Skip to content

3.0.0-alpha.3
Compare
Choose a tag to compare
@LeChatP LeChatP released this 30 Aug 09:07
· 335 commits to main since this release
v3.0.0-alpha.3
76a4685
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

By rewriting this program entirely in Rust, I could add new features quickly and get almost the same performance as the C version. Rust language is appropriate for our software. And the rewriting was easy.

However, today, I would like to say what differs in this version:

From the most to the least exciting changes

  • Full Rust Rewriting, no more C !
    • The sr binary is to execute a task with a role
    • The chsr binary is to modify the configuration and the RootAsRole policy with command line arguments or fancy terminal interface
    • The capable binary determines which capabilities are needed for a program.
  • Role hierarchy managed (role parents' tasks will be included)
    • Parent roles and their tasks are Included in partial order comparison.
    • This role will be chosen if a task is less privileged in its parents.
    • TODO: chsr needs to be managed with cursive.
  • Static separation of duties (SSD) implemented
    • If one role defines another role as SSD, actors cannot be in this role
    • This is checked on chsr. Configurator no longer needs to check it manually; it will be informed as denied.
    • This is checked on sr. If a user is added to a group that conflicts with SSD, conflicting roles are forbidden.
    • TODO: Editing the configuration of SSD with chsr.
  • sr now handles timestamp cookies!
    • This means that sr doesn't require authentication for every command executed before a certain delay. This is entirely configurable like sudo does.
  • Thanks to the Aya framework, The capable eBPF program is now in Rust. It simplifies the compilation process, which was the main problem with the C version.
  • Capabilities are now entirely documented, thus automatically dumped from the capabilities manual.
  • Better Command parsing
    • Binary Path is matched with the extended glob syntax.
      • ** means any path; you could translate it by "anything, everywhere".
      • * means any direct file on the current path here will be relative to the current working directory.
    • The previous meaning of ** was changed to ALL. So ALL means any command and any arguments. This is because the meaning of ** exists in the glob syntax and could be confusing.
    • Paths are now canonicalized.
    • Arguments can use PCRE2 to match. See here to build your regular expression
  • Configuration file Versionning management implemented
    • This means that any upgrade of the current configuration will be managed and automatically migrated from one version to another.
  • Now, capabilities can be denied from role definition, and their parents are included
  • libxml2 is still needed to verify DTD
    • This negatively impacts performance because the program parses two times the configuration file
    • Today, XML rust crates do not provide every needed feature. SXD is the most complete one, so I implemented a part of libxml2 C bindings, but it needs to be completed and could be complex to enhance.
    • One day, I will consider migrating to JSON or YAML... However, I enforce the need for Schema Validation, which is not provided by default.
  • Switched to Termion backend for cursive interface.

Full Changelog: v3.0.0-alpha.2...v3.0.0-alpha.3

Assets 2
Loading