Provided by: opendoas_6.8.2-1_amd64 bug


     doas.conf — doas configuration file


     The doas(1) utility executes commands as other users according to the rules in the doas.conf
     configuration file.

     The rules have the following format:

           permit|deny [options] identity [as target] [cmd command [args ...]]

     Rules consist of the following parts:

     permit|deny  The action to be taken if this rule matches.

     options      Options are:

                  nopass   The user is not required to enter a password.

                  nolog    Do not log successful command execution to syslogd(8).

                  persist  After the user successfully authenticates, do not ask for a password
                           again for some time.

                  keepenv  Environment variables other than those listed in doas(1) are retained
                           when creating the environment for the new process.

                  setenv { [variable ...] [variable=value ...] }
                           Keep or set the space-separated specified variables.  Variables may
                           also be removed with a leading ‘-’ or set using the latter syntax.  If
                           the first character of value is a ‘$’ then the value to be set is
                           taken from the existing environment variable of the indicated name.
                           This option is processed after the default environment has been

     identity     The username to match.  Groups may be specified by prepending a colon (‘:’).
                  Numeric IDs are also accepted.

     as target    The target user the running user is allowed to run the command as.  The default
                  is all users.

     cmd command  The command the user is allowed or denied to run.  The default is all commands.
                  Be advised that it is best to specify absolute paths.  If a relative path is
                  specified, only a restricted PATH will be searched.

     args [argument ...]
                  Arguments to command.  The command arguments provided by the user need to match
                  those specified.  The keyword args alone means that command must be run without
                  any arguments.

     The last matching rule determines the action taken.  If no rule matches, the action is

     Comments can be put anywhere in the file using a hash mark (‘#’), and extend to the end of
     the current line.

     The following quoting rules apply:

     -   The text between a pair of double quotes (‘"’) is taken as is.

     -   The backslash character (‘\’) escapes the next character, including new line characters,
         outside comments; as a result, comments may not be extended over multiple lines.

     -   If quotes or backslashes are used in a word, it is not considered a keyword.


     /etc/doas.conf                              doas(1) configuration file.
     /usr/share/doc/opendoas/examples/doas.conf  Example configuration file.


     The following example permits user aja to install packages from a preferred mirror; group
     wheel to execute commands as any user while keeping the environment variables PS1 and
     SSH_AUTH_SOCK and unsetting ENV; permits tedu to run procmap as root without a password; and
     additionally permits root to run unrestricted commands as itself while retaining the
     original PATH.

           permit persist setenv { PKG_CACHE PKG_PATH } aja cmd pkg_add
           permit setenv { -ENV PS1=$DOAS_PS1 SSH_AUTH_SOCK } :wheel
           permit nopass tedu as root cmd /usr/sbin/procmap
           permit nopass keepenv setenv { PATH } root as root


     doas(1), syslogd(8)


     The doas.conf configuration file first appeared in OpenBSD 5.8.


     Ted Unangst <>