"doas" allow user to run command with other user and set environment variables

Question

There are two normal users on my OpenBSD machine ("user" and "TESTUSER") and I have this doas config:

# cat /etc/doas.conf                                                                                                                                                                           
permit setenv { DISPLAY=:0 } nopass user /usr/X11R6/bin/xcalc as TESTUSER
# 

But when I try to run the "xcalc" with the "user" (as "TESTUSER") I only got a syntax error:

$ id
uid=1000(user) gid=1000(user) groups=1000(user), 0(wheel)
$ doas /usr/X11R6/bin/xcalc
doas: syntax error at line 1
$ 

The Question: what syntax error did I make?

https://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/doas.1 https://man.openbsd.org/doas.conf

Answer 1

Your configuration

permit setenv { DISPLAY=:0 } nopass user /usr/X11R6/bin/xcalc as TESTUSER

does not follow the format in the manual (this is where the syntax error comes from):

permit|deny [options] identity [as target] [cmd command [args ...]]

The command should come last:

permit setenv { DISPLAY=:0 } nopass user as TESTUSER cmd /usr/X11R6/bin/xcalc

Then you will need to invoke doas as

$ doas -u TESTUSER /usr/X11R6/bin/xcalc

https://man.openbsd.org/doas.conf