RootAsRole (V3.1.1) — A better alternative to sudo(-rs)/su • ⚡ Blazing fast • 🛡️ Memory-safe • 🔐 Security-oriented
RootAsRole is a Linux/Unix privilege delegation tool based on Role-Based Access Control (RBAC). It empowers administrators to assign precise privileges — not full root — to users and commands.
📚 Full Documentation for more details
Most Linux systems break the Principle of Least Privilege. Tools like sudo give full root, even if you just need one capability like CAP_NET_RAW.
RootAsRole solves this:
- Grants only the required capabilities
- Uses roles and tasks to delegate rights securely
- Better than
sudo,doas,setcap, orpam_cap, see Comparison table below
- A structured access control model based on Roles
- Linux Capabilities support
- Highly configurable
- Command matching with glob for binary path and PCRE2 for command arguments
- 🛠️ Configuration Helpers:
| Feature | setcap?? | doas | sudo | sudo-rs | sr (RootAsRole) |
|---|---|---|---|---|---|
| Change user/groups | N/A | ✅ | ✅ | ✅ | ✅✅ mandatory or optional |
| Environment variables | N/A | partial | ✅ | partial | ✅ |
| Specific command matching | N/A | strict | strict & regex | strict & wildcard | strict & regex |
| Centralized policy | ❌ | ❌ | ✅ | ❌ | Planned |
| Secure signal forwarding | N/A | ❌ | ✅ | ✅ | Planned |
| Set capabilities | ❌ | ❌ | ❌ | ✅ | |
| Prevent direct privilege escalation | ❌ | ❌ | ❌ | ❌ | ✅ |
| Untrust authorized users | ❌ | ❌ | ❌ | ❌ | ✅ |
| Standardized policy format | ❌ | ❌ | ❌ | ❌ | ✅ |
| Scalable access control model | N/A | ❌ ACL | ❌ ACL | ❌ ACL | ✅ RBAC |
- Rust >= 1.76.0
- You can install Rust by running the following command:
(Do not forget to add the cargo bin directory to your PATH with
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
. "$HOME/.cargo/env"command)
- You can install Rust by running the following command:
- git
- You can install git by running the following commands depending on your distribution:
Ubuntu :
sudo apt-get install git, RedHat :sudo yum install git, ArchLinux :sudo pacman -S git
- You can install git by running the following commands depending on your distribution:
Ubuntu :
- clang (or gcc, but clang is highly recommended)
- You can install clang by running the following commands depending on your distribution:
Ubuntu :
sudo apt-get install clang, RedHat :sudo yum install clang, ArchLinux :sudo pacman -S clang
- You can install clang by running the following commands depending on your distribution:
Ubuntu :
Warning
This installation process configures RaR with all privileges for the user who install the program. See what it does.
git clone https://github.com/LeChatP/RootAsRolecd RootAsRolecargo xtask install -bip sudo
We really need your help to bring the project to Linux distributions repositories! Please contribute 🙏!
Execute privileged commands with a role-based access control system Usage: sr [OPTIONS] [COMMAND]... Arguments: [COMMAND]... Command to execute Options: -r, --role <ROLE> Role to select -t, --task <TASK> Task to select (--role required) -u, --user <USER> User to execute the command as -g, --group <GROUP<,GROUP...>> Group(s) to execute the command as -E, --preserve-env Keep environment variables from the current process -p, --prompt <PROMPT> Prompt to display -i, --info Display rights of executor -h, --help Print help (see more with '--help') -V, --version Print version
If you're accustomed to utilizing the sudo tool and find it difficult to break that habit, consider creating an alias :
alias sudo="sr"RootAsRole 3.1.0 introduced CBOR support, significantly boosting performance:
- ⚡ 77% faster than
sudowhen using a single rule - 📈 Scales 40% better than
sudoas more rules are added
📝 sudo-rs matches sudo performance but crashes with >100 rules (won’t fix for now)
When using Ansible (or any automation tool), every task that uses become: true will invoke sr on the target host.
With RootAsRole (RaR), each role and task introduces additional access control logic --- this doesn’t slow you down.
💡 Here’s the reality: You can reach the performance of 1 sudo rule with ~4000 RaR rules.
That means:
- You can define thousands of fine-grained rules
- You enforce better security (POLP) without degrading performance
- The system stays fast, even at scale
Use the chsr command to:
- Define roles and tasks
- Assign them to users or groups
More information in the documentation
Use the capable command to:
- Analyze specific command rights
- Generate "credentials" task structure
Use gensr for Ansible to:
- Auto-generate security policies for your playbooks
- Detect supply chain attacks by reviewing the generated policy
- Linux kernel >= 4.3
- Eddie Billoir : eddie.billoir@gmail.com
- Ahmad Samer Wazan : ahmad.wazan@zu.ac.ae
- Romain Laborde : laborde@irit.fr
- Rémi Venant: remi.venant@gmail.com
- Guillaume Daumas : guillaume.daumas@univ-tlse3.fr
This logo were generated using DALL-E 2 AI, for any license issue or plagiarism, please note that is not intentionnal and don't hesitate to contact us.
This project includes sudo-rs code licensed under the Apache-2 and MIT licenses: We have included cutils.rs, securemem.rs to make work the rpassword.rs file. Indeed, We thought that the password was well managed in this file and we have reused it. As sudo-rs does, rpassword.rs is from the rpassword project (License: Apache-2.0). We use it as a replacement of the rpassword project usage.
This project was initiated by IRIT and sponsored by both IRIT and Airbus PROTECT through an industrial PhD during 2022 and 2025.