The  utility  executes  commands  as other users according to the
rules in the configuration file.  The rules  have  the  following
format:  Rules  consist  of the following parts: The action to be
taken if this rule matches.  Options are: The  user  is  not  re‐
quired  to enter a password.  After the user successfully authen‐
ticates, do not ask for a password again for some time.  Environ‐
ment variables other than those listed in are retained when  cre‐
ating  the  environment  for  the  new  process.  Keep or set the
space‐separated specified variables.  Variables may also  be  re‐
moved  with  a  leading  or  set using the latter syntax.  If the
first character of is a then the value to be set  is  taken  from
the  existing  environment  variable of the indicated name.  This
option is processed after the default environment has  been  cre‐
ated.   The  username  to  match.   Groups  may  be  specified by
prepending a colon Numeric IDs are  also  accepted.   The  target
user  the running user is allowed to run the command as.  The de‐
fault is all users.  The command the user is allowed or denied to
run.  The default is all commands.  Be advised that it is best to
specify absolute paths.  If a relative path is specified, only  a
restricted  will be searched.  Arguments to command.  The command
arguments provided by the user need  to  match  those  specified.
The  keyword alone means that command must be run without any ar‐
guments.  The last matching rule determines the action taken.  If
no rule matches, the action is denied.  Comments can be put  any‐
where  in the file using a hash mark and extend to the end of the
current line.  The following quoting rules apply:  The  text  be‐
tween  a  pair  of  double  quotes is taken as is.  The backslash
character escapes the next character, including new line  charac‐
ters, outside comments; as a result, comments may not be extended
over  multiple  lines.   If  quotes  or backslashes are used in a
word, it isn’t considered a keyword.   doas  configuration  file.
The following example permits user aja to install packages from a
preferred  mirror;  group  wheel  to execute commands as any user
while keeping the environment variables and and unsetting permits
tedu to run procmap as root without a password; and  additionally
permits root to run unrestricted commands as itself while retain‐
ing  the  original  PATH.   permit  persist  setenv  {  PKG_CACHE
PKG_PATH } aja cmd pkg_add permit  setenv  {  ‐ENV  PS1=$DOAS_PS1
SSH_AUTH_SOCK   }   :wheel   permit   nopass  tedu  as  root  cmd
/usr/sbin/procmap permit nopass keepenv setenv { PATH }  root  as
root The configuration file first appeared in