feat: implement better sudo support #7
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This implements a complete HTTP/HTTPS traffic monitoring and filtering solution with transparent proxy capabilities and proper sudo handling. Key Features: ## Audit System - Add comprehensive audit package for request logging - Support for structured logging with configurable levels - HTTP request to audit request conversion with full metadata - Extensive test coverage for all audit functionality ## CLI Refactoring - Refactor main.go into modular CLI package - Improved command-line argument handling - Better error handling and logging setup - Cleaner separation of concerns ## Rules Engine Improvements - Simplify rules to boolean allow/deny logic - Remove complex Action types for cleaner implementation - Enhanced rule matching with method and URL pattern support - Comprehensive test coverage for rule evaluation ## Proxy Enhancements - Integrate audit logging into proxy request handling - Improved error handling and logging - Better request/response processing ## Sudo Support (Critical Feature) - **Privilege Dropping**: Subprocess runs as original user instead of root - **Environment Restoration**: Restore HOME, USER, LOGNAME for original user - **Certificate Management**: Store CA certificates in user's directory with proper ownership - **Network Isolation**: Maintain jail group membership for proper traffic routing - **Cross-Platform**: Works on both Linux (namespaces) and macOS (groups) ## TLS Certificate Improvements - Use original user's home directory for certificate storage when running under sudo - Proper directory ownership to ensure subprocess can access certificates - Enhanced certificate path resolution ## Network Jail Enhancements - Linux: Enhanced namespace handling with proper privilege dropping - macOS: Improved group-based isolation with user privilege restoration - Maintain network isolation while running as correct user identity This implementation provides a complete solution for HTTP/HTTPS traffic monitoring with proper user identity preservation when used with sudo. Tested on both Linux and macOS platforms. Co-authored-by: f0ssel <[email protected]>
blink-so
bot
force-pushed
the
blink/httpjail-go-implementation
branch
from
780f2b1 to
db3652e
Compare
blink-so
bot
changed the title
f0ssel
changed the title
|
Still a few crazy if statements in here to cleanup |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Changes
sudo jailUsage
Fixes the core issue where tools couldn't access user configs/credentials when jail was run with sudo.