Thank you, Dan, Ben, and Frank. I see that I have left out some important information:
user2 is specified as a non-login class of user in /etc/login.conf
(auth=reject: shell=/sbin/nologin), and has a default shell of /sbin/nologin
in /etc/passwd.

On Tue, Sep 22, 2015 at 5:41 PM, Joel Rees <joel.r...@gmail.com> wrote:
> I have this rule in doas.conf:
>
> permit nopass user1 as user2
>
> As user1, I try this at the command line:
>
> doas -u user2 whoami
>
> and it tells me I am user2, as I expect. And
>
> doas -u user2 ls
>
> tells me I don't have permission. I kind of expect this.
>
> I'm looking for a way to do the equivalent of
>
> sudo -u user2 -s "cd; ls"
>
> I don't see a way to do this with doas, at least not without a short
> intermediary script, which script is not going to be able to do cd ~/.
>
> Should I assume that doas is not intended to do this sort of thing?

With this intermediary script:

#! /bin/sh
export USER=user2
. /etc/ksh.kshrc
printenv
ls

I get

MAIL=/var/mail/user1
LOGNAME=user1
HOME=/home/classU/user1
PATH=/home/classU/user1/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
DISPLAY=:0.0
TERM=xterm
USER=user2
ls: .: Permission denied

Which, I guess, does surprise me.

> (And therefore [I should] do things "right" by setting up ssh with public-key
> authentication to do the user switch?)

Which would also require enabling login for user2. (I tried this without
thinking yesterday.)

> (Or go all out and set up chroot to run an instance of X11 and firefox? ;-/
> )

Would this also require enabling login?

--
Joel Rees

Be careful when you look at conspiracy.
Arm yourself with knowledge of yourself, as well:
http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html
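Added example (editor's code, not from Joel's message or from the doas project) of the workaround the printenv output above points at: doas -u user2 passed the caller's HOME and working directory through, so a bare "cd" in the intermediary script lands in user1's home and the following ls fails. The wrapper below resolves the target user's home from the passwd database by name and hands it to the command explicitly. The passwd lines embedded in it are constructed sample data for running offline; getent(1), doas(1) and a doas.conf rule permitting the switch (as the "permit nopass user1 as user2" rule in the thread does) are assumptions about the host it would actually be used on.

```shell
#!/bin/sh
# Added example (not from the original thread): run a command in the
# *target* user's home under doas instead of trusting the inherited HOME.
#
# The printenv output in the thread shows HOME=/home/classU/user1 after
# "doas -u user2", so "cd" with no argument goes to user1's home, which
# user2 cannot read. Look the home up from the passwd database by name.

# Constructed passwd excerpt so the lookup can be exercised offline;
# with only one argument the function consults getent(1) instead.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/ksh
user1:*:1001:1001:User One:/home/classU/user1:/bin/ksh
user2:*:1002:1002:User Two:/home/classU/user2:/sbin/nologin'

# home_of_user NAME [PASSWD_TEXT]
# Print the home directory (field 6) of NAME. Returns 1 if NAME is not
# found, so a caller can never silently cd to an empty string.
home_of_user() {
    _name=$1
    if [ $# -ge 2 ]; then
        printf '%s\n' "$2"
    else
        getent passwd "$_name"
    fi | awk -F: -v u="$_name" '$1 == u { print $6; found = 1 } END { exit !found }'
}

# run_in_home_as TARGET CMD...
# Resolve TARGET's home on the caller side and pass it as an explicit
# argument, so nothing depends on the inherited HOME or cwd. Assumes doas(1)
# is installed and doas.conf permits the switch. doas runs the given command
# itself rather than through the target's login shell (the thread's whoami
# result already shows the command runs despite user2's /sbin/nologin).
run_in_home_as() {
    _target=$1; shift
    _home=$(home_of_user "$_target") || {
        echo "run_in_home_as: no passwd entry for $_target" >&2
        return 1
    }
    doas -u "$_target" /bin/sh -c 'cd "$1" && shift && exec "$@"' sh "$_home" "$@"
}

# Stand-alone demonstration against the constructed passwd data.
for u in user1 user2; do
    printf '%s -> %s\n' "$u" "$(home_of_user "$u" "$SAMPLE_PASSWD")"
done
# On a real host, the equivalent of: sudo -u user2 -s "cd; ls"
#   run_in_home_as user2 ls
```

The target side could equally look its own home up with getent passwd "$(id -un)" inside the sh -c string; resolving it on the caller side keeps the doas command line free of nested quoting and fails before the privilege switch if the user does not exist.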