Merge pull request #82 from LeChatP/dev

v3.2.1 - Documentation update

Author: LeChatP

.cargo/config.toml

@@ -41,6 +41,7 @@ coverage = [
 RAR_CFG_TYPE = "json"
 RAR_CFG_PATH = "/etc/security/rootasrole.json"
 RAR_CFG_DATA_PATH = "/etc/security/rootasrole.json"
+RAR_PAM_SERVICE = "dosr"
 RAR_BIN_PATH = "/usr/bin"
 RAR_CFG_IMMUTABLE = "true"
 RAR_CHSR_EDITOR_PATH = "/usr/bin/vim"
@@ -57,5 +58,6 @@ RAR_ENV_DELETE_LIST = "PS4,SHELLOPTS,PERLLIB,PERL5LIB,PERL5OPT,PYTHONINSPECT"
 RAR_ENV_SET_LIST = ""
 RAR_ENV_OVERRIDE_BEHAVIOR = "false"
 RAR_AUTHENTICATION = "perform"
+RAR_EXEC_INFO_DISPLAY = "hide"
 RAR_USER_CONSIDERED = "user"
 RAR_BOUNDING = "strict"

Cargo.toml

@@ -4,8 +4,8 @@ members = ["xtask", "rar-common"]
 [package]
 name = "rootasrole"
 # The project version is managed on json file in resources/rootasrole.json
-version = "3.2.0"
-rust-version = "1.76.0"
+version = "3.2.1"
+rust-version = "1.83.0"
 authors = ["Eddie Billoir <[email protected]>"]
 edition = "2021"
 default-run = "dosr"
@@ -68,9 +68,10 @@ unexpected_cfgs = { level = "allow", check-cfg = ['cfg(tarpaulin_include)'] }
 #bindgen = "^0.66.1"
 serde_json = "1.0"
 toml = "0.8"
+chrono = { version = "0.4", features = ["unstable-locales"] }
 
 [dependencies]
-rar-common = { path = "rar-common", version = "3.2.0", package = "rootasrole-core" }
+rar-common = { path = "rar-common", version = "3.2.1", package = "rootasrole-core" }
 log = "0.4"
 libc = "0.2"
 strum = { version = "0.26", features = ["derive"] }

README.md

@@ -14,7 +14,7 @@
 <!-- The project version is managed on json file in resources/rootasrole.json -->
 <!-- markdownlint-restore -->
 
-# RootAsRole (V3.2.0) — A better alternative to `sudo(-rs)`/`su` • ⚡ Blazing fast • 🛡️ Memory-safe • 🔐 Security-oriented
+# RootAsRole (V3.2.1) — A better alternative to `sudo(-rs)`/`su` • ⚡ Blazing fast • 🛡️ Memory-safe • 🔐 Security-oriented
 
 RootAsRole is a Linux/Unix privilege delegation tool based on **Role-Based Access Control (RBAC)**. It empowers administrators to assign precise privileges — not full root — to users and commands.
 
@@ -109,7 +109,8 @@ Execute privileged commands with a role-based access control system
   <b>-g, --group</b> &lt;GROUP<,GROUP...>&gt; Group(s) to execute the command as
   <b>-E, --preserve-env</b>          Keep environment variables from the current process
   <b>-p, --prompt</b> &lt;PROMPT&gt; Prompt to display
-  <b>-i, --info</b>         Display rights of executor
+  <b>-K</b>                 Remove timestamp file
+  <b>-i, --info</b>         Print the execution context of a command if allowed by a matching task
   <b>-h, --help</b>         Print help (see more with '--help')
   <b>-V, --version</b>      Print version
 </pre>

SECURITY.md

@@ -4,7 +4,60 @@
 
 If there are any vulnerabilities in **RootAsRole**, don't hesitate to _report them_.
 
