doas
or sudo
Yesterday I saw a poll on the FreeBSD forums: a survey about the usage of sudo
or doas
to execute commands as a privileged user.
So far,
doas
is winning as the “new” default choice.
But what is
doas
?
doas
as a sudo
replacement
doas
is a command appeared in OpenBSD 5.8, so it is not that old (around six years old), as a replacement for sudo
. Why? Well, sudo
was not in base, that is the minimal installed system, and therefore it was required to install from packages. OpenBSD developers wanted to provide a tool that could be shipped in base, hence the birth of doas
.
But it was not only a problem of “where” the command was:
sudo
is a quite complex beast and provides a lot of features that, quite frankly, I suspect many users don’t know or don’t use at all. Having a complex piece of code requires a deep introspection to prevent bugs and holes, and being OpenBSD a very accurate operating system, this has reached a point that was not tolerable any more.
sudo
public exposure
According to me, sudo
become popular when operating systems like Apple OS X and Ubuntu started to use it as a way to not let the normal user to log-in as the root
user. Quite frankly, in the beginning, I was disappointed by this choice because, especially with Ubuntu and derivates, the root
user was unchanged and no password was set at all for it. This made administration a little more complex, in my opinion.
Today, a lot of systems use
sudo
, but this command has a lot of features that go over the “simple” task of granting privileges. For example, sudo
allows for an host-aware configuration, so that a single configuration file can be shared across different machines in order to set different rules on all of them.
So far, even if I’ve different machines to orchestrate, I’ve never used such feature.
doas
vs sudo
doas
has a simpler approach than sudo
to the same problem, and provides a more readable configuration. In fact, the syntax for the configuration reminds that of a firewall, in particular of pf
, and is therefore simpler to read even if you don’t know about the command.
Of course,
doas
does support less options than sudo
, but so far I never missed sudo
on machines where I installed doas
.
Which to use?
Quite frankly, I tend to usedoas
as much as possible. The problem is that, on many platforms, the doas
is exactly in the same position sudo
is with regard to OpenBSD: it needs to be installed by packages.
That’s not a problem, because on certain systems (e.g., FreeBSD), both the commands are in packages.
Therefore, use the one that fits better for you, and for me it is
doas
. The only thing that I don’t like in doas
is that it reminds me the run as way of Microsoft Windows…
Conclusions
doas
is an interesting and simpler way of achieving many of the sudo
capabilities without having to deal with huge configuration files.
The only problem I see, and I have up to today, is that sharing machines with colleagues is not as simple as they are used to
sudo
instead of doas
. And having to bounce between the one or the other requires my fingers and my brain to stay focused!