In this tutorial, I will walk you step by step on how to install doas in FreeBSD and configure it for your needs – with examples. The process is simple, straightforward, and you can have doas up and running in FreeBSD in less than a minute.
However, I will show you some cool things you can do with doas in your system to get the best out of it.
But first, let’s look at what is doas and why we should use it instead of something like sudo.
What is doas?
In a nutshell, the doas [“do as”] utility allows a user to perform commands on behalf of another user [e.g., root]. Doas provides almost the same functionality as the sudo command but has a much lighter codebase – an essential factor in improving your system security and stability.
The doas utility was initially developed on OpenBSD and eventually ported for other UNIX and Linux systems. It is simple, easy to configure, and ideal for using single-user machines such as your personal computer.
NOTE: If you plan to run doas only for command-line applications, you might get away without using keepenv.
Install doas in FreeBSD
The doas utility is available in FreeBSD repositories as well as ports. First, open a terminal and log in as the root user:
To install doas from the FreeBSD repository:
pkg install doas
Alternatively, you can install doas from ports using the command:
cd /usr/ports/security/doas/ && make install clean
To test if doas was installed on your FreeBSD system, execute doas in the terminal. The doas command should output the expected syntax.
Now that we installed doas in FreeBSD, we need to tell the system how and what conditions should be applied when executing it. You won’t be able to use doas just now, and you will receive an error like this when using doas without configuring it.
Configure doas in FreeBSD
First, we need to make sure your user is in the wheel group:
pw groupshow wheel
My user name is “freebsd,” and you can see it is already a member of the wheel group.
If your user is not a member of the wheel group, add it by issuing the following command. Replace “freebsd” with your username.
pw groupmod wheel -m <your username>
Now your username should be listed as part of the wheel group.
Next, generate and configure the doas.conf file located in /usr/local/etc/ directory. To configure doas in FreeBSD, execute the following command:
Here you can specify the conditions to allow the execution of the doas command in your system.
For instance, if you want to authenticate using your user password each time you invoke the doas command, add the following line in the doas.conf file.
Replace <your username> with your actual user name.
permit keepenv :<your username>
If you want to invoke the doas command without authentication on your system, add the following line instead:
permit nopass keepenv :<your username>
Take note that using doas without any authentication can be a serious security risk for your system.
You can also choose exactly which service can use the doas command and in which conditions. Here are some more examples you could use in your doas.conf file on FreeBSD.
EXAMPLE 1: Allow doas to execute pkg update without asking for authentication:
permit nopass :<your username> cmd pkg args update
EXAMPLE 2: Allow doas to mount and umount drives in your system:
permit nopass :<your username> cmd mount permit nopass :<your username> cmd umount
EXAMPLE 3: Allow doas to run personal scripts located in a specific directory as root without asking for authentication. Note that you must specify the full path of the script when executing it using doas:
permit nopass :<your username> cmd /home/username/bin/yourscript
I am the only user on my machine, so I like to use doas with authentication for all the tasks requiring root privileges, so my doas.conf file contains only one line [where “freebsd“ is my user name]:
Once you finished editing your doas.conf file, press the ESC key and hit the letter “a” twice to save and exit the editor.
The doas configuration changes take effect upon saving the doas.conf file, and there is no need to log out or reboot your FreeBSD system.
The doas utility is an excellent replacement for sudo on UNIX or Linux operating systems. One of the main reasons to use doas in FreeBSD instead of sudo is the ease of use and better security due to its lighter codebase.
I hope you found this doas setup guide on FreeBSD useful. You may also want to check the following link for more awesome FreeBSD guides and tutorials.