{"id":21508858,"url":"https://github.com/oddlama/elewrap","last_synced_at":"2025-09-14T18:28:40.876Z","repository":{"id":178187115,"uuid":"661356400","full_name":"oddlama/elewrap","owner":"oddlama","description":"🥙 Controlled static privilege escalation utility with baked-in authentication rules. The most restrictive and lightweight replacement for sudo, doas or please.","archived":false,"fork":false,"pushed_at":"2024-11-24T00:31:41.000Z","size":52,"stargazers_count":19,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-09T16:53:56.346Z","etag":null,"topics":["authentication","doas","please","privilege-escalation","sudo"],"latest_commit_sha":null,"homepage":"","language":"Nix","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oddlama.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-07-02T15:34:07.000Z","updated_at":"2025-01-28T19:55:10.000Z","dependencies_parsed_at":"2025-04-09T16:44:59.125Z","dependency_job_id":"e290180d-6c2d-43e8-94b9-ad81cd35eedb","html_url":"https://github.com/oddlama/elewrap","commit_stats":null,"previous_names":["oddlama/elewrap"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/oddlama/elewrap","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oddlama%2Felewrap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oddlama%2Felewrap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oddlama%2Felewrap/releases","manifests_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/oddlama%2Felewrap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oddlama","download_url":"https://codeload.github.com/oddlama/elewrap/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oddlama%2Felewrap/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":275147011,"owners_count":25413574,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-14T02:00:10.474Z","response_time":75,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","doas","please","privilege-escalation","sudo"],"created_at":"2024-11-23T21:13:24.291Z","updated_at":"2025-09-14T18:28:40.863Z","avatar_url":"https://github.com/oddlama.png","language":"Nix","funding_links":[],"categories":[],"sub_categories":[],"readme":"[Building](#building) \\| [Installation and Usage](#installation-and-usage-on-nixos) \\| [Module options](#%EF%B8%8F-module-options)\n\n## 🥙 Elewrap\n\nThis is a tiny setuid wrapper program allowing for controlled elevation of privileges,\nsimilar to sudo, doas or please but with significantly less complexity and no dynamic configuration.\nThe authentication rules are kept simple and will be baked in at compile-time,\ncutting down any attack surface to the absolute bare minimum.\n\n- 🔐 All authentication rules will be baked in.\n- ❄️ Provides a 
NixOS module to easily declare wrappers using elewrap to get rid of sudo.\n- 🌱 Tiny and simple program that is easy to audit. [See for yourself](./src/main.rs).\n\n## Building\n\nYou can build an elewrap wrapper simply by cloning this repository and running cargo build:\n\n```bash\n# Export variables (see below)\n$ cargo build\n```\n\nTo set the authentication rules and target command, you will have to export\nsome environment variables before building. These variables are available:\n\n| Variable | Type | Default | Description |\n|---|---|---|---|\n| `ELEWRAP_TARGET_USER` | Required | - | The target user to change to before executing the command. |\n| `ELEWRAP_TARGET_COMMAND` | Required | - | The command to execute after changing to the target user. The executable path must be absolute. The given string will be split on the configured delimiter to allow defining arguments. |\n| `ELEWRAP_TARGET_COMMAND_DELIMITER` | Optional | `\"\\t\"` | The delimiter on which to split the target command. |\n| `ELEWRAP_TARGET_COMMAND_SHA512` | Optional | Unset | If set, authenticates the target binary based on its sha512 hash before executing it. |\n| `ELEWRAP_ALLOWED_USERS` | Optional | Unset (empty list) | A comma-separated list of users for which to allow elevation of privileges using this utility. Leave unset for an empty list. |\n| `ELEWRAP_ALLOWED_GROUPS` | Optional | Unset (empty list) | A comma-separated list of groups for which to allow elevation of privileges using this utility. Leave unset for an empty list. |\n| `ELEWRAP_PASS_ENVIRONMENT` | Optional | Unset (empty list) | A comma-separated list of environment variables which should be allowed to be passed to the target command. |\n| `ELEWRAP_PASS_ARGUMENTS` | Optional | `false` | Whether any additional runtime arguments should be appended to the executed command. |\n\nAfterwards, it is recommended to rename the executable to be able to identify the target command in case several wrappers are built.