What is DOAS?

doas is a utility that permits users to execute commands as root or as another user. Groups as well as users can be permitted to do so.

Installing DOAS on FreeBSD.

# pkg install doas

The manual for doas is nice and simple.

# man doas.conf

Configuring DOAS.

In this example, I will configure doas to permit members of the wheel group to use the FreeBSD service command script, which can start and stop services such as an nginx web server, without a password. This is a safe and trivial command to disable the password requirement for.

# nano /usr/local/etc/doas.conf
permit nopass :wheel as root cmd service

If I wanted to limit which arguments can be passed to the command, I could specify this with the args feature.

# nano /usr/local/etc/doas.conf
permit nopass :wheel as root cmd service args nginx onestart

Testing.

$ doas service nginx onestart
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx

Be aware that doas requires that the command is matched exactly. The following definition will not work when the command is invoked as service, because the rule names /usr/sbin/service.

# nano /usr/local/etc/doas.conf
permit nopass :wheel as root cmd /usr/sbin/service args nginx onestart

$ doas service nginx onestart
doas: Operation not permitted
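
The matching behaviour shown above can be reproduced with a small model. This is an added example, not code from doas or from the original page; it follows the rule semantics documented in doas.conf(5) for the simple rule forms used here, and the function names and the idea of passing the typed command as a list are assumptions of the example.

```python
# Simplified model of doas.conf(5) rule matching (added example, not doas source).
from dataclasses import dataclass
from typing import Optional

OPTIONS = {"nopass", "persist", "keepenv"}  # setenv { ... } is not handled

@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    ident: str                    # "user" or ":group"
    target: Optional[str] = None  # None = any target user
    cmd: Optional[str] = None     # None = any command
    args: Optional[list] = None   # None = any arguments, [] = no arguments

def parse_rule(line):
    tok = line.split()
    action = tok.pop(0)
    while tok[0] in OPTIONS:
        tok.pop(0)
    rule = Rule(action, tok.pop(0))
    if tok[:1] == ["as"]:
        rule.target, tok = tok[1], tok[2:]
    if tok[:1] == ["cmd"]:
        rule.cmd, tok = tok[1], tok[2:]
        if tok[:1] == ["args"]:
            rule.args = tok[1:]
    return rule

def matches(rule, user, groups, target, argv):
    by_group = rule.ident.startswith(":")
    ident_ok = rule.ident[1:] in groups if by_group else rule.ident == user
    target_ok = rule.target is None or rule.target == target
    cmd_ok = rule.cmd is None or rule.cmd == argv[0]  # string compare, as typed
    args_ok = rule.cmd is None or rule.args is None or rule.args == argv[1:]
    return ident_ok and target_ok and cmd_ok and args_ok

def decide(conf, user, groups, argv, target="root"):
    last = None
    for line in conf.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            rule = parse_rule(line)
            if matches(rule, user, groups, target, argv):
                last = rule  # the last matching rule decides
    return last.action if last else "deny"

# The three rules shown on this page
UNRESTRICTED = "permit nopass :wheel as root cmd service"
RELATIVE = "permit nopass :wheel as root cmd service args nginx onestart"
ABSOLUTE = "permit nopass :wheel as root cmd /usr/sbin/service args nginx onestart"
```

Calling decide(ABSOLUTE, "alice", {"wheel"}, ["service", "nginx", "onestart"]) returns "deny", while the same call with UNRESTRICTED returns "permit" for any service name and action, which is the difference the args restriction makes.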