Fixing doas: not installed setuid on macOS (MacPorts)
Date: 2026-02-08
Host: macOS (MacPorts prefix: /opt/local)
Component: doas (MacPorts)
My WireGuard client app failed to load profiles because the code path relies on doas for privilege escalation. This fix corrects the macOS (MacPorts) doas installation so the client can elevate properly.
doas: not installed setuid
…and exiting with status 1.
Root Cause
On macOS, MacPorts installs doas without the setuid bit by default.
Because doas is not setuid-root, it cannot elevate privileges. Any command relying on it will immediately fail, including:
- WireGuard interface bring-up scripts
- Because I depend on
doasand mostly ignoresudo - Any privileged system operation routed through
doas
This is not a WireGuard bug. It is a permissions issue.
Verify the Problem
Run:
/opt/local/bin/doas id
If you see:
doas: not installed setuid
Then the binary is missing required permissions.
Fix
Set correct ownership
sudo chown root:wheel /opt/local/bin/doas
Enable setuid
sudo chmod 4755 /opt/local/bin/doas
Verify
ls -l /opt/local/bin/doas
Expected output:
-rwsr-xr-x 1 root wheel ...
The s bit is mandatory.
Confirm doas Works
/opt/local/bin/doas id
Expected:
uid=0(root) gid=0(wheel) groups=0(wheel)
If this fails, nothing that depends on doas will work.
Verify Configuration
Ensure this file exists:
/opt/local/etc/doas.conf
Minimal safe configuration:
permit persist :wheel
User-specific alternative:
permit persist mcapella
Re-test WireGuard
/opt/local/bin/doas /Applications/WireGuardClient.app/Contents/Resources/scripts/wg-multi-macos.sh up skynet.conf
If there are further errors now, they are real WireGuard errors, not privilege failures.
Notes
- macOS updates or MacPorts upgrades can remove the setuid bit
- This fix may need to be re-applied after reinstalling
doas - WireGuard profiles and scripts were not at fault
Status
- ✅ Root cause identified
- ✅ Privilege escalation restored
- ✅ WireGuard scripts unblocked