{"id":20751446,"url":"https://github.com/p-gen/sys","last_synced_at":"2025-04-28T13:32:25.220Z","repository":{"id":222027348,"uuid":"521996955","full_name":"p-gen/sys","owner":"p-gen","description":"sys is a kind of alternative to sudo when many users need to be able to temporarily act as other users, including root, in a controlled way.","archived":false,"fork":false,"pushed_at":"2024-05-25T13:54:03.000Z","size":320,"stargazers_count":6,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-30T10:04:35.827Z","etag":null,"topics":["sudo"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/p-gen.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-08-06T16:24:33.000Z","updated_at":"2025-02-20T10:11:25.000Z","dependencies_parsed_at":null,"dependency_job_id":"1a81426e-14bb-47c5-a13c-d5e7127e15a3","html_url":"https://github.com/p-gen/sys","commit_stats":null,"previous_names":["p-gen/sys"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p-gen%2Fsys","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p-gen%2Fsys/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p-gen%2Fsys/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/p-gen%2Fsys/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/p-gen","download_url":"https://codeload.github.
com/p-gen/sys/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251319792,"owners_count":21570456,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["sudo"],"created_at":"2024-11-17T08:33:35.187Z","updated_at":"2025-04-28T13:32:25.176Z","avatar_url":"https://github.com/p-gen.png","language":"C","readme":"..\n  ###################################################################\n  Copyright 2022, Pierre Gentile (p.gen.progs@gmail.com)\n\n  This Source Code Form is subject to the terms of the Mozilla Public\n  License, v. 2.0. If a copy of the MPL was not distributed with this\n  file, You can obtain one at https://mozilla.org/MPL/2.0/.\n  ###################################################################\n\n**************************************************************************\nsys, an alternative tool to sudo.\n**************************************************************************\n\nTL;DR\n=====\n**sys** is a **sudo**-like tool optimized for multi-user\nenvironments where users need to temporarily gain another user's\nprivileges based on a set of conditions.\n\nThe **sys** configuration files are command-based, not user-based like\n**sudo** but, like **sudo**, **sys** can allow certain categories of users\nto run any command if they meet all the required conditions.\n\n**sys** also has some additional features such as the possibility\nto force or restrict the environment and the command line\narguments using patterns and regular expressions.\n\nRead on to find out more about its 
features.\n\nDisclaimer.\n===========\nPlease feel free to comment, especially on security aspects and potential\nvulnerabilities.\n\nRemark.\n=======\nSome specifications are still subject to change, so please let me know if\nyou have any comments.\n\nConcepts.\n=========\n**sys** runs commands as root or as another user. In order to do that, it\nlocates and interprets *rules* stored in data files or in its cache.\nIt was designed for an environment with many end users but is easy to\nuse even if there is only one user in addition to root.\n\nHere is a correct example of a possible rule to launch a root bash shell.\nAll users, except *pierre*, will be asked to enter a password::\n\n  bash\n    cmd:bash $*\n    environment:\n    users:pierre\n    password:\n\nAccording to this rule, you can enter at the shell prompt (here ``$``\nis the non-root shell prompt)::\n\n  $ sys bash [bash_options...]\n\nHere is another way to do a similar thing using ksh instead of bash with a\nmore elaborate rule in a ``.dat`` file.\nThe first four lines do not belong to the rule but explain how variables\ncan be created and used in data files::\n\n  @ADM_GRP:sys,wheel\n  @ESC:$'\\e'\n  @RED:@{ESC}[32m\n  @NO_COLOR:@{ESC}[0m\n\n  root_shell\n    cmd:ksh $*\n    uid:root\n    gid:root\n    $ENV:false\n    $PS1:{@{RED}sys@{NO_COLOR}}@${HOSTNAME}\" # \"\n    environment:\n    users:pierre\n    groups:@{ADM_GRP}\n    paths:/usr/bin,/bin,/usr/local/bin\n\nThis rule can be searched and interpreted using the following command line::\n\n  $ sys root_shell [ksh_options...]\n\nwhich will run the *ksh* executable as root if the current user belongs\nto the *sys* or *wheel* group and if the *ksh* executable is in one of\nthe listed paths.\nThe current environment will be transmitted unchanged with the exception\nof the ``PS1`` variable which will be added or overridden.\n\nDirect command invocation, as in **sudo**, is possible with a\nwildcard-like rule.\n\nData files are interpreted once and cached. 
They are, of course,\ninterpreted again if their content changes, and the cache is then\nupdated.\n\nSee the manual for details on rule syntax, wildcard rules and so on.\n\nA global configuration file named ``sys.cfg`` must also be provided.\n\nCompilation and installation.\n=============================\nThe script ``build.sh``, based on the traditional configure from GNU,\nis provided. You can get some help using the ``--help`` option.\n\nBuilding **sys** requires some attention as configuration directories\nhave to be given to the build mechanism:\n\n- The directory where sys will search for the file ``sys.cfg`` (*CFGDIR*).\n  This directory also defaults to ``/etc``.\n- On most systems it is also highly recommended to enable\n  PAM authentication with the ``--enable-pam`` option.\n\n  When neither ``--enable-pam`` nor ``--enable-pam=yes`` is used, or when PAM\n  is not available or its development components are not installed,\n  the standard authentication method using the password/shadow mechanism\n  is automatically selected as if ``--enable-pam=no`` had been used.\n- Plugins, as dynamically loadable code, can be used to add custom\n  filtering parameters in a rule. 
They are disabled by default.\n\nExample::\n\n  $ ./build.sh --with-cfgdir=/etc         \\\n               --enable-pam               \\\n               --enable-plugins           \\\n               --other_configure_settings...\n\nA list of directories in which **sys** will search for the data files\ncontaining the rules must also be added to the ``sys.cfg`` file,\nas in the example below.\n\n::\n\n  ...\n  [Directories]\n\n  Data    = /opt/etc/sys /etc/sys\n  Logs    = /var/log/sys\n  Plugins = /etc/sys/plugins\n  ...\n\nConfiguration.\n==============\nRefer to the ``sys(8)`` and ``sys.cfg(5)`` manual pages to create and\npopulate data directories with rules and fill in the configuration file.\n\nPermissions.\n============\nThe permissions of the directory identified as *CFGDIR* in the previous\nsection must be **0700**.\nIts owner must be **root**:**root**.\nThis is not automatically done during the installation to avoid\naccidentally changing the permissions of existing directories.\n\nThe directories indicated in the *Directories* section of ``sys.cfg``\nmust also belong to **root**:**root** and have their permissions set to\n**0700**.\nAll the files in these directories must have their permissions set\nto **0600**.\n\nExample using the setting above::\n\n  [root:root drwx------] /opt/etc/sys\n  [root:root -rw-------]   base.dat\n  [root:root -rw-------]   default.dat\n\n  [root:root drwx------] /etc/sys\n  [root:root -rw-------]   main.dat\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fp-gen%2Fsys","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fp-gen%2Fsys","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fp-gen%2Fsys/lists"}