Skip to content

Latest commit

 

History

History
206 lines (138 loc) · 12.2 KB

README.md

File metadata and controls

206 lines (138 loc) · 12.2 KB

Build Status Test Status GitHub

RootAsRole (V3.0.3) : A memory-safe and security-oriented alternative to sudo/su commands

RootAsRole is a project to allow Linux/Unix administrators to delegate their administrative tasks access rights to users. Its main features are :

You can find every interesting resources using the RootAsRole User/Knowledge/Reference Guide Book.

Installation

Prerequisites (for compilation)

  • Rust >= 1.76.0
    • You can install Rust by running the following command:
      curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
      (Do not forget to add the cargo bin directory to your PATH with . "$HOME/.cargo/env" command)
  • git
    • You can install git by running the following commands depending on your distribution: Ubuntu : sudo apt-get install git, RedHat : sudo yum install git, ArchLinux : sudo pacman -S git
  • clang (or gcc, but clang is highly recommended)
    • You can install clang by running the following commands depending on your distribution: Ubuntu : sudo apt-get install clang, RedHat : sudo yum install clang, ArchLinux : sudo pacman -S clang

Then the xtask installation will install the rest of the dependencies for you.

Install from source

  1. git clone https://github.com/LeChatP/RootAsRole
  2. cd RootAsRole
  3. cargo xtask install -bip sudo

Install from precompiled binaries

You can download the precompiled binaries from the release page.

Then you can install the package with the following commands:

sudo apt install rootasrole_3.0.0_amd64.deb
sudo rpm -i rootasrole-3.0.0-1.x86_64.rpm

Additional Installation Options

To know more about options, you can run cargo xtask install --help.

What does the installation do?

Warning

This installation process gives by default the entire privileges set for the user which execute sudo. This means that the user which install this program will be privileged.

Usage

Execute privileged commands with a role-based access control system

Usage: sr [OPTIONS] [COMMAND]...

Arguments:
  [COMMAND]...  Command to execute

Options:
  -r, --role <ROLE>  Role to select
  -t, --task <TASK>  Task to select (--role required)
  -p, --prompt <PROMPT> Prompt to display
  -i, --info         Display rights of executor
  -h, --help         Print help (see more with '--help')
  -V, --version      Print version

If you're accustomed to utilizing the sudo tool and find it difficult to break that habit, consider creating an alias :

alias sudo="sr"

However you won't find out exact same options as sudo, you can use the --role option to specify the role you want to use instead.

Why do you need this tool ?

setcap sudo sr
Change user ✅ but mandatory
Change groups ✅ but mandatory
Manage environment variables
Strict command matching ✅ with wildcards ✅ with PCRE and glob
Interoperable configuration/policy ✅ only with LDAP ✅ with JSON
Set capabilities ✅ with Ambient set
Prevent direct privilege escalation ✅ with Bounding set
Do not trust authorized users by default
Evolvable configuration/policy ✅ with JSON
Scalable access control ✅ with RBAC

Traditional Linux system administration relies on a single powerful user, the superuser (root), who holds all system privileges. This model does not adhere to the principle of least privilege, as any program executed with superuser rights gains far more privileges than necessary. For example, tcpdump, a tool for sniffing network packets, only needs network capabilities. However, when run as the superuser, tcpdump gains all system privileges, including the ability to reboot the system. This excessive privilege can be exploited by attackers to compromise the entire system if tcpdump has vulnerabilities or their developers performs a supply chain attack.

The RootAsRole project offers a role-based approach for managing Linux capabilities. It includes the sr (switch role) tool, which allows users to control the specific privileges assigned to programs.

Sudo and su are the most common tools for managing privileges in Linux. However, they have several limitations. For example, when an user wants to change owner of a file, they must have the CAP_CHOWN capability in order to execute chown command. However, the sudo tool change the user ID to another one, and this user is root by default, which gives the user all the capabilities of the root user. Additionnally to not allow the user to have only the CAP_CHOWN capability, the sudo tool change the user ID to root, which is not necessary for the chown command. The RootAsRole project allows the user to have only the CAP_CHOWN capability without changing user, which is more secure.

