{"id":14110352,"url":"https://github.com/LeChatP/RootAsRole","last_synced_at":"2025-08-01T10:33:28.852Z","repository":{"id":149048762,"uuid":"146460761","full_name":"LeChatP/RootAsRole","owner":"LeChatP","description":"A memory-safe and security-oriented alternative to sudo/su commands","archived":false,"fork":false,"pushed_at":"2024-05-22T12:19:20.000Z","size":5760,"stargazers_count":123,"open_issues_count":2,"forks_count":6,"subscribers_count":8,"default_branch":"main","last_synced_at":"2024-05-22T12:48:05.643Z","etag":null,"topics":["capabilities","linux","rbac","rust","su","sudo"],"latest_commit_sha":null,"homepage":"https://lechatp.github.io/RootAsRole/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/LeChatP.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-08-28T14:35:23.000Z","updated_at":"2024-05-30T00:21:23.291Z","dependencies_parsed_at":"2023-09-23T04:25:28.378Z","dependency_job_id":"251c1119-0a58-4962-9ee0-dc09d3b70d01","html_url":"https://github.com/LeChatP/RootAsRole","commit_stats":null,"previous_names":["lechatp/rootasrole"],"tags_count":11,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LeChatP%2FRootAsRole","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LeChatP%2FRootAsRole/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LeChatP%2FRootAsRole/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LeChatP%2FRootAsRo
le/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/LeChatP","download_url":"https://codeload.github.com/LeChatP/RootAsRole/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":228369248,"owners_count":17909217,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["capabilities","linux","rbac","rust","su","sudo"],"created_at":"2024-08-14T10:02:48.574Z","updated_at":"2025-08-01T10:33:28.712Z","avatar_url":"https://github.com/LeChatP.png","language":"Rust","funding_links":[],"categories":["Rust","Applications"],"sub_categories":["Security tools"],"readme":"\u003c!-- markdownlint-capture --\u003e\n\u003c!-- markdownlint-disable --\u003e\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"./RootAsRolev2.svg\" width=30%\u003e\n \u003c/p\u003e\n \u003cp align=\"center\"\u003e\n  \n\u003cimg alt=\"Build Status\" src=\"https://img.shields.io/github/actions/workflow/status/LeChatP/RootAsRole/build.yml?label=Build\"/\u003e\n\u003cimg alt=\"Test Status\" src=\"https://img.shields.io/github/actions/workflow/status/LeChatP/RootAsRole/tests.yml?label=Unit%20Tests\"\u003e\n\u003ca href=\"https://codecov.io/gh/LeChatP/RootAsRole\" \u003e\u003cimg src=\"https://codecov.io/gh/LeChatP/RootAsRole/branch/main/graph/badge.svg?token=6J7CRGEIG8\"/\u003e\u003c/a\u003e\n \u003cimg alt=\"GitHub\" src=\"https://img.shields.io/github/license/LeChatP/RootAsRole\"\u003e\n\n\u003c/p\u003e\n\u003c!-- The project version is managed on json file in resources/rootasrole.json --\u003e\n\u003c!-- markdownlint-restore --\u003e\n\n# 
RootAsRole (V3.1.1) — A better alternative to `sudo(-rs)`/`su` • ⚡ Blazing fast • 🛡️ Memory-safe • 🔐 Security-oriented\n\nRootAsRole is a Linux/Unix privilege delegation tool based on **Role-Based Access Control (RBAC)**. It empowers administrators to assign precise privileges — not full root — to users and commands.\n\n**[📚 Full Documentation for more details](https://lechatp.github.io/RootAsRole/)**\n\n\n## 🚀 Why do you need RootAsRole?\n\nMost Linux systems break the [Principle of Least Privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege). Tools like `sudo` give **full root**, even if you just need one capability like `CAP_NET_RAW`.\n\nRootAsRole solves this:\n- Grants **only the required capabilities**\n- Uses **roles and tasks** to delegate rights securely\n- Better than `sudo`, `doas`, `setcap`, or `pam_cap` (see the comparison table below)\n\n## ⚙️ Features\n\n* [A structured access control model based on Roles](https://dl.acm.org/doi/10.1145/501978.501980)\n  * [Role hierarchy](https://dl.acm.org/doi/10.1145/501978.501980)\n  * [Static/Dynamic Separation of Duties](https://dl.acm.org/doi/10.1145/501978.501980)\n* [Linux Capabilities](https://man7.org/linux/man-pages/man7/capabilities.7.html) support\n* [Highly configurable](https://lechatp.github.io/RootAsRole/chsr/file-config.html)\n* Command matching with [glob](https://docs.rs/glob/latest/glob/) for binary path and [PCRE2](https://www.pcre.org/) for command arguments\n* 🛠️ Configuration Helpers:\n   * [capable](https://github.com/LeChatP/RootAsRole-capable): Analyze command rights\n   * [gensr](https://github.com/LeChatP/RootAsRole-gensr): Generate policy from Ansible playbooks\n\n## 📊 Why It’s Better Than Others\n\n| Feature                                  | setcap??          
