RootAsRole
A better alternative to sudo(-rs)/su β’ β‘ Blazing fast β’ π‘οΈ Memory-safe β’ π Security-oriented
Install / Use
/learn @LeChatP/RootAsRoleREADME
RootAsRole β A better alternative to sudo(-rs)/su β’ β‘ Blazing fast β’ π‘οΈ Memory-safe β’ π Security-oriented
RootAsRole is a Linux/Unix privilege delegation tool based on Role-Based Access Control (RBAC). It empowers administrators to assign precise privileges β not full root β to users and commands.
π Full Documentation for more details
π Why you need RootAsRole?
Most Linux systems break the Principle of Least Privilege. Tools like sudo give full root, even if you just need one capability like CAP_NET_RAW.
RootAsRole solves this:
- Grants only the required capabilities
- Uses roles and tasks to delegate rights securely
- Better than
sudo,doas,setcap, orpam_cap, see Comparison table below
βοΈ Features
- A structured access control model based on Roles
- Linux Capabilities support
- Highly configurable
- Command matching with glob for binary path and PCRE2 for command arguments
- π οΈ Configuration Helpers:
π Why Itβs Better Than Others
| Feature | setcap?? | doas | sudo | sudo-rs | dosr (RootAsRole) | |------------------------------------------|-------------------|------------|--------------------------------|--------------------------------|----------------------------------------------| | Change user/groups | N/A | β | β | β | β β mandatory or optional | | Environment variables | N/A | partial | β | partial | β | | Specific command matching | N/A | strict | strict & regex | strict & wildcard | strict & regex | | Centralized policy | β | β | β | β | Planned | | Secure signal forwarding | N/A | β | β | β | Planned | | Set capabilities | β οΈ files | β | β | β | β | | Prevent direct privilege escalation | β | β | β | β | β | | Untrust authorized users | β | β | β | β | β | | Standardized policy format | β | β | β | β | β | | Scalable access control model | N/A | β ACL | β ACL | β ACL | β RBAC |
π₯ Installation
Install from Linux distributions
We really need your help to bring the project to Linux distributions repositories! Please contribute π!
Arch Linux (AUR)
git clone https://aur.archlinux.org/dosr.git
cd dosr
makepkg -si
you can also use yay AUR manager or any other one you like. Please vote for the AUR if you want it into pacman extra repo! All you need is an Arch AUR account and you could vote for the AUR π
π§ From Source
Prerequisites
- Rust >= 1.83.0
- You can install Rust by running the following command:
(Do not forget to add the cargo bin directory to your PATH withcurl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh. "$HOME/.cargo/env"command)
- You can install Rust by running the following command:
- git
- You can install git by running the following commands depending on your distribution:
Ubuntu :
sudo apt-get install git, RedHat :sudo yum install git, ArchLinux :sudo pacman -S git
- You can install git by running the following commands depending on your distribution:
Ubuntu :
- clang (or gcc, but clang is highly recommended)
- You can install clang by running the following commands depending on your distribution:
Ubuntu :
sudo apt-get install clang, RedHat :sudo yum install clang, ArchLinux :sudo pacman -S clang
- You can install clang by running the following commands depending on your distribution:
Ubuntu :
Install Steps
[!WARNING] This installation process configures RaR with all privileges for the user who install the program. See what it does.
git clone https://github.com/LeChatP/RootAsRolecd RootAsRolecargo xtask install -bip sudo
π§° Usage
<pre> Execute privileged commands with a role-based access control system <u><b>Usage</b></u>: <b>dosr</b> [OPTIONS] [COMMAND]... <u><b>Arguments</b></u>: [COMMAND]... Command to execute <u><b>Options</b></u>: <b>-r, --role</b> <ROLE> Role to select <b>-t, --task</b> <TASK> Task to select (--role required) <b>-u, --user</b> <USER> User to execute the command as <b>-g, --group</b> <GROUP<,GROUP...>> Group(s) to execute the command as <b>-E, --preserve-env</b> Keep environment variables from the current process <b>-p, --prompt</b> <PROMPT> Prompt to display <b>-K</b> Remove timestamp file <b>-i, --info</b> Print the execution context of a command if allowed by a matching task <b>-h, --help</b> Print help (see more with '--help') <b>-V, --version</b> Print version </pre>If you're accustomed to utilizing the sudo tool and find it difficult to break that habit, consider creating an alias :
alias sudo="dosr"
alias sr="dosr"
ποΈ Performance
RootAsRole 3.1.0 introduced CBOR support, significantly boosting performance:
- β‘ 77% faster than
sudowhen using a single rule - π Scales 40% better than
sudoas more rules are added
π sudo-rs matches sudo performance but crashes with >100 rules (wonβt fix for now)
Why Performance Matters
When using Ansible (or any automation tool), every task that uses become: true will invoke dosr on the target host.
With RootAsRole (RaR), each role and task introduces additional access control logic --- this doesnβt slow you down.
π‘ Hereβs the reality: You can reach the performance of 1 sudo rule with ~4000 RaR rules.
That means:
- You can define thousands of fine-grained rules
- You enforce better security (POLP) without degrading performance
- The system stays fast, even at scale
𧱠Configuration
Use the chsr command to:
- Define roles and tasks
- Assign them to users or groups
More information in the documentation
Use the capable command to:
- Analyze specific command rights
- Generate "credentials" task structure
Use gensr for Ansible to:
- Auto-generate security policies for your playbooks
- Detect supply chain attacks by reviewing the generated policy
β Compatibility
- Linux kernel >= 4.3
π₯ Contributors
- Eddie Billoir : eddie.billoir@gmail.com
- Ahmad Samer Wazan : ahmad.wazan@zu.ac.ae
- Romain Laborde : laborde@irit.fr
- RΓ©mi Venant: remi.venant@gmail.com
- Guillaume Daumas : guillaume.daumas@univ-tlse3.fr
πΌοΈ Logo
This logo were generated using DALL-E 2 AI, for any license issue or plagiarism, please note that is not intentionnal and don't hesitate to contact us.
