only need to restrict exec path if the rule specifies a command.

add a hint about path restrictions to man page.
ok deraadt espie

2 files changed, 10 insertions, 5 deletions

diff --git a/usr.bin/doas/doas.c b/usr.bin/doas/doas.c
index 5c36116925f..9482ad7874f 100644
--- a/usr.bin/doas/doas.c
+++ b/usr.bin/doas/doas.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: doas.c,v 1.39 2015/08/27 16:31:02 tedu Exp $ */
+/* $OpenBSD: doas.c,v 1.40 2015/09/01 13:20:53 tedu Exp $ */
 /*
  * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
  *
@@ -433,8 +433,10 @@ main(int argc, char **argv, char **envp)
 	syslog(LOG_AUTHPRIV | LOG_INFO, "%s ran command %s as %s from %s",
 	    myname, cmdline, pw->pw_name, cwd);
 
-	if (setenv("PATH", safepath, 1) == -1)
-		err(1, "failed to set PATH '%s'", safepath);
+	if (rule->cmd) {
+		if (setenv("PATH", safepath, 1) == -1)
+			err(1, "failed to set PATH '%s'", safepath);
+	}
 	execvpe(cmd, argv, envp);
 	if (errno == ENOENT)
 		errx(1, "%s: command not found", cmd);
diff --git a/usr.bin/doas/doas.conf.5 b/usr.bin/doas/doas.conf.5
index 3f269274a8f..bb0407b02b9 100644
--- a/usr.bin/doas/doas.conf.5
+++ b/usr.bin/doas/doas.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: doas.conf.5,v 1.15 2015/08/28 13:19:50 reyk Exp $
+.\" $OpenBSD: doas.conf.5,v 1.16 2015/09/01 13:20:53 tedu Exp $
 .\"
 .\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org>
 .\"
@@ -13,7 +13,7 @@
 .\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 .\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd $Mdocdate: August 28 2015 $
+.Dd $Mdocdate: September 1 2015 $
 .Dt DOAS.CONF 5
 .Os
 .Sh NAME
@@ -73,6 +73,9 @@ The default is all users.
 The command the user is allowed or denied to run.
 The default is all commands.
 Be advised that it's best to specify absolute paths.
+If a cmd is specified, only a restricted
+.Ev PATH
+will be searched.
 .It Ic args ...
 Arguments to command.
 If specified, the command arguments provided by the user