I've changed from using sudo to doas recently but I've been missing the passwdfb option I had set on my sudoers. It shows your password in asterisk form just like you would see when inputting a password through your browser.

Hi 👋

I'm trying to build this on prologic/ulinux and this fails with:

# pkg build
=> Saved checksums to build/.checksum
tcc -D_BSD_SOURCE -I/usr/lib/tcc/include -include compat/compat.h -Icompat  -c -o doas.o doas.c
doas.c:380: error: 'DOAS_CONF' undeclared
make: *** [<builtin>: doas.o] Error 1
#

Where does DOAS_CONF come from? Did I miss something in the build instructions?

My Pkgfile / script for building looks like this:

# cat Pkgfile
#!/bin/sh
# shellcheck disable=SC2034

# Description: allows a user to run a command as though they were another user
# URL:         https://github.com/slicer69/doas
# Maintainer:  James Mills, prologic at shortcircuit dot net dot au

name=doas
version=6.3p2
release=1
source="https://github.com/slicer69/doas/archive/${version}.tar.gz"

build() {
  cd "$name"-"$version" || exit 1

  make
  make DESTDIR="$PKG" install
}

Thanks!

Example doas.conf:

permit nopass nick as root cmd ls args -l

Then, running ls as root:

nick@nick-lenovo:[~/abs/doas]:$ doas ls -l
doas: invalid option -- 'l'
usage: doas [-ns] [-a style] [-C config] [-u user] command [args]

Side note: appreciate your efforts to bring this tool to Linux!

repro: echo foo | doas cat

This breaks piping something to a command via doas, and breaks tools (dw/mitogen) expecting it to behave like the BSD version

Specifying persist in doas.conf still results in a password prompt, even immediately after entering it for a preceding command. I believe this is due to FreeBSD not supporting the TIOCCHKVERAUTH ioctl that drives this feature.

I figure this is not something this project can easily fix but having a open issue might help anyone else that runs into it. It would be nice if persist was rejected where not supported or a warning issued instead.

Running '5.10.11-arch1-1'.
Trying to install from AUR 'doas-6.3p2-4' returns this warning messages:

/usr/include/unistd.h: In function ‘execvpe’:
compat/execvpe.c:110:10: warning: ignoring return value of ‘writev’ declared with attribute ‘warn_unused_result’ [-Wunused-result]
  110 |    (void)writev(STDERR_FILENO, iov, 3);
      |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
compat/execvpe.c:61:5: warning: ‘nonnull’ argument ‘name’ compared to NULL [-Wnonnull-compare]
   61 |  if ( (! name) || (*name == '\0') ){
      |     ^

I don't know if this warning is important, just reporting it.

The command I ran: permit [my username] as root
The result: zsh: command not found: permit
I am running this on Manjaro KDE.

> doas env | grep ^PATH | tr '\:' '\n' | grep '\/usr\/sbin'
/usr/sbin

> doas whereis pkg_delete
/usr/sbin/pkg_delete

> doas which pkg_delete
/usr/sbin/pkg_delete

> doas pkg_delete
doas: pkg_delete: command not found

> PATH=/bin:/usr/bin:/sbin:/usr/sbin doas pkg_delete
pkg_delete: No packages to delete

The same hols for any binary in /sbin and /usr/bin/.

I've decided I need a sudo replacement.

I was delighted to learn doas works perfectly fine on macOS, including authentication via smartcard, thank you. Just one thing: out of the box, it only worked with nopass. I figured I had to configure /etc/pam.d/doas (I copied the contents of /etc/pam.d/sudo). I feel like this could be added in README.md

I'm unable (probably due to SIP) to chmod setuid away on /usr/bin/sudo but I've been able to clear /etc/sudoers

I also added an alias in my ~/.config/fish/fish.config which is synced to different machines:
test (type doas 2>/dev/null); and alias sudo='doas'
In .bash_profile I went with (this would've worked in Fish as well if && is replaced with ; and)
which -s doas && alias sudo=doas

The idea here is that if doas is installed, it is configured, and sudo is aliased to doas. This is obviously not true the moment you install it, so if you use this alias at that point you need to use your current shell to configure /usr/local/etc/doas.conf, or alternative you need to call /usr/bin/sudo to configure /usr/local/etc/doas.conf (paths might differ per OS, YMMV).

