This is a follow-up to a recent discussion on misc@: https://marc.info/?t=143800094500002&r=1&w=2
I suggest two small changes to the example in doas.conf(5): a. make it explicit that the rule allows the users in group wheel to run commands as any user (not just root). b. modify the rule to restrict tedu's use of procmap to root only in order to match the description of the rule's purpose. Index: usr.bin/doas/doas.conf.5 =================================================================== RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v retrieving revision 1.13 diff -u -p -r1.13 doas.conf.5 --- usr.bin/doas/doas.conf.5 27 Jul 2015 21:44:11 -0000 1.13 +++ usr.bin/doas/doas.conf.5 30 Jul 2015 10:14:49 -0000 @@ -105,7 +105,7 @@ it isn't considered a keyword. .El .Sh EXAMPLES The following example permits users in group wsrc to build ports, -wheel to execute commands as root while keeping the environment +wheel to execute commands as any user while keeping the environment variables .Ev ENV , .Ev PS1 , @@ -122,7 +122,7 @@ permit nopass keepenv { \e PKG_DESTDIR PKG_TMPDIR PORTSDIR RELEASEDIR SHARED_ONLY \e SUBPACKAGE WRKOBJDIR SUDO_PORT_V1 } :wsrc permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel -permit nopass tedu cmd /usr/sbin/procmap +permit nopass tedu as root cmd /usr/sbin/procmap .Ed .Sh SEE ALSO .Xr doas 1
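Review bot: In the first hunk (@@ -105,7), the new wording "wheel to execute commands as any user" is only implied by the `:wheel` rule carrying no `as` target, and the text never says so. A reader copying the example may not connect the two. Consider tying the sentence to the syntax, for instance by adding that no target user is named in that rule, or, if root-only access was the intent of the example, adding `as root` to the `:wheel` rule instead of broadening the description.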
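Review bot: In the second hunk (@@ -122,7), `permit nopass tedu as root cmd /usr/sbin/procmap` narrows only this one rule; the line directly above it, `permit nopass keepenv { ENV PS1 SSH_AUTH_SOCK } :wheel`, still names no target and no command. If tedu is also a member of wheel, that rule continues to cover other targets, so the added `as root` changes the documentation's accuracy rather than what tedu can do. It would help for the EXAMPLES text to say whether tedu is assumed to be outside wheel, so the purpose of the last rule is clear.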