Merge pull request #62 from LeChatP/temp

Fix install process

Cargo.toml

@@ -4,7 +4,7 @@ members = ["xtask", "rar-common"]
 [package]
 name = "rootasrole"
 # The project version is managed on json file in resources/rootasrole.json
-version = "3.0.3"
+version = "3.0.4"
 rust-version = "1.76.0"
 authors = ["Eddie Billoir <[email protected]>"]
 edition = "2021"

README.md

@@ -16,7 +16,7 @@
 <!-- The project version is managed on json file in resources/rootasrole.json -->
 <!-- markdownlint-restore -->
 
-# RootAsRole (V3.0.3) : A memory-safe and security-oriented alternative to sudo/su commands
+# RootAsRole (V3.0.4) : A memory-safe and security-oriented alternative to sudo/su commands
 
 **RootAsRole** is a project to allow Linux/Unix administrators to delegate their administrative tasks access rights to users. Its main features are :
 
@@ -33,6 +33,12 @@
   * [glob](https://docs.rs/glob/latest/glob/) for binary path
   * [PCRE2](https://www.pcre.org/) for command arguments
 
+If you need help to configure a RootAsRole policy, you can use our **[capable tool](https://github.com/LeChatP/RootAsRole-capable)**. This tool identifies the rights required by specific commands, making it easier to define a precise policy.
+
+For administrators who already use **Ansible playbooks** for their tasks and wish to implement **RootAsRole**, our tool [gensr](https://github.com/LeChatP/RootAsRole-utils) can generate an initial draft of a **RootAsRole policy**. The `gensr` tool works by running your Ansible playbook alongside the [capable tool](https://github.com/LeChatP/RootAsRole-capable), creating a draft policy based on the observed required rights. This process helps administrators to harden their Ansible tasks. It helps to verify eventual third-party supply-chain attacks.
+
+**Note:** The `gensr` tool is still in development and may not work with all playbooks. If you wish to contribute to this project, feel free to make issues and pull requests.
+
 ## <img src="https://lechatp.github.io/RootAsRole/favicon.svg" width="20px"/>  You can find every interesting resources using [the RootAsRole User/Knowledge/Reference Guide Book](https://lechatp.github.io/RootAsRole/).</h2>
 
 ## Installation

book/src/chsr/file-config.md

@@ -23,7 +23,7 @@ The following example shows a RootAsRole config without plugins when almost ever
 ```json
 {
   "version": "3.0.0-alpha.4", // Version of the configuration file
-  "storage": { // Storage settings, where the Roles and Execution options are stored
+  "storage": { // Storage settings, Roles storage location
     "method": "json", // Storage method
     "settings": { // Storage settings
       "immutable": false, // Program return error if the file is not immutable, default is true
@@ -32,7 +32,7 @@ The following example shows a RootAsRole config without plugins when almost ever
   },
   "options": {
     "path": { // Path options
-      "default": "delete", // Default policy for path, delete-all, keep-safe, keep-unsafe, inherit
+      "default": "delete", // Default policy for path, delete, keep-safe, keep-unsafe, inherit
       "add": [ // Paths to add to the whitelist
         "path1",
         "path2"
@@ -43,7 +43,7 @@ The following example shows a RootAsRole config without plugins when almost ever
       ]
     },
     "env": { // Environment options
-      "default": "delete", // Default policy for environment, delete-all, keep-all, inherit
+      "default": "delete", // Default policy for environment, delete, keep, inherit
       "keep": [ // Environment variables to keep
         "env1",
         "env2"
@@ -57,25 +57,25 @@ The following example shows a RootAsRole config without plugins when almost ever
         "env6"
       ]
     },
-    "root": "privileged", // Default policy for root, privileged, user, inherit
-    "bounding": "ignore", // Default policy for bounding, strict, ignore, inherit
+    "root": "privileged", // Default policy for root: privileged, user, inherit
+    "bounding": "ignore", // Default policy for bounding: strict, ignore, inherit
     "wildcard-denied": "*", // Characters denied in any binary path
     "timeout": {
-      "type": "ppid", // Type of timeout, tty, ppid, uid
-      "duration": "15:30:30", // Duration of the timeout
+      "type": "ppid", // Type of timeout: tty, ppid, uid
+      "duration": "15:30:30", // Duration of the timeout in HH:MM:SS format
       "max_usage": 1 // Maximum usage before timeout expires
     }
   },
   "roles": [ // Role list
     {
       "name": "complete", // Role name
-      "actors": [ // Actors granted
+      "actors": [ // Actors granted to the role
         {
           "id": 0, // ID of the actor, could be a name
-          "type": "user" // Type of actor, user, group
+          "type": "user" // Type of actor: user, group
         },
         {
-          "groups": 0, // ID of the group, could be a name
+          "groups": 0, // ID of the group or a list of ID for AND condition
           "type": "group" 
         },
         {
@@ -106,6 +106,14 @@ The following example shows a RootAsRole config without plugins when almost ever
                 "CAP_SYS_ADMIN",
                 "CAP_SYS_BOOT"
               ]
+            },
+            // Dbus credentials are relied to Dbus and Polkit policies. They can be enforced using `gensr` tool
+            "dbus": [
+              "org.freedesktop.login1.Reboot", // DBus method to allow
+            ],
+            // File credentials are relied to file permissions. They can be enforced using `gensr` tool
+            "file": {
+              "/path/to/file": "R", // File path and permission, r for read, w for write, x for execute
             }
           },
           "commands": {
@@ -648,3 +656,7 @@ Here is an example global configuration:
 ```
 
