Single password root/user system with doas

Author: Jonathan Vasquez <jon@xyinn.org>
Last Updated: 2023-05-04-0830
Running On: FreeBSD 14.0-CURRENT (main-n262716-d713e0891ff9/GENERIC/amd64)

Preface

For the majority of my time using UNIX-like systems, originally Linux and now FreeBSD, I've always preferred to administer my system as root by using su -. During my daily computing, most of the processes (X11, etc.) are going to be running as unprivileged users. However, when I'm using a computer, what I really like to do is jump deep into the machine world and explore it. A world full of possibilities. So many things to explore, so many things to discover. Oh, where does 0x4000000 lead to?

With that said, it would be annoying to always have to type sudo <cmd> when I'm trying to just be immersed in the machine as root. I want to tinker with it. Change sysctls, create and destroy boot environments. Compile stable/13 and main, and easily just restart my computer, and check out how the system is running on my current hardware, without having to commit. Just reboot into my original boot environment, and I'm done!

For me to have that level of immersion and happiness, I have to be root all the time. As I said, when I'm browsing the web and paying bills, it's definitely gonna be as a normal user. But there will be an open Terminal that will usually also be a Root Terminal -;;-. Just know what you are doing and you'll be ok. And when you mess up, well.. it's fine because you are on ZFS. Just rollback lol. FreeBSD, ZFS, Boot Environments, and the way FreeBSD system upgrading and administration are done, are just meant to be. It's bulletproof.

At the same time, there are a few other things on my mind:

# Example

root@leslie:~ # pw user mod root -w random
Password for 'root' is: xZehM8xUED
root@leslie:~ # pw user show root
root:$6$OB4oeqr/6slrckcf$Wq1JvSjFFM4zmHbYBnEkwu58SSOR.lGQHM2aNWJduD0Bde8nlTiqiBWyBM.CSsjFw3trinUy4y0ZqWFY5Vc8S1:0:0::0:0:Charlie &:/root:/bin/sh

# Commands to star root's password:

root@leslie:~ # pw user mod root -w no
root@leslie:~ # pw user show root
root:*:0:0::0:0:Charlie &:/root:/bin/sh

The problem here is that now you have sudo and its giant codebase. The alternative is to use doas (a lighter replacement for sudo developed by Ted Unangst from OpenBSD) and an alias to wrap su. Once you get doas set up, though, you won't be able to use the persist feature, which lets you use doas without it asking you for the password again for a period of time; that feature only works on OpenBSD.

After thinking about it for a bit, I decided that it's ok not to have persist, and it's not a feature that I truly want or need. Given the goals stated earlier, all I really want to do is essentially let my real user account be able to su - for itself, and accept that user account's password as root authorization. So if that's the case, let's basically replace su - (in a sense) with doas and get that benefit! So first switch to root either via su -, sudo -i, or sudo su -, whatever you want lol. Substitute any users below for your own. Make sure you've got backups in case you screw something up :P

Install doas

root@leslie:~ # pkg install doas

Tell doas to allow the user jon to run any commands as root.

root@leslie:~ # vim /usr/local/etc/doas.conf

permit jon as root

Disable root logins by removing root's password. You should see :*: in the second (password) field:

root@leslie:~ # pw user mod root -w no
root@leslie:~ # pw user show root
root:*:0:0::0:0:Charlie &:/root:/bin/sh

Switch to user jon and remap su to doas su. This wraps our long-time friend su with doas, so doas becomes our gatekeeper.

root@leslie:~ # su -l jon
jon@leslie:~ $ vim ~/.shrc

alias su="doas su"
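One detail of the setup above that is easy to get wrong later is doas.conf rule ordering: doas applies the last rule that matches, so a line added further down the file silently overrides the `permit jon as root` line. The following is an added example, not code from the post or from the doas project: a small POSIX sh evaluator that reports what a doas.conf would decide for a given user. The configuration text (DEMO_CONF) and the users alice, bob and mallory are constructed for the demo; the only rule taken from the post is `permit jon as root`.

```shell
#!/bin/sh
# Added example (not from the original post): a small evaluator for doas.conf
# rules. doas applies the LAST matching rule, so a "permit" or "deny" further
# down the file silently overrides an earlier one. DEMO_CONF is constructed for
# the demo; the only rule taken from the post is "permit jon as root".

DEMO_CONF='# constructed doas.conf (demo only)
permit jon as root
deny alice
permit persist alice as root     # persist is parsed, but only works on OpenBSD
permit nopass bob                # weak: no password prompt at all'

# doas_decision CONF USER [TARGET]
#   Prints "permit", "permit-nopass" or "deny" for USER acting as TARGET
#   (default root). Simplifications of this demo: group identities (":group")
#   and rules carrying a "cmd" clause are skipped, because a full evaluator
#   would need group lookups and the exact command line.
doas_decision() {
    conf=$1; user=$2; target=${3:-root}
    printf '%s\n' "$conf" | {
        set -f                      # no globbing while word-splitting rule lines
        result=deny                 # no matching rule: doas refuses
        while IFS= read -r line; do
            line=${line%%#*}        # drop comments
            set -- $line            # word-split the rule
            if [ $# -lt 2 ]; then continue; fi
            action=$1; shift
            case $action in permit|deny) ;; *) continue ;; esac
            nopass=0
            while [ $# -gt 0 ]; do  # consume options before the identity
                case $1 in
                    nopass) nopass=1; shift ;;
                    nolog|persist|keepenv) shift ;;
                    setenv)         # skip "setenv { VAR ... }" (space-separated braces assumed)
                        shift
                        while [ $# -gt 0 ] && [ "$1" != "}" ]; do shift; done
                        if [ $# -gt 0 ]; then shift; fi ;;
                    *) break ;;
                esac
            done
            identity=$1
            if [ $# -gt 0 ]; then shift; fi
            case $identity in :*) continue ;; esac    # group rule: skipped here
            if [ "$identity" != "$user" ]; then continue; fi
            rule_target=                               # no "as": any target
            if [ "$1" = "as" ] && [ $# -ge 2 ]; then rule_target=$2; shift 2; fi
            if [ -n "$rule_target" ] && [ "$rule_target" != "$target" ]; then continue; fi
            if [ "$1" = "cmd" ]; then continue; fi     # command-specific rule: skipped
            if [ "$action" = permit ] && [ "$nopass" -eq 1 ]; then
                result=permit-nopass
            else
                result=$action
            fi
        done
        printf '%s\n' "$result"
    }
}

for u in jon alice bob mallory; do
    printf '%-8s as root -> %s\n' "$u" "$(doas_decision "$DEMO_CONF" "$u")"
done
```

With the `alias su="doas su"` from the post, a "permit" result means doas will still prompt for the user's own password before handing over the root shell, which is exactly the single-password behaviour being set up; "permit-nopass" means the rule removed that prompt entirely, and a rule further down the file can flip an earlier "deny" into "permit" without any warning.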

Congrats, you are now able to use a system that:

Seamless transition.

Troubleshooting

If, when trying to remove the root password, you get either of these messages:

root@leslie:/usr/home/jon # pw user mod root -w no
pw: entry inconsistent
pw: pw_copy(): Invalid argument

or

root@leslie:/usr/home/jon # passwd
Changing local password for root
New Password:
Retype New Password:
passwd: entry inconsistent
passwd: pam_chauthtok(): Error in service module

You'll want to use the vipw command to manually clear the password field of the root account, and then you can retry the commands above. It should work afterwards.

In the example above, we had:

root:$6$OB4oeqr/6slrckcf$Wq1JvSjFFM4zmHbYBnEkwu58SSOR.lGQHM2aNWJduD0Bde8nlTiqiBWyBM.CSsjFw3trinUy4y0ZqWFY5Vc8S1:0:0::0:0:Charlie &:/root:/bin/sh

After removing the password field (second column), it would look like this:

root::0:0::0:0:Charlie &:/root:/bin/sh

and then if you star out the field with the above steps, it would look like this:

root:*:0:0::0:0:Charlie &:/root:/bin/sh

You could technically just manually star it out, but I kept it as is to allow one to re-use the system commands, and allow the documentation to flow better.
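The three states of the password field just shown (a crypt hash, an empty field, a starred field) are easy to confuse at a glance, and the empty one is the dangerous intermediate state: it is not "no login", it is "login with no password". As an added example (not code from the post), the POSIX sh functions below classify that field from a master.passwd-style entry and succeed only when root's password login is actually disabled. The three entry lines are the ones from the post; the `*LOCKED*` prefix is what pw lock(8) writes and is treated as locked as well. The final block, which feeds `pw user show root` into the check, only runs where pw(8) exists.

```shell
#!/bin/sh
# Added example (not from the original post): classify the password field of a
# master.passwd-style entry so the three states discussed above (a crypt hash,
# an empty field, a starred field) can be checked by a script instead of by eye.
# The three entry lines are the ones shown in the post; "*LOCKED*" is the prefix
# pw lock(8) writes and is treated as locked too.

HASHED_ENTRY='root:$6$OB4oeqr/6slrckcf$Wq1JvSjFFM4zmHbYBnEkwu58SSOR.lGQHM2aNWJduD0Bde8nlTiqiBWyBM.CSsjFw3trinUy4y0ZqWFY5Vc8S1:0:0::0:0:Charlie &:/root:/bin/sh'
EMPTY_ENTRY='root::0:0::0:0:Charlie &:/root:/bin/sh'
STARRED_ENTRY='root:*:0:0::0:0:Charlie &:/root:/bin/sh'

# pw_field ENTRY: prints the second colon-separated column (the password field)
pw_field() {
    rest=${1#*:}              # strip "name:"
    printf '%s\n' "${rest%%:*}"
}

# pw_field_state ENTRY: prints hashed | empty | locked | unknown
pw_field_state() {
    case "$(pw_field "$1")" in
        '')                 printf 'empty\n' ;;   # no password required: the dangerous state
        '*' | '*LOCKED*'*)  printf 'locked\n' ;;  # nothing hashes to "*": password logins refused
        '$'*'$'*)           printf 'hashed\n' ;;  # crypt(3) hash such as $6$salt$...
        *)                  printf 'unknown\n' ;;
    esac
}

# pw_hash_algo ENTRY: names the crypt(3) scheme from the hash prefix
pw_hash_algo() {
    case "$(pw_field "$1")" in
        '$6$'*)  printf 'sha512\n' ;;
        '$5$'*)  printf 'sha256\n' ;;
        '$2b$'*) printf 'bcrypt\n' ;;
        '$1$'*)  printf 'md5\n' ;;
        *)       printf 'none\n' ;;
    esac
}

# root_login_disabled ENTRY: succeeds only when the field is starred or locked,
# which is the state the steps above are meant to leave root in
root_login_disabled() {
    [ "$(pw_field_state "$1")" = locked ]
}

for e in "$HASHED_ENTRY" "$EMPTY_ENTRY" "$STARRED_ENTRY"; do
    printf '%-8s %-8s %s\n' "$(pw_field_state "$e")" "$(pw_hash_algo "$e")" "${e%%:*}:$(pw_field "$e"):..."
done

# On a FreeBSD host, check the live entry; skipped elsewhere since pw(8) is absent.
if command -v pw >/dev/null 2>&1; then
    if root_login_disabled "$(pw user show root)"; then
        echo 'root password login: disabled'
    else
        echo 'root password login: STILL POSSIBLE - rerun: pw user mod root -w no'
    fi
fi
```

Running this after the vipw step is a quick way to confirm you did not stop at the empty-field state; only a "locked" result means the `pw user mod root -w no` step has actually taken effect.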