The doas configuration file is /etc/doas.conf. Each rule has the following form:
permit|deny [options] identity [as target] [cmd command [args ...]]
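The options part offers the following two choices:
a. nopass: the user is not required to enter a password.
b. keepenv { [ variables ... ] }: the user's environment is preserved. If it is not specified, the environment is reset by default (except for these variables: DISPLAY, HOME, LOGNAME, MAIL, PATH, TERM, USER and USERNAME). keepenv can also name the specific variables to preserve: put the variable names inside the braces, separated by spaces when there is more than one.
A group is written as a colon followed by the group name, e.g. :wheel.
A comment starts with # and runs to the end of the line.
The following examples illustrate this. For instance, the commonly used configuration that lets a user (such as acheng) switch to root without needing to know root's password: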
permit acheng as root
permit nopass acheng as root
permit nopass :wheel as root
Once the rules are in place, you can use doas's '-C' option to check them for errors:
doas -C /etc/doas.conf
doas su -
doas rcctl restart ntpd
Finally, let's look at the examples given in the doas.conf manual:
The following example permits users in group wsrc to build ports, wheel to execute commands as any user while keeping the environment variables ENV, PS1, and SSH_AUTH_SOCK, permits tedu to run procmap as root without a password, and additionally permits root to run unrestricted commands as itself.
# Non-exhaustive list of variables needed to
# build release(8) and ports(7)
permit nopass keepenv { \
FTPMODE PKG_CACHE PKG_PATH SM_PATH SSH_AUTH_SOCK \
DESTDIR DISTDIR FETCH_CMD FLAVOR GROUP MAKE MAKECONF \
MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_DBDIR \
PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \
SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc
permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel
permit nopass tedu as root cmd /usr/sbin/procmap
permit nopass keepenv root as root
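An added example, not part of the original post or of doas itself: a small Python audit that parses rules in the grammar shown above and lists permit rules that reach root with nopass and no cmd restriction, or that keep the caller's whole environment. The function names and the sample are constructed for illustration; syntax checking is still left to doas -C.

```python
def parse_rules(text):
    """Parse doas.conf text using the rule grammar quoted on this page."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():   # join continued lines
        # Comments run to end of line; give braces their own tokens.
        toks = raw.split("#", 1)[0].replace("{", " { ").replace("}", " } ").split()
        if not toks:
            continue
        rule = {"action": toks.pop(0), "nopass": False, "keepenv": None,
                "target": None}
        while toks and toks[0] in ("nopass", "keepenv"):
            if toks.pop(0) == "nopass":
                rule["nopass"] = True
            elif toks[:1] == ["{"]:                      # keepenv { VAR ... }
                end = toks.index("}")                    # ValueError if unclosed
                rule["keepenv"], toks = toks[1:end], toks[end + 1:]
            else:                                        # bare keepenv: keep all
                rule["keepenv"] = ["*"]
        if rule["action"] not in ("permit", "deny") or not toks:
            raise ValueError("malformed rule: " + raw)
        rule["identity"] = toks.pop(0)
        if toks[:1] == ["as"] and len(toks) > 1:
            rule["target"], toks = toks[1], toks[2:]
        rule["cmd"] = toks[1:] if toks[:1] == ["cmd"] and len(toks) > 1 else None
        rules.append(rule)
    return rules


def audit(text):
    """Return (identity, reason) for permit rules that grant broad root access."""
    findings = []
    for r in parse_rules(text):
        to_root = r["target"] in (None, "root")   # no "as" means any target user
        if r["action"] != "permit" or r["identity"] == "root" or not to_root:
            continue
        if r["nopass"] and r["cmd"] is None:
            findings.append((r["identity"], "nopass without a cmd restriction"))
        if r["keepenv"] == ["*"]:
            findings.append((r["identity"], "whole caller environment kept"))
    return findings


# Constructed sample, assembled from the rules shown on this page.
SAMPLE = """permit acheng as root
permit nopass :wheel as root
permit nopass keepenv { ENV PS1 \\
    SSH_AUTH_SOCK } :wheel
permit nopass tedu as root cmd /usr/sbin/procmap
permit nopass keepenv root as root
"""
```

On the sample, audit(SAMPLE) reports both :wheel rules; the acheng rule still asks for a password and the tedu rule is limited to one command, so neither is listed.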