1

I want to be able to shut down (or restart) my system without having to enter my password. My /etc/doas.conf looks like this and my user is in the wheel group.

permit nopass :wheel as root cmd /sbin/poweroff
permit nopass :wheel as root cmd /sbin/reboot

permit :wheel

I thought this would be enough so I can enter

$ poweroff

but I get the message

poweroff: must be superuser.

when I do

$ doas poweroff

I still have to enter my password.

How can I configure doas so that my user can poweroff or reboot without having to enter my password? And is it possible to configure it so that I don't have to enter doas at all?

2 Answers

3

The commands that you enter in the doas.conf file (which you should enter with a full path for safety) have to occur exactly like that on the command line. This means that to power off your system, you would type

doas /sbin/poweroff

You may obviously set up a handy alias for this:

alias poweroff='doas /sbin/poweroff'

With that alias in effect, you would just have to use poweroff to power off your system.

Additionally, the last match in the doas.conf file counts. In your case, the permit :wheel matches due to you being in the wheel group, and this does not specify nopass, which means that you will have to use your password with doas to run /sbin/poweroff.

Simply delete that last rule in the doas.conf file (or move it to the top):

permit        :wheel
permit nopass :wheel as root cmd /sbin/poweroff
permit nopass :wheel as root cmd /sbin/reboot
0
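The last-match behaviour described in the first answer above, as an added example (not part of the original post and not doas's own parser): a simplified Python model of the rule forms that appear on this page, run against the question's rule order and the corrected one. The user name `alice` and all function names are assumptions made for illustration.

```python
import shlex

# Constructed inputs: the rule order from the question and the corrected order.
QUESTION_CONF = """
permit nopass :wheel as root cmd /sbin/poweroff
permit nopass :wheel as root cmd /sbin/reboot
permit :wheel
"""
FIXED_CONF = """
permit :wheel
permit nopass :wheel as root cmd /sbin/poweroff
permit nopass :wheel as root cmd /sbin/reboot
"""

def parse_rules(conf):
    """Parse 'permit|deny [nopass] identity [as target] [cmd command]' lines."""
    rules = []
    for line in conf.splitlines():
        tok = shlex.split(line, comments=True)
        if not tok:
            continue
        if tok[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported rule: {line!r}")
        rest = tok[1:]
        nopass = bool(rest) and rest[0] == "nopass"
        if nopass:
            rest = rest[1:]
        if len(rest) % 2 == 0:  # need identity plus key/value pairs
            raise ValueError(f"malformed rule: {line!r}")
        opts = dict(zip(rest[1::2], rest[2::2]))
        if set(opts) - {"as", "cmd"}:
            raise ValueError(f"option outside this model: {line!r}")
        rules.append((tok[0], nopass, rest[0], opts.get("as"), opts.get("cmd")))
    return rules

def decide(conf, user, groups, command, target="root"):
    """Return 'permit', 'permit nopass' or 'deny'; the LAST matching rule wins."""
    verdict = "deny"  # no matching rule means the request is refused
    for action, nopass, ident, as_user, cmd in parse_rules(conf):
        who = ident[1:] in groups if ident.startswith(":") else ident == user
        # cmd is compared as an exact string with the command as typed
        if who and as_user in (None, target) and cmd in (None, command):
            verdict = "permit nopass" if action == "permit" and nopass else action
    return verdict

if __name__ == "__main__":
    for name, conf in (("question", QUESTION_CONF), ("fixed", FIXED_CONF)):
        for command in ("/sbin/poweroff", "poweroff"):
            print(name, command, "->", decide(conf, "alice", {"wheel"}, command))
```

On a real system, `doas -C /etc/doas.conf /sbin/poweroff` prints the verdict doas itself reaches without running the command.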
-1

The doas devs do not believe in allowing specific programs. Usually the specific program lines are just to enable PATH or some other env var. That's why they didn't bother implementing a filter for parameters etc.

The 'nopass' was an afterthought. It's not much used or supported.

My suggestions: enable some other authentication method via PAM to doas and be happy. For example, a fingerprint reader.