Help please :(

cc -Wall -O2 -DUSE_PAM -DDOAS_CONF=\"/usr/local/etc/doas.conf\"  -D_GNU_SOURCE -include compat/compat.h -Icompat  -c -o doas.o doas.c
doas.c:48:10: fatal error: security/pam_appl.h: No such file or directory
   48 | #include <security/pam_appl.h>
      |          ^~~~~~~~~~~~~~~~~~~~~
compilation terminated.
make: *** [<builtin>: doas.o] Error 1

I am unable to find any differences between these 2 implementations of doas. This repository has more stars, but less issues and commits. OpenDoas is also the version provided by most binary package repositories.

Duncaen/OpenDoas@1899c37

Please consider incorporating this timeout functionality

$ doas date
doas: syntax error at line 1

cat /usr/local/etc/doas.conf
permit keepenv { PKG_PATH ENV PS1 SSH_AUTH_SOCK } :wheel

doas on FreeBSD 11.0-RELEASE-p10

This worked for the last year or so. What changed?

Hello, i find this program awesome, it does almost everything i need, but the only thing keeping me from uninstalling sudo and running only doas is nopersist. There is a reason why you will not port that to linux? Will make the program too complex, or unsafe?

Thanks for your time and keep up the great work!

With Debian, doas does not use bash_autocomplete. Does anybody know how to fix that?

chmod 4755 $(DESTDIR)$(PREFIX)/bin/$(BIN)

shouldn't this be 4750? Or is this intended to be writable by everyone?

I can't open any GUI apps using doas.

I tried to run some apps using doas.

When I ran doas xeyes I got this error:

No protocol specified
Error: Can't open display: :0

When I ran doas drawing I got:

No protocol specified
Unable to init server: Could not connect: Connection refused
No protocol specified
Unable to init server: Could not connect: Connection refused
No protocol specified
Unable to init server: Could not connect: Connection refused

System Information

• OS: Linux Mint 20.1 x86_64
• Kernel: 5.4.0-65-generic
• Shell: bash 5.0.17

I first tried this on ubuntu 20.04 and it worked just fine, but I had to downgrade to 18.04 for a project and I noticed that I get asked to put my password in everytime I use the program but on 20 I didnt.

I have permit m as root in usr/local/etc/doas.conf

vidoas didnt report any problems when I ran it.

Is it supposed to ask for password everytime? On ubuntu 20 it doesn't and I liked that, I could run doas apt update and it just worked

I understand you don't have a Mac to test with, but wanted to see if it was likely there's a simple fix to allow this.

Sudo can be configured in /etc/pam.d/sudo to allow authentication using Touch ID by making this change:

 # sudo: auth account password session
+auth       sufficient     pam_tid.so
 auth       sufficient     pam_smartcard.so
 auth       required       pam_opendirectory.so
 account    required       pam_permit.so
 password   required       pam_deny.so
 session    required       pam_permit.so

I tried making the same change in /etc/pam.d/doas ands hoped I'd get the same behaviour but sadly a password prompt was still presented in the terminal.

Maybe someone cares, it has some more features (pam sessions, passwd, doas style prompt).
https://github.com/Duncaen/OpenDoas

I mainly focused to port it to linux and staying as close as possible to the doas code, adding shims for most missing bits instead of ifdeffing everything out.
This makes it easier to merge changes from upstream.

With Debian, doas does not use bash_autocomplete. Does anybody know how to fix that?

I came from sudo, where if you opened a terminal session it would say “ok so u used the password, I’m not going to ask again” but doas makes you enter it every time. I can see the point of doing this, but it’s annoying when trying to install something that asks for root privileges a lot. Thank you!

doas.conf.sample states in lines 17-18:
permit cindy as root cmd pkg update
permit cindy as root cmd pkg upgrade

It shall be:
permit cindy as root cmd pkg args update
permit cindy as root cmd pkg args upgrade

I just installed doas, trying it out as an alternative for sudo.

I followed the installation guide and it all seemed to work flawlessly. I aliased sudo to doas, uninstalled sudo and rebooted the pc.

Now when I call doas, terminal just stops and waits. I can interrupt out of it, but it doesn't execute anything it seems.

What's the problem here? Does doas need sudo to work?

In the program sudo I don't have to use quotation marks when passing in multiple arguments.
e.g. sudo pacman -S firefox.

With doas, the last time I saw it in action, you do have to use quotation marks when passing in multiple arguments.
e.g. doas "pacman -S firefox"

Is there a way to stop using quotation marks?

5.9.6-arch1-1

opendoas 6.6.1-2
sort (GNU coreutils) 8.32

Hi. I don't understand why sort behaves differently when coupled with doas. Can you help me make sense of this?