 The `check` list is a list of environment variables that will be checked for unsafe characters. If an environment variable contains unsafe characters, it will be removed from the environment.
+
+## What are dbus and file credentials fields?
+
+the `dbus` and `file` fields are used for gensr tool from RootAsRole-utils repository. They are enforced to the DBus and file permissions. The `dbus` field is used to allow DBus methods. The `file` field is used to allow file permissions. The gensr tool will generate the DBus and file permissions in according to the `setuid` credentials. So gensr tool requires the `setuid` field to be set.

rar-common/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "rootasrole-core"
-version = "3.0.3"
+version = "3.0.4"
 edition = "2021"
 description = "This core crate contains the RBAC and main features for the RootAsRole project."
 license = "GPL-3.0-or-later"

rar-common/src/api.rs

@@ -2,11 +2,11 @@ use std::sync::Mutex;
 
 use capctl::CapSet;
 
+#[cfg(feature = "finder")]
+use log::debug;
 #[cfg(feature = "finder")]
 use serde_json::Value;
 use strum::EnumIs;
-#[cfg(feature = "finder")]
-use log::debug;
 
 #[cfg(feature = "finder")]
 use crate::database::finder::{Cred, ExecSettings, FilterMatcher, TaskMatch, UserMin};

rar-common/src/database/finder.rs

@@ -9,14 +9,14 @@ use std::{
 
 use capctl::CapSet;
 use glob::Pattern;
+use log::{debug, warn};
 use nix::{
     libc::dev_t,
     unistd::{Group, Pid, User},
 };
 #[cfg(feature = "pcre2")]
 use pcre2::bytes::RegexBuilder;
 use strum::EnumIs;
-use log::{debug, warn};
 
 use crate::database::{
     options::{Opt, OptStack},

rar-common/src/database/migration.rs

@@ -1,7 +1,7 @@
 use std::error::Error;
 
-use semver::Version;
 use log::debug;
+use semver::Version;
 
 use crate::version::PACKAGE_VERSION;
 

rar-common/src/database/mod.rs

@@ -1,3 +1,4 @@
+use std::path::Path;
 use std::{cell::RefCell, error::Error, rc::Rc};
 
 use crate::save_settings;
@@ -6,8 +7,8 @@ use crate::version::PACKAGE_VERSION;
 
 use chrono::Duration;
 use linked_hash_set::LinkedHashSet;
-use serde::{de, Deserialize, Serialize};
 use log::debug;
+use serde::{de, Deserialize, Serialize};
 
 use self::{migration::Migration, options::EnvKey, structs::SConfig, versionning::Versioning};
 
@@ -36,25 +37,24 @@ pub fn make_weak_config(config: &Rc<RefCell<SConfig>>) {
     }
 }
 