-1. Send mail at <mailto:[email protected]>.
+1. Send mail at <mailto:[email protected]>. Below is the public PGP key to encrypt your message:
+```
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGN3U8UBEADbe0Wm75Ouew0WIIveLae8tWltIEvKr7rbCse8EHpDbWlESrGu
+tWo5SdIHDUu16YZyih1BrGRQ3AXnPJG/wmWP1Pz+vyMvwaHN0WWzhZS6b/24v0ai
+yLAXQUQCE02haTsn5mj8aMFP2dUhMQYsEYgjPcOJYhm5udxXJeYQAeZTcUnKjrji
+ECR3VErfjjW0SFsI4YkqhFpeOCcXhUR38NszpXPUZ9WcEgsvGB8N8nPqscEYQngI
+Xkk0WvJhkVmJk5NlPTUyhxhuxz7h4ADuYTnmbk5gZK3HKpmDXMVz0fQik6YKUNFv
+UowYA+QhLI892j62HTcBuCc8x9DB0kKTH/nuRjPYnX8tKyOPhgq9NKkOxSC4dOe9
+gTogSdhVA6TZvnbpssvBSz6WPYeIm/jfJdCEMbih2CteireTuyYLMCK2zstKFnnN
+GBrUVdFGdXwuxM5TJB5LotLQ/E/xxstGphGaHi+gKRLSiKV7wlFEhlgWB2l8RuWo
+F9KSOTm81mqCsMF6D4+on72uJV52Tumomc4eU8ESodHAsSiR9QkZ55BnnLu+Y8Wg
+b/axlTI1j2UV1ABxrqaxpb4V/z2DQNtnM/vNhuDi0maXHrUDHQRehwvTn/4mGsbA
+zXUMfOrFqCnh2QXXoCUSOVlgb2quLEJ2xQqr1j01yccPY/8iOC9I/0R0vwARAQAB
+tBxMZUNoYXRQIDxsZWNoYXRwQG91dGxvb2suZnI+iQJNBBMBCAA3FiEEdPQ8V3S+
+HzUn3vpINcFV6gUlEE0FAmN3U8cFCQWjmoACGwMECwkIBwUVCAkKCwUWAgMBAAAK
+CRA1wVXqBSUQTffYD/0Qi/WephoN7JjLEYMID2mBFfdE4Lz6uHjhSEcLAKIrEZF3
+VaNQa7sTug94j9Rkjdk6/GBk3SwHTAtRiTyw+ReNOW5LH3SbUO/we7quexPhZDON
+NbeJmCUX811okJL2av/52swE+MPYJNbn4BX3lWSzgN5fQZ9I/0QUm2yQnjq5vxar
+vbP144GW+ni9MvFYfcYZ6hSRpEhFlbJTJsJAZS4lTxkevg5ZdoIvMo63ZJ3CHTuN
+EfXmPvYxtKvo9h9ESQbMV2A++LDq4/JdBfBSQrXFJq8XL+75aQ7QkakiGp72DwTQ
+ds/MtAXe/3G2tjt7b/ytcNW4C8yPYiCbYdjBkS7aKIRF1XbRsgpARdOfCKsN/9Gu
+iIb/Oy2XqwLq0xTgl9wS9XldSX7sNVyM1DDRm6t1/cLWmqZCroApoIWpQX4SznRe
+3QCZ44eTHq+6b+eSiQZyrqaNDyVUdmXCTrQqXiotI7qQ00Hjigv6K2MInKGaN9Dw
+/nfGxBD3KJOVnTYzSTacB5vbS3NQv0nKBtg3wjaE5/l7Cq6ZQmd4SgGYX3F5wuuz
+jGtBmxe7gcZJzmodBLFflSbo0OFDmERcXyUls8jSEnbzRy8OVP2C2YOvXtxoL86g
