For now, you may want to use the "nopass" keyword and set up
highly-restrictive rules. The last matching rule determines the action
taken, so you can have more general rules up top, and more specific ones
that don't require a password toward the end. For example, my wireless
network manager script relies on the ability to kill off the DHCP client
and do some other things with ifconfig.

permit nopass :wheel as root cmd /usr/bin/pkill args dhclient
permit nopass :wheel as root cmd /sbin/ifconfig
permit nopass :wheel as root cmd /sbin/dhclient

In -CURRENT, doas.conf has a "persist" keyword that will only prompt once
per session. This isn't available in OpenBSD 6.0, but should work when 6.1
is released. Here's a fairly minimal rule that would allow wheel group
users to do whatever they want with doas after authenticating once:

permit persist :wheel


On Thu, Dec 15, 2016 at 10:56 AM, jungle Boogie <jungleboog...@gmail.com>
wrote:

> Hi All,
>
> Should I be prompted for a password during this scenario?
>
> $ doas date
> doas (jun...@openbsd.my.domain) password:
> Thu Dec 15 08:55:39 PST 2016
> $ ./date.sh
> doas (jun...@openbsd.my.domain) password:
> Thu Dec 15 08:55:46 PST 2016
>
> As you see, only seconds passed between both commands and yet, I'm prompted
> for my password again.
>
> --
> -------
> inum: 883510009027723
> sip: jungleboo...@sip2sip.info