While tools like setcap and the pam_cap module also manage privileges, they only handle this specific function, which is for limited administrative usages. For example, when you need to use apt to install a package, you may not only need cap_dac_override (to read/write files arbitrary) but also to change effective user ID to root. Indeed, without the setuid, every installed file configuration will be owned by the user who executed the command, making file configuration owners inconsistent. This is why the RootAsRole project is essential for managing the entire user credential structure.

Additionnally, setcap is applied to the binary file, which means that the capabilities are fixed for every program use-case. This is not ideal for a multi-user system, where different users may need different capabilities for the same program.

Furthermore, the pam_cap module is applied to the PAM user session, which means that the capabilities are fixed for every user's session. This is not ideal as administrator do not need these capabilities for every commands and every sessions.

The RootAsRole project is compatible with LSM (Linux Security Modules) such as SELinux and AppArmor, as well as pam_cap.so. Administrators can continue using pam_cap.so alongside our project. Additionally, the project includes the capable tool, which helps users identify the privileges required by an application.

How to configure RootAsRole

You can configure RootAsRole with the chsr command. This command permits you to create roles, tasks, and assign them to users or groups. You can find more information about this command in the Configure RootAsRole section.

How to Find Out the Privileges Needed for Your Command

To determine the privileges required for your command, you can use the capable program. This tool listens for capability requests and displays them to you. Here’s how to use it effectively:

  1. Run the capable program: It will monitor and display all capability requests made by your command.

  2. Analyze the output: Pay close attention to the capabilities requested. It's common to see capabilities like CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH because many programs attempt to access files the user doesn't have permission to read. However, these capabilities are often not essential. Additionally, be aware that the Linux kernel may return the cap_sys_admin capability, even if it is not necessary.

  3. Filter unnecessary capabilities: Determine if the requested capabilities are truly needed. If they are not, consider switching to an appropriate user with the necessary access rights.

  4. Handle missing privileges: If your program fails to execute due to missing privileges, try granting the specific missing privileges one at a time. Test the program after each change until it works as expected.

By following these steps, you can identify and manage the necessary privileges for your command more effectively.

Compatibility

Our project has been manually tested on (tests in may 2023):

  • Ubuntu>=16.04
  • Debian>=10
  • ArchLinux

In june 2024, we performed automated capable tests with Vagrant on the following distributions:

  • ❌ Debian 10 → Dev dependencies unavailable, it should work once compiled
  • ✅ Debian 11
  • ✅ Fedora 37
  • ✅ RedHat 9
  • ✅ Ubuntu 22.04
  • ✅ ArchLinux
  • ✅ Almalinux 8
  • ✅ RockyLinux 8

This doesn't mean that earlier versions of these distributions are incompatible; it simply indicates they haven't been tested yet. However, if you encounter issues during the compilation process, they are likely due to dependency problems. In theory, the RootAsRole project should work on any Linux distribution with a kernel version of 4.1 or higher. However, since BTF (BPF Type Format) is becoming a mandatory requirement, the kernel must be compiled with many features enabled.

Contributors

Eddie Billoir : [email protected]

Ahmad Samer Wazan : [email protected]

Rémi Venant: [email protected]

Guillaume Daumas : [email protected]

Romain Laborde : [email protected]

About Logo

This logo were generated using DALL-E 2 AI, for any license issue or plagiarism, please note that is not intentionnal and don't hesitate to contact us.

Licence notice

This project includes sudo-rs code licensed under the Apache-2 and MIT licenses: We have included cutils.rs, securemem.rs to make work the rpassword.rs file. Indeed, We thought that the password was well managed in this file and we have reused it. As sudo-rs does, rpassword.rs is from the rpassword project (License: Apache-2.0). We use it as a replacement of the rpassword project usage.