+pq2pA+HJRzP6oso2EwXdE8HxBLoZ1tu2vgKv6xduEmkw14cvSeoVzrm8aWxXf7kC
+DQRjd1PHARAA14voBlK6KAaQ2oz+i1e9tiEUFFn5ZXxFdS4uH30Bttidugl1Ccdy
+AeTCSrG5WU/zPilttjjHG+KCBxdFGCVV+r7xYAtuVFfasKVSJyGqDZN6nI9MdKMA
+s3k7t9oz8RVvKWRpnLaxElvrE+k0n38t5LWQAyVrDeBQD0k0yneVZIc6OSaqANV6
+nuy4Z0LWsoC8EIfjIQ+Swx/OrhluwSMObChIh1QU6tZ+S6pp2mZl4hHlRnEA9Ivz
+LOZ2nB4IQ2SJL5jo5l9wFmzEseAsQPlSDowNNdPGik2b00UWfuMdM4BYjG140og9
+5FW87c0LzSYQZ66rmQqOb6c9tAMzjvaeCaaeFW8vIQP3/C1MXYiiLCFKTLg1vG9b
+sasT5nQVmq9ADjXf5uFk6UNKuXf0foUK5m8FTV5uvaZebekDPRUaEcuj8HSUaoER
+TIR59k5rm4Ha9/ZJTspAtv1pyCU/MwLPAWXc1e7Tl0yvnJz6s2/RB88YWd95YfN/
+h3pgKk8RaGkVKFv4bns7SIT4Ni4qxI1vqx07+t2CRQQOiqd9yXehAOsssQCI/p4a
+CIBjeeDxGjqpH6Nho5TlXywvzb50vez6b7P5F2iW5/owqEBn8Rz+LqUeUia9ChAT
+b7AAUeXeBhSq/xC8l3+bstvmTpcjW0kWLn+yovwTJCgB/eR7xALchPsAEQEAAYkC
+PAQYAQgAJhYhBHT0PFd0vh81J976SDXBVeoFJRBNBQJjd1PIBQkFo5qAAhsMAAoJ
+EDXBVeoFJRBNspQQAJK0m4gw3lFv0Vj3q5nIr8HcBn6L995BQwqvVrzAP/Bjl1xH
+s1YmBZoU6zydQybMP6lkh0STwXtzOlTsUxh454vrUp/CzB+Q6mJvXSCyN8gYZiqz
+q4GRNFx2Qppbui6Y+aMXoCtBv410wFxdE0U7i/+ZSf4U6cOi3y34QtBkicRdfPe/
+hb6pe8WAqfzdkv+20lC/aM9sPjdM9r9/KYU6JPZ2knG9T4IJHMXEoxuk/TDZgM5P
+Hl8pAY2LqN4ctbEclN0Z907baLkPBQDdbr38lD2H1isXsEZZxVuk8yoFOHyv2ey0
+amf60BVX/kZgAUO+8v+eMXM+TrQJlRVOj0Jk0qL5HUJZ1yfE1Dzv4OwrVdkGI5e4
+HGu7UgViAT5nQE7ATn7yoH31I00CWDfD1LPXrDsQeFsSYOJdfNFao+yPAYvE8XXL
+AIWocEDRE1ANDJ0rNclgpn4kUtvqbYqdWxW97Ba5+6d9dHFc4CnXHHv6WFoEFTCH
+RGufVgK54ynTLWi87jPoC371KOW3abjoWcsr5m57C2cil9nimjSTID+5w5zWXHip
+0hp8q7N1rChsvkmoU5ZFnF8QjmbLOM2VFIW7hnT5WfXWkSOJLjCExEQuYJEcL7YC
+nfacdGU6XXuJGhgFXCP7BYVQ5e8PlUowe/92T2NSPC7ZGCW0nsa3hH9wr8Jz
+=K6/W
+-----END PGP PUBLIC KEY BLOCK-----
+```
 2. Describe the vulnerability.
 
