OpenBSD ships with a refreshingly minimal approach to running commands as another user called
Typically Sudo is used for this. While sudo is great, it brings a great deal of
complexity. If you're using sudo I high recommend reading Sudo Mastery by Michael W Lucas.
The motivation for replacing
doas is the same motivation I have in using OpenBSD. It truly delivers on
quality over quantity, keeping everything simple, and an undying focus on security.
doas ships with OpenBSD, nothing needed to install!
The configuration for doas is extremely easy to understand. This is imperative for such a critical piece of security software on your systems.
From the doas.conf(5) manpage, the format for a config line is as follows:
permit|deny [options] identity [as target] [cmd command [args ...]]
So a very basic config, that would allow your primary user (bob) run commands as root would be:
permit bob as root
There are other options as well and I encourage you to head over to the man page for more details.
So, one key aspect of both
doas is the ability to audit who ran what, and when they ran it.
So for this exercise, we will have bob try and change the hostname of our machine…
dev$ hostname foo hostname: sethostname: Operation not permitted dev$
As you can see, the operation was not permitted. Now let us prefix the command with doas.
dev$ doas hostname foo foo$
There, our hostname is now foo!
If we want to see the log, we just need to view
# /var/log/secure Aug 19 20:09:28 dev doas: bob ran command hostname foo as root from /home/bob