Philip Guenther (2016-04-01 23:47 +0200): > Sooo close. To quote doas.conf(5): > > The rules have the following format: > > permit|deny [options] identity [as target] [cmd command [args ...]] ... > 'args' is *literal* there, so the correct config line would be > permit nopass support as root cmd /usr/sbin/rcctl args restart ntpd
I think doas.conf(5) is misleading here: the ellipsis in "args ..." implies that "args" is an argument that may be given multiple times. Hence "args ..." should be replaced by "args [arg ...]" as done in the diff below. (Unfortunately, with this diff the rule format will no longer fit on one line.) Index: doas.conf.5 =================================================================== RCS file: /cvs/src/usr.bin/doas/doas.conf.5,v retrieving revision 1.18 diff -p -u -r1.18 doas.conf.5 --- doas.conf.5 2 Jan 2016 08:34:47 -0000 1.18 +++ doas.conf.5 3 Apr 2016 22:25:17 -0000 @@ -35,7 +35,7 @@ The rules have the following format: .Op Ar options .Ar identity .Op Ic as Ar target -.Op Ic cmd Ar command Op Ic args ... +.Op Ic cmd Ar command Op Ic args Op Ar arg ... .Ed .Pp Rules consist of the following parts: @@ -78,7 +78,7 @@ Be advised that it's best to specify abs If a cmd is specified, only a restricted .Ev PATH will be searched. -.It Ic args ... +.It Ic args Op Ar arg ... Arguments to command. If specified, the command arguments provided by the user need to match for the command to be successful.