    If you have a fix, that is most welcome -- please attach or summarize it in your message!
@@ -17,9 +70,12 @@ If there are any vulnerabilities in **RootAsRole**, don't hesitate to _report th
 
 ## Supported Versions
 
-For now, RootAsRole is not distributed widely on repositories because the software is not meant to be production-ready. The objective of 3.0.0 stable version is to be available on linux distributions repositories. So we'll only consider security issues when the software is broadly distributed.
+Here are the supported version for security updates:
+
+| Version | Supported          | End of support (DD-MM-YYYY format) |
+| ------- | ------------------ | -------------------- |
+| >=3.2.0 | :white_check_mark: | N/A
+| < 3.2.0 | :warning:| 31-12-2026         |
+| < 3.0.0 | :x:  | 13-09-2024
 
-| Version | Supported          |
-| ------- | ------------------ |
-| >=3.0.0 | :white_check_mark: |
-| < 3.0.0 | :x:                |
+Starting the version 3.2.0, we start following the [Debian Long Term Support](https://wiki.debian.org/LTS) policy. As 3.2.0 is the first version packaged for Debian repository, we updated this table to support only this version and future versions.

book/src/HISTORY.md

@@ -2,7 +2,7 @@
 
 ## 1.0.0 (August 2018)
 
-RootAsRole initiated by SIERA IRIT CNRS research team with Ahmad Samer WASAN as owner of the proof of concept. It is presented for the first time at "Le capitole du libre" in Toulouse. A paper is published%%cite{wazanRootAsRoleSecureAlternative2021}.
+RootAsRole initiated by SIERA IRIT CNRS research team with Ahmad Samer WAZAN as owner of the proof of concept. It is presented for the first time at "Le capitole du libre" in Toulouse. A paper is published%%cite{wazanRootAsRoleSecureAlternative2021}.
 
 ## 2.0.0 (August 2019)
 

book/src/README.md

@@ -35,14 +35,11 @@ In 2022, we published a journal article about our finding with the `capable` too
 
 In 2023, we published a third article about explaining linux kernel issues @@billoirImplementingPrincipleLeast2023. This article proposes enhancements to achieving a balance between usability and the principle of least privilege, emphasizing the need for precise capability definitions.
 
-In May 2024, we published a more general article about the Administrative privilege on various OS @@billoirImplementingPrincipleLeast2024. This article explores the different approaches implemented by the main operating systems (namely Linux, Windows, FreeBSD, and Solaris) to control the privileges of system administrators in order to enforce the principle of least privilege. We define a set of requirements to manage these privileges properly, striving to balance adherence to the principle of least privilege and usability. We also present a deep analysis of each administrative privilege system based on these requirements and exhibit their benefits and limitations.
+In May 2024, we published a more general article about the Administrative privilege on various OS @@billoirImplementingPrincipleLeast2024. This article explores the different approaches implemented by the main operating systems (namely Linux, Windows, FreeBSD, and Solaris) to control the privileges of system administrators in order to enforce the principle of least privilege.
 
-In July 2024, we studied how to integrate RootAsRole on today's production environment as the project becomes a mature project. This article presents a semi-automated process that improves Ansible-based deployments to have fine-grained control on administrative privileges granted to Ansible tasks. This article is not yet published.
-
-## Comparison with sudo 
-
-By using a role-based access control model, this project allows us to better manage administrative tasks. With this project, you could distribute privileges and prevent them from escalating directly. Unlike sudo does, we don't want to give entire privileges for any insignificant administrative task. You can configure our tool easily with `chsr` command. To find out which capability is needed for a administrative command, we provide the `capable` command. With these two tools, administrators could configure its system to respect the least privilege principle.
+In July 2024, we studied how to integrate RootAsRole on today's production environment as the project becomes a mature project. This article presents a semi-automated process that improves Ansible-based deployments to have fine-grained control on administrative privileges granted to Ansible tasks @@billoirImplementingPrincipleLeast2024b.
 
+In September 2025, we decided to generalize our RootAsRole policy to all Linux access control mechnanisms. This article presents how we unified DAC, DBus within our RaR policy. This article is being published in September 2025 for the ESORICS conference.
 
 ## Scenarios
 

book/src/chsr/README.md

@@ -11,6 +11,9 @@ Chsr is a command-line tool to configure roles, permissions and execution option
   <b>-h, --help</b>                    Show help for commands and options.
   <b>list, show, l</b>                 List available items; use with specific commands for detailed views.
   <b>role, r</b>                       Manage roles and related operations.
+  <b>options, o</b>                    Manage global options.
+  <b>convert, c</b>                    Convert policy file format (json, cbor).
+  <b>editor, e</b>                     Open the configuration file with vim.
 
 
 <u><b>Role Operations:</b></u>