| doas       | sudo                           | sudo-rs                       | sr (RootAsRole)                                          |\n|------------------------------------------|-------------------|------------|--------------------------------|--------------------------------|----------------------------------------------|\n| **Change user/groups**                   | N/A               | ✅  | ✅ | ✅ | ✅✅ mandatory or optional                       |\n| **Environment variables**                | N/A               | partial  | ✅ | partial                     | ✅                                    |\n| **Specific command matching**            | N/A               | strict | strict \u0026 regex            | strict \u0026 wildcard            | strict \u0026 regex                       |\n| **Centralized policy**                   | ❌                | ❌         | ✅                    | ❌                            | Planned                                          |\n| **Secure signal forwarding**             | N/A               | ❌         | ✅                            | ✅                            | Planned                                      |\n| **Set capabilities**                     | ⚠️ files     | ❌         | ❌                             | ❌                            | ✅                                 |\n| **Prevent direct privilege escalation**  | ❌                | ❌         | ❌                             | ❌                            | ✅                         |\n| **Untrust authorized users**             | ❌                | ❌         | ❌                             | ❌                            | ✅                   |\n| **Standardized policy format**       | ❌                | ❌     | ❌                         | ❌                        | ✅                                   |\n| **Scalable access control model**        | N/A               | ❌ ACL        | ❌ ACL                            | ❌ ACL                           | ✅ RBAC              
                           |\n\n\n## 📥 Installation\n\n### 🔧 From Source\n\n### Prerequisites\n\n* [Rust](https://www.rust-lang.org/tools/install) \u003e= 1.76.0\n  * You can install Rust by running the following command:\n    ```sh\n    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh\n    ```\n    (Do not forget to add the cargo bin directory to your PATH with the `. \"$HOME/.cargo/env\"` command)\n* [git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git)\n  * You can install git by running the following commands depending on your distribution:\n    Ubuntu : `sudo apt-get install git`, RedHat : `sudo yum install git`, ArchLinux : `sudo pacman -S git`\n* [clang](https://clang.llvm.org/get_started.html) (or gcc, but clang is highly recommended)\n  * You can install clang by running the following commands depending on your distribution:\n    Ubuntu : `sudo apt-get install clang`, RedHat : `sudo yum install clang`, ArchLinux : `sudo pacman -S clang`\n\n\n### Install Steps\n\n\n\u003e [!WARNING]\n\u003e **This installation process configures RaR with all privileges for the user who installs the program. See [what it does](https://lechatp.github.io/RootAsRole/guide/installation.html#what-does-the-installation-script-do).**\n\u003e  1. `git clone https://github.com/LeChatP/RootAsRole`\n\u003e  1. `cd RootAsRole`\n\u003e  1. `cargo xtask install -bip sudo`\n\n### Install from Linux distributions\n\n**We really need your help to bring the project to Linux distribution repositories! Please contribute 🙏!**\n\n\n## 🧰 Usage\n\n\u003cpre\u003e\nExecute privileged commands with a role-based access control system\n\n\u003cu\u003e\u003cb\u003eUsage\u003c/b\u003e\u003c/u\u003e: \u003cb\u003esr\u003c/b\u003e [OPTIONS] [COMMAND]...\n\n\u003cu\u003e\u003cb\u003eArguments\u003c/b\u003e\u003c/u\u003e:\n  [COMMAND]...  
