# Doas: the Sudo Replacement

## Doas for Group Wheel

Normally, you don't want to log in as root for security reasons. OpenBSD does not come with _sudo_ by default; instead, it provides a small, simple utility called [doas](https://man.openbsd.org/doas).

First, let's use su to log in as root:

    $ su
    Password:


Next, we create [/etc/doas.conf](https://man.openbsd.org/doas.conf) using this command:

    # echo "permit persist :wheel" >> /etc/doas.conf


This allows any user in the group wheel to run doas. The shell's [redirection operator](/ksh/redirection) `>>` appends to the end of a file (or creates it if it does not already exist).

**Note**: The # sign means you run this command as root by first logging in using `su`. The $ sign means you run the command as your normal user. Do not literally type # or $.

**Note**: redirection with `>` and `>>` is done by your **shell**. This means that the command below probably does **NOT** work:

    $ doas echo "permit nopass :wheel" >> /etc/doas.conf


This is because your current non-root user will probably not have write permissions /etc/doas.conf.

Afterwards, exit su:

    # exit


You could also type `ctrl+d` to tell the shell you've reached the end-of-file and want to exit.

Next, test the configuration:

    $ whoami
    user
    $ doas whoami
    doas (user@user.coconut.ircnow.org) password: 
    root


For this configuration, you will need to provide your user password in order to use doas. The `persist` keyword means that after the password is first provided, doas will not ask again for some time.

## No password needed

Life is a lot easier when you don't require the user password.

Run doas with the `-s` argument to get a shell as root, then append to doas.conf:

    $ doas -s
    # echo "permit nopass :wheel" >> /etc/doas.conf
    # exit


The drawback to this configuration is that any user in the wheel group gets complete root access without requiring any password.

## Whitelisting users

You can also permit a specific user:

    # echo "permit nopass user" >> /etc/doas.conf


This allows user to login as root using `doas` without a password.

## Security

You should avoid logging in as root or running programs as root unless absolutely necessary. Running insecure or malicious programs as root can lead to stolen data. If you find yourself using root when you should not need to, chances are you have a bug somewhere else that needs to be fixed.

As a precaution, we should not allow others to read doas.conf:

    $ doas chmod o-r /etc/doas.conf


See also:

[Ted Unangst's Doas Mastery](https://flak.tedunangst.com/post/doas-mastery)