Doas

doas (“dedicated openbsd application subexecutor”) is a program to execute commands as another user. The system administrator can configure it to give specified users privileges to execute specified commands. It is free and open-source under the ISC license and available in Unix and Unix-like operating systems.

doas was developed by Ted Unangst for OpenBSD as a simpler and safer sudo replacement. Unangst himself had issues with the default sudo config, which was his motivation to develop doas. doas was released with OpenBSD 5.8 in October 2015 replacing sudo. However, OpenBSD still provides sudo as a package.

Configuration
Definition of privileges should be written in the configuration file, /etc/doas.conf. The syntax used in the configuration file is inspired by the packet filter configuration file.

Examples
Allow user1 to execute procmap as root without password: permit nopass user1 as root cmd /usr/sbin/procmap Allow members of the wheel group to run any command as root: permit :wheel as root Simpler version (only works if default user is root, which it is after install): permit :wheel To allow members of wheel group to run any command (default as root) and remember that they entered the password: permit persist :wheel

Ports and availability
Jesse Smith’s port of doas is packaged for DragonFlyBSD, FreeBSD, and NetBSD. According to the author, it also works on illumos and macOS.

OpenDoas, a Linux port, is packaged for Debian, Alpine, Arch, CRUX, Fedora, Gentoo, GNU Guix, Hyperbola, Manjaro, Parabola, NixOS, Ubuntu, and Void Linux. Starting with Alpine Linux v3.16 release, OpenDoas became the suggested replacement for sudo, which got its security maintenance time reduced within the distribution.