On Fri, Apr 1, 2016 at 2:33 PM, Tor Houghton <t...@bogus.net> wrote: > Now that sudo is out of base, I am wondering -- do I need to add it again, > or does doas.conf allow for specifying commands with arguments? > > Obviously not like this (doas doesn't like that), but akin to: > > permit nopass support as root cmd /usr/sbin/rcctl restart ntpd > > I don't want the support user to be able to use rcctl on any daemon process, > basically.
Sooo close. To quote doas.conf(5): The rules have the following format: permit|deny [options] identity [as target] [cmd command [args ...]] ... cmd command The command the user is allowed or denied to run. The default is all commands. Be advised that it's best to specify absolute paths. If a cmd is specified, only a restricted PATH will be searched. args ... Arguments to command. If specified, the command arguments provided by the user need to match for the command to be successful. Specifying args alone means that command should be run without any arguments. 'args' is *literal* there, so the correct config line would be permit nopass support as root cmd /usr/sbin/rcctl args restart ntpd Philip Guenther