\nThe ownership of the resulting executable must then be given to `root:root` and the setuid bit must\nbe set. Ideally, set the permissions `4001` to allow execution by anyone while denying any read or write attempts.\n\n## Installation and Usage on NixOS\n\nThis project's flake.nix exposes a module to simplify usage on NixOS.\nTo use it, add elewrap to your own `flake.nix` and use the module in your nixos system configurations.\n\n```nix\n{\n  inputs = {\n    nixpkgs.url = \"github:NixOS/nixpkgs/nixos-unstable\";\n    elewrap.url = \"github:oddlama/elewrap\";\n    elewrap.inputs.nixpkgs.follows = \"nixpkgs\";\n  };\n\n  outputs = { self, nixpkgs, elewrap }: {\n    # Add the module to your system(s)\n    nixosConfigurations.yourhostname = nixpkgs.lib.nixosSystem {\n      system = \"x86_64-linux\";\n      modules = [\n        ./configuration.nix\n        elewrap.nixosModules.default\n      ];\n    };\n  };\n}\n```\n\nIf you use a preinitialized `pkgs` package set, make sure to add `elewrap.overlays.default` to your overlays.\n\nLet's say you now want to allow `telegraf` to run `sensors` with elevated permissions.\nThis is achieved simply by defining a new wrapper for the target executable in `security.elewrap` and\npointing telegraf to the new executable.\n\n```nix\n{ config, pkgs, ... }: {\n  # Define a new wrapper to elevate privileges, refer to the module\n  # options for more information about the options.\n  security.elewrap.sensors = {\n    # We already specify the necessary parameters here\n    # and (by default) ignore any arguments passed at runtime\n    command = [\"${pkgs.lm_sensors}/bin/sensors\" \"-A\" \"-u\"];\n    # Run as root\n    targetUser = \"root\";\n    # Only allow telegraf to elevate privileges\n    allowedUsers = [\"telegraf\"];\n  };\n\n  # Set the path for the sensors executable to the resulting wrapper\n  services.telegraf.extraConfig.inputs.sensors.path = config.security.elewrap.sensors.path;\n}\n```\n\n## ❄️ Module options\n\n## `security.elewrap`\n\nTransparently wraps programs to allow controlled elevation of privileges.\nLike sudo, doas or please, but the authentication rules are kept simple and will\nbe baked into the wrapper at compile-time, cutting down any attack surface\nto the absolute bare minimum.\n\n## `security.elewrap.\u003cname\u003e.path`\n\n| Type    | `str` |\n|---------|-----|\n\nThe resulting wrapper that may be executed by the allowed users and groups\nto run the given command with elevated permissions.\n\n## `security.elewrap.\u003cname\u003e.command`\n\n| Type    | `listOf (either str path)` |\n|---------|-----|\n| Example | `[\"${pkgs.lm_sensors}/bin/sensors\"]` |\n\nThe command that is executed after elevating privileges.\nMay include arguments. The first element (the executable) must be a path.\n\n## `security.elewrap.\u003cname\u003e.targetUser`\n\n| Type    | `str` |\n|---------|-----|\n| Example | `\"root\"` |\n\nThe user to change to before executing the command.\n\n## `security.elewrap.\u003cname\u003e.allowedUsers`\n\n| Type    | `listOf str` |\n|---------|-----|\n| Default | `[]` |\n| Example | `[\"user1\" \"user2\"]` |\n\nThe users allowed to execute this wrapper.\n\n## `security.elewrap.\u003cname\u003e.allowedGroups`\n\n| Type    | `listOf str` |\n|---------|-----|\n| Default | `[]` |\n| Example | `[\"group1\" \"group2\"]` |\n\nThe groups allowed to execute this wrapper.\n\n## `security.elewrap.\u003cname\u003e.passEnvironment`\n\n| Type    | `listOf str` |\n|---------|-----|\n| Default | `[]` |\n| Example | `[\"SOME_ALLOWED_VAR\"]` |\n\nThe environment variables in this list will be allowed to be passed\nto the target command. Anything else will be erased.\n\n## `security.elewrap.\u003cname\u003e.passArguments`\n\n| Type    | `listOf str` |\n|---------|-----|\n| Default | `false` |\n\nWhether any given arguments should be appended to the target command.\nThis will be added to any static arguments given in the command, if any.\n\n## `security.elewrap.\u003cname\u003e.verifySha512`\n\n| Type    | `listOf str` |\n|---------|-----|\n| Default | `true` |\n\nWhether to verify the sha512 of the target executable at runtime before executing it.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foddlama%2Felewrap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foddlama%2Felewrap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foddlama%2Felewrap/lists"}