doas for running commands as root on FreeBSD
I’ve used sudo almost as long as I’ve been using Linux and related Unices.
When bringing up a new system, it’s one of the packages I install first, along
with a quick visudo to let the wheel group run commands as root with a
password.
In a recent YouTube video from
the FreeBSD Foundation about setting up a Raspberry Pi with FreeBSD to run as a
NAS, I was surprised to see the presenter using a mysterious other command to
run commands as root: doas.
The doas command has shipped in the base OpenBSD system for a while. According
to the main page, it replaced sudo in OpenBSD 5.8.
- Security improvements:
  - sudo in base has been replaced with doas(1), sudo is available as a package.
I wasn’t able to find an authoritative answer about why doas replaced sudo.
Some ideas among the community:
- sudo is massive and as a result has a large vulnerability surface. It has been the subject of a number of CVEs over the years.
- sudo has never been part of the base OpenBSD system, and the engineers wanted something they could include in base. I’m not sure why they couldn’t just include sudo. 🤷‍♀️
doas emphasizes minimalism and utility. It has a simpler configuration syntax
than sudo. For single-user systems and simpler multi-user setups, it is
perfectly adequate. sudo on the other hand has a rich set of configuration
options that allows fine-grained control of users, groups, and sets of utilities
they can access.
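To make the syntax comparison concrete, here is the wheel-group-with-password setup from the top of this post written as a doas rule, with a small check for rules that drop the password prompt or keep the caller's environment. This is an added example, not code from the doas project; the function names and the sudoers line shown in the comment are assumptions, and the audit assumes whitespace-separated tokens.

```shell
#!/bin/sh
# Added example. A typical sudoers line for the setup described above:
#   %wheel ALL=(ALL:ALL) ALL
# The doas equivalent is a single rule: members of wheel may run any
# command as root after entering their own password.

# Write that rule to the file named in $1. On FreeBSD the doas package
# reads /usr/local/etc/doas.conf; once doas is installed, check the file
# with: doas -C /usr/local/etc/doas.conf
write_wheel_rule() {
    printf 'permit :wheel\n' > "$1"
}

# Print "<line number>: <finding>: <rule>" for every permit rule in $1
# that uses nopass or keepenv. Only the option list, which sits between
# "permit" and the identity, is inspected, so a user or command that
# happens to be named "nopass" is not reported.
audit_doas_conf() {
    awk '
        /^[[:space:]]*(#|$)/ { next }      # skip comments and blank lines
        $1 == "permit" {
            for (i = 2; i <= NF; i++) {
                if ($i == "setenv") {      # skip the whole { ... } block
                    while (i <= NF && $i != "}") i++
                    continue
                }
                if ($i == "nopass")  { print NR ": nopass: " $0;  continue }
                if ($i == "keepenv") { print NR ": keepenv: " $0; continue }
                if ($i == "nolog" || $i == "persist") continue
                break                      # first non-option is the identity
            }
        }
    ' "$1"
}

# When run with a file argument, audit that file.
if [ "$#" -gt 0 ]; then
    audit_doas_conf "$1"
fi
```
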
One more thing: the author of doas published a small “doas
mastery” explainer, though as of this writing it seems to be
unavailable.