V3.0.5: Add -u and -E options

.github/workflows/build.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - 'main'
+      - 'dev'
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/quality.yml

@@ -20,6 +20,7 @@ on:
   pull_request:
     branches:
       - 'main'
+      - 'dev'
 
 jobs:
 

.github/workflows/tests.yml

@@ -7,6 +7,7 @@ on:
   pull_request:
     branches:
       - 'main'
+      - 'dev'
 
 jobs:
   rust-coverage:

Cargo.toml

@@ -4,7 +4,7 @@ members = ["xtask", "rar-common"]
 [package]
 name = "rootasrole"
 # The project version is managed on json file in resources/rootasrole.json
-version = "3.0.4"
+version = "3.0.5"
 rust-version = "1.76.0"
 authors = ["Eddie Billoir <[email protected]>"]
 edition = "2021"

README.md

@@ -16,7 +16,7 @@
 <!-- The project version is managed on json file in resources/rootasrole.json -->
 <!-- markdownlint-restore -->
 
-# RootAsRole (V3.0.4) : A memory-safe and security-oriented alternative to sudo/su commands
+# RootAsRole (V3.0.5) : A memory-safe and security-oriented alternative to sudo/su commands
 
 **RootAsRole** is a project to allow Linux/Unix administrators to delegate their administrative tasks access rights to users. Its main features are :
 

book/src/chsr/file-config.md

@@ -91,7 +91,12 @@ The following example shows a RootAsRole config without plugins when almost ever
           "name": "t_complete", // Task name, must be unique in the role
           "purpose": "complete", // Task purpose, just a description
           "cred": {
-            "setuid": "user1", // User to setuid before executing the command
+            "setuid": {
+              "fallback": "thefallbackuser", // Fallback user if the -u option is not set
+              "default": "none", // The sr user cannot use -u option in general
+              "add": ["theuser"], // the sr user can use "-u theuser" option
+              "sub": ["anotheruser"] // the sr user cannot use "-u anotheruser" option (overrides add, applies only if default is all)
+            }, // User to setuid before executing the command
             "setgid": [ // Groups to setgid before executing the command, The first one is the primary group
               "group1",
               "group2"

book/src/sr/README.md

@@ -13,6 +13,8 @@
 <u><b>Options</b></u>:
   <b>-r, --role</b> &lt;ROLE&gt;  Role to select
   <b>-t, --task</b> &lt;TASK&gt;  Task to select (--role required)
+  <b>-u, --user</b> &lt;USER&gt;  Specify the user to execute the command as
+  <b>-E, --preserve-env</b>  Preserve environment variables
   <b>-p, --prompt</b> &lt;PROMPT&gt; Prompt to display
   <b>-i, --info</b>         Display rights of executor
   <b>-h, --help</b>         Print help (see more with '--help')

rar-common/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "rootasrole-core"
-version = "3.0.4"
+version = "3.0.5"
 edition = "2021"
 description = "This core crate contains the RBAC and main features for the RootAsRole project."
 license = "GPL-3.0-or-later"
@@ -26,6 +26,7 @@ hex = "0.4"
 log = "0.4"
 syslog = "7.0"
 env_logger = "0.11"
+bon = { version = "3.3.2", features = ["experimental-overwritable"] }
 
 [dev-dependencies]
 log = "0.4"

rar-common/src/api.rs

@@ -9,9 +9,13 @@
 use strum::EnumIs;
 
 #[cfg(feature = "finder")]
-use crate::database::finder::{Cred, ExecSettings, FilterMatcher, TaskMatch, UserMin};
+use crate::database::finder::{ActorMatchMin, Cred, ExecSettings, TaskMatch};
+use crate::database::FilterMatcher;
 
-use crate::database::structs::{SActor, SConfig, SRole, STask};
+use crate::database::{
+    actor::SActor,
+    structs::{SConfig, SRole, STask},
+};
 use once_cell::sync::Lazy;
 static API: Lazy<Mutex<PluginManager>> = Lazy::new(|| Mutex::new(PluginManager::new()));
 
@@ -52,7 +56,7 @@
     matcher: &mut TaskMatch,
 ) -> PluginResultAction;
 #[cfg(feature = "finder")]
-pub type UserMatcher = fn(role: &SRole, user: &Cred, user_struct: &Value) -> UserMin;
+pub type UserMatcher = fn(role: &SRole, user: &Cred, user_struct: &Value) -> ActorMatchMin;
 
 pub type RoleInformation = fn(role: &SRole) -> Option<String>;
 pub type ActorInformation = fn(actor: &SActor) -> Option<String>;
@@ -200,15 +204,15 @@
     }
 
     #[cfg(feature = "finder")]
-    pub fn notify_user_matcher(role: &SRole, user: &Cred, user_struct: &Value) -> UserMin {
+    pub fn notify_user_matcher(role: &SRole, user: &Cred, user_struct: &Value) -> ActorMatchMin {
         let api = API.lock().unwrap();
         for plugin in api.user_matcher_plugins.iter() {
             let res = plugin(role, user, user_struct);
             if !res.is_no_match() {
                 return res;
             }
         }
-        UserMin::NoMatch
+        ActorMatchMin::NoMatch
     }
 
     #[cfg(feature = "finder")]