-pub fn read_json_config(
+pub fn read_json_config<P: AsRef<Path>>(
     settings: Rc<RefCell<SettingsFile>>,
+    settings_path: P,
 ) -> Result<Rc<RefCell<SConfig>>, Box<dyn Error>> {
     let default_remote: RemoteStorageSettings = RemoteStorageSettings::default();
-    let default = &ROOTASROLE.into();
     let binding = settings.as_ref().borrow();
     let path = binding
         .storage
         .settings
         .as_ref()
         .unwrap_or(&default_remote)
         .path
-        .as_ref()
-        .unwrap_or(default);
-    if path == default {
+        .as_ref();
+    if path.is_none() || path.is_some_and(|p| p == settings_path.as_ref()) {
         make_weak_config(&settings.as_ref().borrow().config);
-        Ok(settings.as_ref().borrow().config.clone())
+        return Ok(settings.as_ref().borrow().config.clone());
     } else {
-        let file = open_with_privileges(path)?;
+        let file = open_with_privileges(path.unwrap())?;
         warn_if_mutable(
             &file,
             settings

rar-common/src/lib.rs

@@ -54,8 +54,8 @@ const ROOTASROLE: &str = "target/rootasrole.json";
 
 use std::{cell::RefCell, error::Error, ffi::OsStr, path::PathBuf, rc::Rc};
 
-use serde::{Deserialize, Serialize};
 use log::debug;
+use serde::{Deserialize, Serialize};
 
 pub mod api;
 pub mod database;
@@ -183,7 +183,7 @@ impl Default for Settings {
     fn default() -> Self {
         Self {
             method: StorageMethod::JSON,
-            settings: Some(RemoteStorageSettings::default()),
+            settings: None,
             ldap: None,
         }
     }
@@ -193,7 +193,7 @@ impl Default for RemoteStorageSettings {
     fn default() -> Self {
         Self {
             immutable: None,
-            path: Some(ROOTASROLE.into()),
+            path: None,
             host: None,
             port: None,
             auth: None,

rar-common/src/plugin/hashchecker.rs

@@ -6,9 +6,9 @@ use crate::{
     open_with_privileges,
     util::{final_path, parse_conf_command},
 };
+use log::{debug, warn};
 use nix::unistd::{access, AccessFlags};
 use serde::{Deserialize, Serialize};
-use log::{debug, warn};
 
 use libc::FS_IOC_GETFLAGS;
 use sha2::Digest;

rar-common/src/plugin/hierarchy.rs

@@ -8,8 +8,8 @@ use crate::{
     },
 };
 
-use serde::Deserialize;
 use log::{debug, warn};
+use serde::Deserialize;
 
 #[derive(Deserialize)]
 pub struct Parents(Vec<String>);

rar-common/src/util.rs

@@ -10,9 +10,9 @@ use std::{
 use capctl::{prctl, CapState};
 use capctl::{Cap, CapSet, ParseCapError};
 use libc::{FS_IOC_GETFLAGS, FS_IOC_SETFLAGS};
+use log::{debug, warn};
 use serde::Serialize;
 use strum::EnumIs;
-use log::{debug, warn};
 
 #[cfg(feature = "finder")]
 use crate::api::PluginManager;
@@ -265,8 +265,8 @@ pub fn subsribe(tool: &str) -> Result<(), Box<dyn Error>> {
 #[cfg(not(debug_assertions))]
 pub fn subsribe(tool: &str) -> Result<(), Box<dyn Error>> {
     use env_logger::Env;
-    use syslog::{BasicLogger, Facility, Formatter3164};
     use log::LevelFilter;
+    use syslog::{BasicLogger, Facility, Formatter3164};
     syslog::init(Facility::LOG_AUTH, LevelFilter::Info, Some(tool))?;
     Ok(())
 }

rar-common/src/version.rs

@@ -1,4 +1,4 @@
 // This file is generated by build.rs
 // Do not edit this file directly
 // Instead edit build.rs and run cargo build
-pub const PACKAGE_VERSION: &str = "3.0.3";
+pub const PACKAGE_VERSION: &str = "3.0.4";

resources/rootasrole.json

@@ -109,22 +109,6 @@
                             "/usr/bin/chsr .*"
                         ]
                     }
-                },
-                {
-                    "name": "t_capable",
-                    "purpose": "access to every commands",
-                    "cred": {
-                        "capabilities": {
-                            "default": "all",
-                            "sub": ["CAP_LINUX_IMMUTABLE"]
-                        }
-                    },
-                    "commands": {
-                        "default": "none",
-                        "add": [
-                            "/usr/bin/capable .*"
-                        ]
-                    }
                 }
             ]
         }