Command to execute\n\n\u003cu\u003e\u003cb\u003eOptions\u003c/b\u003e\u003c/u\u003e:\n  \u003cb\u003e-r, --role\u003c/b\u003e \u0026lt;ROLE\u0026gt;  Role to select\n  \u003cb\u003e-t, --task\u003c/b\u003e \u0026lt;TASK\u0026gt;  Task to select (--role required)\n  \u003cb\u003e-u, --user\u003c/b\u003e \u0026lt;USER\u0026gt;  User to execute the command as\n  \u003cb\u003e-g, --group\u003c/b\u003e \u0026lt;GROUP\u003c,GROUP...\u003e\u0026gt; Group(s) to execute the command as\n  \u003cb\u003e-E, --preserve-env\u003c/b\u003e          Keep environment variables from the current process\n  \u003cb\u003e-p, --prompt\u003c/b\u003e \u0026lt;PROMPT\u0026gt; Prompt to display\n  \u003cb\u003e-i, --info\u003c/b\u003e         Display rights of executor\n  \u003cb\u003e-h, --help\u003c/b\u003e         Print help (see more with '--help')\n  \u003cb\u003e-V, --version\u003c/b\u003e      Print version\n\u003c/pre\u003e\n\nIf you're accustomed to utilizing the sudo tool and find it difficult to break that habit, consider creating an alias : \n```sh\nalias sudo=\"sr\"\n```\n\n## 🏎️ Performance\n\nRootAsRole **3.1.0** introduced **CBOR** support, significantly boosting performance:\n\n- ⚡ **77% faster** than `sudo` when using a single rule\n- 📈 **Scales 40% better** than `sudo` as more rules are added\n\n[![Performance comparison](https://github.com/LeChatP/RaR-perf/raw/main/result_25-07-04_15.44.png)](https://github.com/LeChatP/RaR-perf)\n\n\u003e 📝 sudo-rs matches sudo performance but crashes with \u003e100 rules ([won’t fix for now](https://github.com/trifectatechfoundation/sudo-rs/issues/1192))\n\n### Why Performance Matters\n\nWhen using **Ansible** (or any automation tool), every task that uses `become: true` will invoke `sr` on the target host.\nWith **RootAsRole (RaR)**, each role and task introduces additional access control logic --- this doesn’t slow you down.\n\n💡 **Here’s the reality**: You can reach the performance of **1 `sudo` rule** with **~4000 RaR 
rules**.\n\nThat means:\n- You can define thousands of fine-grained rules\n- You **enforce better security** (POLP) without degrading performance\n- The system stays **fast, even at scale**\n\n## 🧱 Configuration\n\nUse the `chsr` command to:\n* Define roles and tasks\n* Assign them to users or groups\n\nMore information in the [documentation](https://lechatp.github.io/RootAsRole/chsr/file-config.html)\n\nUse the [capable](https://github.com/LeChatP/RootAsRole-capable) command to:\n* Analyze specific command rights\n* Generate \"credentials\" task structure\n\nUse [gensr](https://github.com/LeChatP/RootAsRole-gensr) for Ansible to:\n* Auto-generate security policies for your playbooks\n* Detect supply chain attacks by reviewing the generated policy\n\n## ✅ Compatibility\n\n* Linux kernel \u003e= 4.3\n\n## 👥 Contributors\n\n* Eddie Billoir : \u003ceddie.billoir@gmail.com\u003e\n* Ahmad Samer Wazan : \u003cahmad.wazan@zu.ac.ae\u003e\n* Romain Laborde : \u003claborde@irit.fr\u003e\n* Rémi Venant: \u003cremi.venant@gmail.com\u003e\n* Guillaume Daumas : \u003cguillaume.daumas@univ-tlse3.fr\u003e\n\n## 🖼️ Logo\n\nThis logo was generated using DALL-E 2 AI. For any license issue or plagiarism, please note that it is not intentional, and don't hesitate to contact us.\n\n## 📜 Licence notice\n\nThis project includes [sudo-rs](https://github.com/memorysafety/sudo-rs) code licensed under the Apache-2 and MIT licenses: \nWe have included cutils.rs and securemem.rs to make the rpassword.rs file work. Indeed, we thought that the password was well managed in this file and we have reused it. As sudo-rs does, rpassword.rs is from the rpassword project (License: Apache-2.0). 
We use it as a replacement of the rpassword project usage.\n\n## 🧪 Sponsored research\n\nThis project was initiated by **IRIT** and sponsored by both **IRIT** and **Airbus PROTECT** through an industrial PhD during 2022 and 2025.\n\n\n## [Link to References](https://lechatp.github.io/RootAsRole/bibliography.html)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FLeChatP%2FRootAsRole","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FLeChatP%2FRootAsRole","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FLeChatP%2FRootAsRole/lists"}