, and an undying focus on security.

Installation

Good news, doas ships with OpenBSD, nothing needed to install!

Configuration

The configuration for doas is extremely easy to understand. This is imperative for such a critical piece of security software on your systems.

From the doas.conf(5) manpage, the format for a config line is as follows:

permit|deny [options] identity [as target] [cmd command [args ...]]

So a very basic config, that would allow your primary user (bob) run commands as root would be:

permit bob as root

There are other options as well and I encourage you to head over to the man page for more details.

Audit

So, one key aspect of both sudo and doas is the ability to audit who ran what, and when they ran it.

So for this exercise, we will have bob try and change the hostname of our machine...

dev$ hostname foo
hostname: sethostname: Operation not permitted
dev$

As you can see, the operation was not permitted. Now let us prefix the command with doas.

dev$ doas hostname foo
foo$

There, our hostname is now foo!

If we want to see the log, we just need to view /var/log/secure.

# /var/log/secure
Aug 19 20:09:28 dev doas: bob ran command hostname foo as root from /home/bob

Resources