$ cat test

BBBBBBBBBB
aaaaaaaaaa
__________
AAAAAAAAAA
0000000000
----------
1111111111
bbbbbbbbbb

$ sort test

----------
__________
0000000000
1111111111
aaaaaaaaaa
AAAAAAAAAA
bbbbbbbbbb
BBBBBBBBBB

$ sudo sort test

----------
__________
0000000000
1111111111
aaaaaaaaaa
AAAAAAAAAA
bbbbbbbbbb
BBBBBBBBBB

$ doas sort test

----------
0000000000
1111111111
AAAAAAAAAA
BBBBBBBBBB
__________
aaaaaaaaaa
bbbbbbbbbb

$ doas sort -f test

----------
0000000000
1111111111
AAAAAAAAAA
aaaaaaaaaa
BBBBBBBBBB
bbbbbbbbbb
__________

I know the title is cryptic, but when I run doas before another command, then it asks me for my password, the following would happen,

Password: *Input* P
It then inserts a newline, and exposed the rest of "Password"
It would then fail the authentication check.
i can happily provide more info if this is not sufficient.

I have found that the latest snapshot of doas always succeeds for any permitted user in the doas.conf file, even when the wrong password has been provided. This means any user listed with "permit" in the doas file can run any command granted to them, even if they provide the wrong password.

the 'persist' command just doesnt work on linux mint 19.3 64bit cinnemen.

Repo:

$ echo -n "permit user" > conf
$ doas -C conf
doas: syntax error at line 1
$ echo "permit user" > conf
$ doas -C conf

<no warning>

Took me a while to figure out why it was failing. Would this be something that would be worth fixing/warning the user about?

I have gruvbox installed and working and it's directory is detected by nvim envar as in VIMINIT=":source $XDG_CONFIG_HOME/nvim/init.vim" so it matches my user and root when preserving envars, but when running nvim using doas it seems not find gruvbox:

Error detected while processing VimEnter Autocommands for "*":
E185: Cannot find color scheme 'gruvbox'
Press ENTER or type command to continue

I have these lines at doas.conf:

permit keepenv myuser as root
permit myuser as root

I've noticed the latest version supports persist keyword which can simplify doas usage greatly
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/doas/

everything works fine on arch Linux except whemever i try to doas pacman -Qqe > pkglist.txt i cant even finish to type my password and it says Password: cdoas: authentication failed can anyoneone help?

I had doas installed previously and it was working fine. I used to be able to run vidoas and save with my password.

Recently I set up my computer with a clean install and now vidoas complains the file is unreadable. The permissions of does.conf are root:admin 600 which I believe to be correct.

If the owner is not root then the file will not work with does doas: /usr/local/etc/doas.conf is not owned by root

If the permissions are changed (e.g. root:staff 640) then the file can be opened but on save this will show: override rw-r----- root/staff for /usr/local/etc/doas.conf? If no, the file will not update and if y the file owner will be changed to the current user, breaking doas.

If the permissions are changed to 660 then the file will be writable and the warning will not appear but the file will still save with a non-root owner.

TL;DR
Can no longer make changes to doas.conf with vidoas. The file will not open without changing the permissions to allow group read access. The file will then save with the user as owner rather than root.

Hello
for old version had
$ does id .... egid=20(staff)....
the new version does not have this
with same doas.conf
Thanks.

doas do not asks for password

test ~ $ cat /etc/doas.conf 
permit asurkov as root
test ~ $ doas ls
doas: authentication failed
test ~ $

Makefile:
...
PREFIX?=/
MANDIR?=/usr/share/man
SYSCONFDIR?=/etc
...

I changed the second line of the Makefile to

PREFIX?=/usr

However, the configuration file is still read from /usr/local/:

 ~ cat /etc/doas.conf
permit :wheel
 ~ doas whoami
doas: doas is not enabled, /usr/local/etc/doas.conf: No such file or directory
 ~ 

How can I fix this?

Pretty self-explanatory, when the output of a command created with doas is piped through another command, an authentication failure occurs immediately without asking for a password.

Good Morning!

I have two issues with vidoas.

1. for the editor issue, it states that i don't have a default editor, despite me editing the environment variable for the default editor being vim. Another issue i had is when I tried doing the same command, with the EDITOR=vim written before vidoas, and it doesn't let me. Why doesn't it recognize my editor environment file?
2. for the vidoas script itself, it states that it couldn't open config file /tmp/doas.conf: No such file or directory, and then i have to fix doas.conf. what should i do at this point? Do I start over with the doas.conf file?

