Doas: the Sudo Replacement
Doas for Group Wheel
Normally, you don't want to log in as root for security reasons. OpenBSD does not come with sudo by default; instead, it provides a small, simple utility called doas.
First, let's use su to log in as root:
Next, we create /etc/doas.conf using this command:
# echo "permit persist :wheel as root" >> /etc/doas.conf
This line allows any user in the group wheel to run doas.
Note: The # sign means you run this command as root by first logging in using
su. The $ sign means you run the command as your normal user. Do not literally type # or $.
$ whoami user $ doas whoami doas (firstname.lastname@example.org) password: root
For this configuration, you will need to provide your user password in order to use doas. The
persist keyword means that after the password is first provided, doas will not ask again for some time.
No password needed
Life is a lot easier when you don't require the user password. We run this command:
# echo "permit nopass :wheel as root" >> /etc/doas.conf
The downside of this more relaxed permission is that anyone gets access to any user in the wheel group gets complete root access over the system. No passwords required for them either. Check if that makes sense with your security goals.
You can also permit a specific user:
# echo "permit nopass user as root" >> /etc/doas.conf
This allows user to login as root using
doas without a password.
You should avoid logging in as root or running programs as root unless absolutely necessary. Running insecure or malicious programs as root can lead to stolen data. If you find yourself using root when you should not need to, changes are you have a bug somewhere else that needs to be fixed.
As a precaution, we should not allow others to read doas.conf:
$ doas chmod o-r /etc/doas.conf