When doing work on a Unix system, it's advised to use as few privileges as possible, so as to avoid the risk of breaking anything by accident. But when you need to make any significant changes to the system, like installing or updating packages or changing critical configs, having the right permissions is crucial.
In most cases this is done using sudo or doas, where sudo comes preconfigured on distros like Ubuntu, Fedora, etc. If you're using a more do-it-yourself system like Arch or FreeBSD, that may not be the case. But fear not, since I can help you with configuring either of them in this post, with examples.
Wheel group
Often in this post you'll see me mention the wheel group. This is a special group that is used with these tools to easily add or remove access to these commands. If you're wondering why it's named the wheel group, you can watch this video.
To see what groups your user is in, run this command:
groups username
replacing username with the name of your user. The command should give you a list of groups your user is part of. If you see the wheel group there, you can continue. Otherwise run the following command as the root user:
usermod -a -G wheel username
Replace username with your username.
FreeBSD users should use the following command:
pw groupmod wheel -m username
where username is the name of your user.
If you are using sudo you may also want to add your user to the sudo group, which is done by replacing the wheel in the previous commands with sudo.
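As an added example (my own script, not part of the original post), here is a small POSIX shell script that does the check-then-add procedure above on either Linux or FreeBSD, using the same usermod and pw commands. It assumes id(1) and uname(1) are available, and the function names are my own. It matches group names as whole words, so a group like "wheelie" is never mistaken for wheel.

```shell
#!/bin/sh
# Added example, not from the original post: idempotently add a user to a
# group using the commands the post gives (usermod on Linux, pw on FreeBSD).
# Assumes id(1) and uname(1); must run as root to actually change anything.

# in_group USER GROUP -> exit 0 if USER is a member of GROUP.
# Matches whole words, so "wheel" does not match a group named "wheelie".
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# add_cmd_for_os OS GROUP USER -> prints (does not run) the command that
# adds USER to GROUP on OS, so a caller can log or review it first.
add_cmd_for_os() {
    case "$1" in
        FreeBSD) printf 'pw groupmod %s -m %s\n' "$2" "$3" ;;
        *)       printf 'usermod -a -G %s %s\n' "$2" "$3" ;;
    esac
}

# add_to_group USER GROUP -> runs the right command for the current OS.
add_to_group() {
    case "$(uname -s)" in
        FreeBSD) pw groupmod "$2" -m "$1" ;;
        *)       usermod -a -G "$2" "$1" ;;
    esac
}

# ensure_in_group USER GROUP -> no-op when already a member, else add.
ensure_in_group() {
    if in_group "$1" "$2"; then
        echo "$1 is already in group $2"
        return 0
    fi
    echo "adding $1 to group $2: $(add_cmd_for_os "$(uname -s)" "$2" "$1")"
    add_to_group "$1" "$2"
}

# Usage (as root):  sh ensure_in_group.sh alice wheel
if [ $# -eq 2 ]; then
    ensure_in_group "$1" "$2"
fi
```

Remember that group membership is read at login, so after the add the user has to log out and back in before `groups` (or `id -nG`) reports the new group.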
Sudo
sudo used to be the short form of superuser do, but the official project page now calls it substitute user do, because it's used to run commands as a different user than the one you are currently logged in as. Most of the time, however, it is used to access the super user, or root (hence the original name).
According to Wikipedia, the tool had its early origins around 1980, and was developed by Robert Coggeshall and Cliff Spencer at the Department of Computer Science at SUNY/Buffalo.
Sudo is ubiquitous in most Linux distros, and there's a good chance it's already installed and configured for your system. If not, this guide is for you.
Installation
First you'll want to ensure sudo is installed in the first place. To do that, run this command:
sudo -V
This should show information about the current install of sudo. If the command runs successfully, you can skip to configuration; otherwise we need to install it manually. This is done by running one of the following commands (depending on your distribution), logged in as the root user:
- Ubuntu/Debian: apt install sudo
- Arch: pacman -S sudo
- OpenSUSE: zypper install sudo
- RHEL/Fedora: dnf install sudo
- Void Linux: xbps-install sudo
- FreeBSD: pkg install sudo
Configuration using the sudoers file
There are two main ways to configure sudo. The first one is using the sudoers file. It is located at /etc/sudoers for Linux and /usr/local/etc/sudoers for FreeBSD respectively. The paths are different, but the configuration works in the same way.
A typical sudoers file looks like this.
The sudoers file must be edited with the visudo command, which ensures the config is free of errors. Running this command as the root user will open vi by default. If you want to use a different editor you can set the VISUAL environment variable to the editor you want.
For example, if you want to use micro as the text editor, run:
VISUAL=micro visudo
or you can run export VISUAL=micro before running visudo.
There are lots of things we can configure inside the sudoers file, but for this post we'll focus on giving users access to the sudo command. The basic syntax is the following:
User Host=(RunAs) Command
where User is the user this applies to, Host is the host this applies to, RunAs is the target user and Command is the commands that can be used.
Most of the time, you'll use this:
username ALL=(ALL) ALL
This lets username (replace with the target user) run all commands as all users. Additionally you can add NOPASSWD: before the last argument to allow the user to run sudo without having to type the password every time (THIS IS VERY DANGEROUS, DON'T DO THIS).
You can also replace the username with the name of a group preceded by % to have the same effect over all of the users of the group. In fact, the default config contains lines which can be uncommented to give all users from the wheel and sudo groups access to the sudo command.
## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL:ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL:ALL) ALL
Configuration using the sudoers.d directory
Another way to configure sudo is using the sudoers.d directory. This is one way to separate the configuration.
The directory is located at /etc/sudoers.d/ for Linux and /usr/local/etc/sudoers.d/ for FreeBSD respectively. Here you can create multiple files, each with different configurations.
First ensure this line is in your sudoers file:
- Linux: @includedir /etc/sudoers.d
- FreeBSD: @includedir /usr/local/etc/sudoers.d
Next, you may create as many configs as you need, using any editor you like, related to many users or groups. For example:
echo "username ALL=(ALL) ALL" >> /etc/sudoers.d/username
is the simplest way to give username access to sudo. You don't have to name the file the same as the user, but it's good to keep things organised.
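As an added example (my own script, not from the original post or the sudo project), here is the echo-into-sudoers.d step from above done with the same care visudo gives the main file: the rule is written to a temp file, syntax-checked with visudo -cf, given mode 0440, and only then moved into place. SUDOERS_D is an assumed variable so the script can be pointed at a scratch directory; the rule format is the `username ALL=(ALL) ALL` line from the post, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: install a sudoers.d drop-in for
# one user or %group, checking it with visudo -cf before it goes live.
# SUDOERS_D is an assumption so the script can be pointed at a scratch
# directory; the real location is /etc/sudoers.d (Linux) or
# /usr/local/etc/sudoers.d (FreeBSD).
SUDOERS_D=${SUDOERS_D:-/etc/sudoers.d}

# sudo_rule IDENT -> prints the "run anything as anyone" rule for IDENT,
# where IDENT is a user name or a %group name.
sudo_rule() {
    printf '%s ALL=(ALL) ALL\n' "$1"
}

# valid_ident IDENT -> 0 if IDENT is a plain user or %group name. Anything
# else (spaces, '=', '(') could smuggle extra sudoers syntax into the file.
valid_ident() {
    printf '%s' "$1" | grep -Eq '^%?[A-Za-z_][A-Za-z0-9_-]*$'
}

# dropin_name IDENT -> file name for the drop-in. sudo ignores files whose
# name contains '.' or '~' (editor backups etc.), so those are replaced,
# and the leading '%' of a group is dropped.
dropin_name() {
    printf '%s' "$1" | sed -e 's/^%//' -e 's/[.~]/_/g'
}

# install_dropin IDENT -> writes $SUDOERS_D/<name>, mode 0440, after a
# syntax check. The temp file has a '.' in its name on purpose: sudo never
# reads a half-written file.
install_dropin() {
    ident=$1
    valid_ident "$ident" || { echo "refusing identity: $ident" >&2; return 1; }
    dst=$SUDOERS_D/$(dropin_name "$ident")
    tmp=$(mktemp "$SUDOERS_D/.new.XXXXXX") || return 1
    sudo_rule "$ident" > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || { rm -f "$tmp"; return 1; }
    else
        echo "warning: visudo not found, syntax not checked" >&2
    fi
    mv "$tmp" "$dst" && echo "installed $dst"
}

# Usage (as root):  sh sudo_dropin.sh alice     or     sh sudo_dropin.sh %wheel
if [ $# -eq 1 ]; then
    install_dropin "$1"
fi
```

The identity check matters more than it looks: a plain `echo "$user ALL=(ALL) ALL"` with an unchecked `$user` lets whoever controls that string write arbitrary sudoers syntax, NOPASSWD included. Writing to a dot-prefixed temp file and renaming means sudo only ever sees a complete, validated file.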
Doas
Doas was created by Ted Unangst for OpenBSD, as a simpler and safer alternative to sudo. doas is not configured by default on most distros, but configuring it is much easier than sudo.
Installation
To check if doas is installed, run
doas -s
which should drop you in a root shell. If the command is not installed, use one of the following to install it:
- Ubuntu/Debian: apt install doas
- Arch: pacman -S opendoas
- OpenSUSE: zypper install doas
- RHEL/Fedora: dnf install opendoas
- Void Linux: xbps-install opendoas
- FreeBSD: pkg install doas
Configuration
The default config is located at /etc/doas.conf for Linux and /usr/local/etc/doas.conf for FreeBSD. Unlike sudo, this file is not created when you install doas, and without it the command is useless. So we need to create it, and populate it with appropriate rules.
After creating the file, we need to ensure it has the correct permissions. For Linux:
chown -c root:root /etc/doas.conf
chmod -c 0400 /etc/doas.conf
and for FreeBSD (where the group with gid 0 is wheel, not root, and chown/chmod have no -c flag):
chown root:wheel /usr/local/etc/doas.conf
chmod 0400 /usr/local/etc/doas.conf
Additionally, ensure the config file ends with a newline.
The basic structure for giving access to the doas command is as follows:
permit|deny [options] identity [as target] [cmd command [args ...]]
where identity is the user the rule applies to, target (if specified) is the user identity can run commands as, and command is the command the user is allowed to use. If command is omitted, the user can run any command.
You can also add various options after permit/deny for various functions. Here are the more commonly used ones:
- keepenv: keep environment variables
- nopass: use doas without a password (BAD IDEA!)
- persist: don't prompt the user for the password again for some time after typing it (potentially unsafe)
For example:
permit persist keepenv username
allows username (replace with your username) to run any commands using doas.
You may also want to allow users of the wheel group to run doas, which is achieved using:
permit persist keepenv :wheel
(the colon, written with no space before the group name, is what marks wheel as a group rather than a user).
Once you're done editing your config, you need to make sure the config does not have any syntax errors that may prevent doas from running properly. You can do this by running the following command as the root user:
doas -C /etc/doas.conf && echo "config ok" || echo "config error"
(change /etc/doas.conf to /usr/local/etc/doas.conf for FreeBSD)
Environment variables
Keep in mind that doas does not retain all the environment variables that sudo does. Notably, XAUTHORITY, LANG and LC_ALL are omitted, which makes using X11 harder. So it's good to use this line to fix that:
permit setenv { XAUTHORITY LANG LC_ALL } :wheel
Additionally, because doas was developed for OpenBSD, it also retains some of its quirks, like how user-installed executables are stored in /usr/local/bin, in contrast to /usr/bin where Linux stores them. As a result, doas can have problems on Linux, so the following workaround can be used:
permit setenv {PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin} :wheel
Note that you don't need this workaround on FreeBSD or OpenBSD.
Combining the two lines we get:
permit persist setenv {PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin XAUTHORITY LANG LC_ALL} :wheel
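As an added example covering both the doas.conf rules section and the environment variables section (my own script, not from the original post or the doas project), here is a shell script that writes the combined rule above into a doas.conf, lints every rule against the `permit|deny [options] identity [as target] [cmd command [args ...]]` grammar (catching the ": wheel" spacing mistake and an "as" or "cmd" with no argument), warns about nopass, enforces the owner/mode/trailing-newline requirements from the configuration section, and runs `doas -C` when doas is installed. DOAS_CONF and DOAS_GROUP are assumed variables so it can target a scratch file; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: generate a doas.conf with the
# rules from this post, lint each rule against the grammar
#   permit|deny [options] identity [as target] [cmd command [args ...]]
# then enforce owner root, mode 0400 and a trailing newline, and run
# "doas -C" when doas is installed. DOAS_CONF and DOAS_GROUP are assumptions
# so the script can write to a scratch file; DOAS_GROUP is root on Linux and
# wheel on FreeBSD/OpenBSD.
DOAS_CONF=${DOAS_CONF:-/etc/doas.conf}
DOAS_GROUP=${DOAS_GROUP:-root}

# doas_rules -> the combined rule from the post: wheel members may run
# anything, keep their X11/locale variables and get a Linux-friendly PATH.
doas_rules() {
    cat <<'EOF'
permit persist setenv {PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin XAUTHORITY LANG LC_ALL} :wheel
EOF
}

# check_rule LINE -> 0 if LINE fits the grammar above. Catches the easy
# mistakes: a lone ':' (": wheel" instead of ":wheel"), "as" or "cmd"
# without an argument, and an unknown action word.
check_rule() {
    set -f                                               # no globbing while splitting
    set -- $(printf '%s' "$1" | sed 's/{[^}]*}//g')      # drop {...} groups, split words
    set +f
    case "$1" in permit|deny) ;; *) return 1 ;; esac
    shift
    while [ $# -gt 0 ]; do                               # skip known options
        case "$1" in
            persist|nopass|keepenv|setenv|nolog) shift ;;
            *) break ;;
        esac
    done
    [ $# -gt 0 ] || return 1                             # identity is required
    [ "$1" != ":" ] || return 1                          # ':' alone is not an identity
    shift
    if [ "${1:-}" = "as" ]; then
        [ $# -ge 2 ] || return 1
        shift 2
    fi
    if [ $# -gt 0 ]; then
        [ "$1" = "cmd" ] && [ $# -ge 2 ] || return 1
    fi
    return 0
}

# ends_with_newline FILE -> 0 if the last byte of FILE is '\n'
ends_with_newline() {
    [ -s "$1" ] && [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" = 1 ]
}

# lint_conf FILE -> 0 if every non-comment line parses; warns about nopass
lint_conf() {
    ok=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        check_rule "$line" || { echo "bad rule: $line" >&2; ok=1; }
        case " $line " in *' nopass '*) echo "warning: nopass in: $line" >&2 ;; esac
    done < "$1"
    return $ok
}

# install_doas_conf -> write, lint, fix newline, check with doas -C, install
install_doas_conf() {
    tmp=$(mktemp) || return 1
    doas_rules > "$tmp"
    lint_conf "$tmp" || { rm -f "$tmp"; return 1; }
    ends_with_newline "$tmp" || printf '\n' >> "$tmp"
    if command -v doas >/dev/null 2>&1; then
        doas -C "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    chmod 0400 "$tmp" || return 1
    # chown needs root; skipped when only testing as an ordinary user
    [ "$(id -u)" -ne 0 ] || chown "root:$DOAS_GROUP" "$tmp" || return 1
    mv "$tmp" "$DOAS_CONF"
}

# Usage (as root):  sh doas_setup.sh
```

The lint is deliberately stricter than doas itself in one respect: it flags nopass instead of silently accepting it, which is the option the post calls a bad idea. `doas -C` remains the authoritative check, since the real parser (and any distro-specific build options) is what decides whether a rule is accepted.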
Conclusion
I hope this tutorial was helpful. I will be posting more tutorials and opinion posts in 2024. Happy new year!
Top comments (1)
Thanks for the guide, I'll surely refer to this post when I'm working on a Linux environment