For additional information, this is the output when running doas vidoas:

➤ doas vidoas
Password: 
No default editor, assuming vi.
doas: could not open config file /tmp/doas.conf: No such file or directory
An error was found in the configuration file. Please fix doas.conf.

This is the second output when running doas EDITOR=vim vidoas:

➤ doas EDITOR=vim vidoas
Password: 
doas: EDITOR=vim: command not found

Thank you for your support.

Hello,

doas is great. And I was glad to find out a Linux port for it.

However all my systems are PAM-less (and I don't use Slackware, which is PAM-less too).

Do you think it's possible to make PAM support non-mandatory in doas for Linux?

echo "testing" | doas tee file

this prompts for a password but after entering shell becomes inactive.. features useful especially inside vim
:w !doas tee %

on openBSD, the same commands works as intended echoes "testing" to stdout and writes "testing" to file.

Hi,
firstly, thank for porting doas, it's a usefull and simple tool.
I successfully installed on my Ubuntu 16.04 machine, most of the command works fine, but the one with "-arg" switch throw me an error:

doas chsh "-s sh"
doas: invalid option -- ' '
usage: doas [-ns] [-a style] [-C config] [-u user] command [args]

so things like doas shutdown -p now doesn't work, however doas shutdown now works fine
I think the problem is due to the argument parsing. It would be great someone can fix it, I'm not good at c though.

Hi
after deep testing, I found a couple more problems with PATH and env.
pkg-config in /opt/local/bin
doas make install
pkg-conf not found etc.
sudo make install - everything is good

path for ocaml bin/libs is /opt/local
doas make install
trying to install to /usr/local with errors instead /opt/local
sudo make install - everything is good

With old version of your doas no problem at all
Regards.

Doas cannot seam to run graphical apps on Wayland (have not tested on X11/Xorg yet). I have attached a screenshot below.

OS: Arch Linux
Kernel: 5.8.14-zen
GPU: AMD RX 5700

Hello!
The last times I tried to compile a new version of doas with a new released version I noticed that I get this strange behavior on my machines: both are with Fedora 32; When I pull the new updates from Github and compile on my main machine by running make && doas/sudo make install, /usr/local/bin/doas is not replaced by the new version even if I remove /usr/local/bin/doas before compiling. If I compile on my secondary machine one it works. As I am not familiar with compiling I am not sure if it's some sort of cache happening.
Comparing the files on both machines I get:

Main machine

ls -alt doas $(command -v doas)
-rwsr-xr-x. 1 root    root    45328 ago  8 16:33 /usr/local/bin/doas
-rwxrwxr-x. 1 marcelo marcelo 45328 ago  8 16:33 doas

My secondary machine

ls -alt doas $(command -v doas)
-rwsr-xr-x. 1 root    root    46528 ago  8 15:42 /usr/local/bin/doas
-rwxr-xr-x. 1 marcelo marcelo 46528 ago  8 15:42 doas

Which also made me think if the other necessary files are being replaced/updated.

It should go to stderr, so that e.g. doas ls > ls.out works and ls.out does not contain the Password: prompt. OpenBSD's doas does the right thing here.

I think this can be setup with PAM somehow, so this is likely related to #2.

I have installed xcode command line tools and used:

• make, make install
• make, sudo make install

I then installed make from homebrew and used:

• gmake, gmake install
• gmake, sudo gmake install

On both of these I get the error: doas: not installed setuid
I get this error when running vidoas: install: /usr/local/etc/doas.conf: chown/chgrp: Operation not permitted.

I've also tried creating doas.conf using sudo by running sudo nvim /usr/local/etc/doas.conf as well as sudo vidoas.

Is there anything that I am doing wrong? Perhaps I need to disable System Integrity Protection (SIP) for this to work? Or should I changed the prefix of the makefile to install to /usr/ instead of /usr/local/?

make uninstall is missing:

 ~ sudo make uninstall
make: *** No rule to make target 'uninstall'.  Stop.

Should I manually remove the files installed by make install?

It would be handy to provide a sample doas.conf in sources. This would save the user time figuring it out from the man pages or coming back to the Github page for this project.

An example could be the one in OpenBSD base:
https://cvsweb.openbsd.org/src/etc/examples/doas.conf?rev=1.1&content-type=text/x-cvsweb-markup

Thanks.