$ cat /etc/doas.conf
permit persist :wheel
doas is a simple and easy to configure replacement for sudo. It's built by
the OpenBSD developers (same ones who make
OpenSSH, OpenNTPD, and
LibreSSL), so you can be quite confident in its
security/simplicity standards. On a basic level, it allows for running a command
as a different user. Typically, that means allowing an "unprivileged" user to
run "privileged" commands such as installing packages or updating the web
server. The configuration syntax is very simple and straightforward, making
complicated setups easy to understand.
doas accomplishes about 95% of what sudo is used for with a fraction of the
code and complexity. I quickly checked the lines of code in the current stable
version of each program using David A. Wheeler's sloccount. sudo is at
version 1.9.5p2 and doas is at 6.8.1.
$ cd OpenDoas
$ sloccount .
SLOC Directory SLOC-by-Language (Sorted)
3479 OpenDoas ansic=2423,sh=667,yacc=290,perl=99
Totals grouped by language (dominant language first):
ansic: 2423 (69.65%)
sh: 667 (19.17%)
yacc: 290 (8.34%)
perl: 99 (2.85%)
$ cd sudo-1.9.5p2
$ sloccount .
SLOC Directory SLOC-by-Language (Sorted)
47841 plugins ansic=43243,yacc=2118,lex=1295,sh=843,python=342
28060 lib ansic=28060
10339 src_top_dir ansic=10339
8081 scripts sh=7761,perl=320
5193 logsrvd ansic=5193
3140 top_dir sh=3140
3091 include ansic=3091
245 doc sed=229,sh=16
203 src_regress ansic=203
32 etc sh=32
0 examples (none)
0 m4 (none)
0 po (none)
Totals grouped by language (dominant language first):
ansic: 90129 (84.85%)
sh: 11792 (11.10%)
yacc: 2118 (1.99%)
lex: 1295 (1.22%)
python: 342 (0.32%)
perl: 320 (0.30%)
sed: 229 (0.22%)
In terms of C code, sudu is over 37 times larger than doas. I would
argue it is not 37 times more useful to make up for the larger attack
surface. The vast majority of extra code implements rarely used features, which
are likely not as actively maintained. This might explain why sudo has around
58 CVEs since January 2019, including a fairly serious one a few days
ago,
in the same time the portable version of doas has had 3. None of which apply
to the native version on OpenBSD.
One may argue sudo is audited more intensely due to its prevalence. It's true
that doas certainly doesn't share the same popularity as sudo, but it comes
default on OpenBSD and is very common on NetBSD, FreeBSD, and linux distros --
including the tiny and extremely prevalent Alpine -- which are at the heart of
many major
targets.
The other big source of issues with sudo comes from trying to configure it to
do anything more complicated than allow the wheel group to run commands as root.
Its manual is like 10,000 lines long and includes the following man sudoers | grep -C1 despair.
The sudoers file grammar will be described below in Extended Backus-Naur Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly simple, and the definitions below are annotated.
Configure
Configuring doas is dead simple. The manual is under 200 lines and OpenBSD
prides itself on well written, easy to understand manuals. In fact, documentation
issues are considered critical since they're just as likely to cause serious
vulnerabilities and issues as technical problems.
The basic config to allow all members of the wheel group to run commands as
root is this:
$ cat /etc/doas.conf
permit persist :wheel
persist is an option that allows elevated commands to be run multiple times in
a session, only authenticating with a password on the first attempt.
permit/deny and an identity are the only required entries. An identity can
be a group or a user - groups are prefixed with :. You may also add a command
to limit the scope to a single command rather than all commands. Read man 5 doas.conf for more information.