Debian packaging

.cargo/config.toml

@@ -1,2 +1,2 @@
 [alias]
-xtask = "run --package xtask --release --"
+xtask = "run --package xtask --release --bin xtask --"

Cargo.toml

@@ -25,6 +25,7 @@ maintainance ={ status = "actively-maintained", badge = "https://img.shields.io/
 strip = "symbols"
 lto = true
 opt-level = "s"
+codegen-units = 1
 
 #[features]
 #cursive_lib = [ "cursive" ]
@@ -33,13 +34,18 @@ opt-level = "s"
 [[bin]]
 name = "sr"
 path = "src/sr/main.rs"
-required-features = ["rar-common/pcre2"]
+required-features = ["finder"]
 
 
 [[bin]]
 name = "chsr"
 path = "src/chsr/main.rs"
 
+[features]
+default = ["finder"]
+finder = ["dep:pcre2", "rar-common/pcre2", "rar-common/finder"]
+
+
 [build-dependencies]
 reqwest = { version = "0.12.4", features = ["blocking", "json"] }
 pcre2 = "0.2.4"
@@ -58,7 +64,7 @@ semver = { version = "1.0.23", features = ["serde"] }
 nix = { version = "0.29.0", features = ["user","process", "signal", "fs"] } 
 #sudoers-reader = { path = "sudoers-reader" }
 capctl = "0.2.4"
-pcre2 = "0.2.7"
+pcre2 = { version = "0.2.7", optional = true }
 serde = { version = "1.0.202", features=["rc"] }
 serde_json = "1.0.117"
 ciborium = "0.2.2"
@@ -72,13 +78,13 @@ linked_hash_set = { version = "0.1.4" }
 derivative = "2.2.0"
 sha2 = "0.10.8"
 sha1 = "0.10.6"
-md5 = "0.7.0"
+#md5 = "0.7.0"
 chrono = "0.4.38"
 pty-process = "0.4.0"
 once_cell = "1.19.0"
 pest = "2.7.8"
 pest_derive = "2.7.8"
-phf = { version = "0.11.2", features = ["macros"] }
+#phf = { version = "0.11.2", features = ["macros"] }
 const_format = "0.2.32"
 hex = "0.4.3"
 
@@ -95,17 +101,17 @@ lazy_static = "1.4.0"
 [package.metadata.deb]
 maintainer = "Eddie Billoir <[email protected]>"
 license-file = "LICENSE"
-depends = "libpam0g, e2fsprogs, libcap2-bin, libpam-modules, libpcre2-8-0"
+depends = "libpam0g, libpam-modules, libpcre2-8-0"
 section = "admin"
 priority = "optional"
-assets =    [ 
+assets =    [
     ["target/release/sr", "usr/bin/sr", "0555"],
     ["target/release/chsr", "usr/bin/chsr", "0555"],
-    ["resources/rootasrole.json", "usr/share/rootasrole/default.json", "0640"],
-    ["resources/debian/deb_sr_pam.conf", "usr/share/rootasrole/pam_sr.conf", "0644"]
+    ["resources/rootasrole.json", "DEBIAN/resources/rootasrole.json", "0640"],
+    ["resources/debian/deb_sr_pam.conf", "DEBIAN/resources/debian/deb_sr_pam.conf", "0644"]
 ]
-conf-files = ["/etc/pam.d/sr"]
-maintainer-scripts = "resources/debian/"
+conf-files = ["/etc/pam.d/sr", "/etc/security/rootasrole.json"]
+maintainer-scripts = "target/release/"
 extended-description = "RootAsRole is a project to allow Linux/Unix administrators to delegate their administrative tasks access rights to multiple co-administrators through RBAC model and Linux Capabilities features."
 
 [package.metadata.generate-rpm]

rar-common/Cargo.toml

@@ -12,38 +12,28 @@ semver = { version = "1.0.23", features = ["serde"] }
 nix = { version = "0.29.0", features = ["user","process", "signal", "fs"] } 
 #sudoers-reader = { path = "sudoers-reader" }
 capctl = "0.2.4"
-pcre2 = "0.2.7"
+pcre2 = { version = "0.2.7", optional = true }
 serde = { version = "1.0.202", features=["rc"] }
 serde_json = "1.0.117"
 ciborium = "0.2.2"
-glob = "0.3.1"
-pam-client = { version = "0.5.0", git = "https://gitlab.com/LeChatP/rust-pam-client.git" }
-pam-sys = "1.0.0-alpha5"
+glob = { version = "0.3.1", optional = true }
 bitflags = { version = "2.5.0" }
 shell-words = "1.1.0"
 syslog-tracing = "0.3.0"
 linked_hash_set = { version = "0.1.4" }
 derivative = "2.2.0"
 sha2 = "0.10.8"
-sha1 = "0.10.6"
-md5 = "0.7.0"
 chrono = "0.4.37"
-pty-process = "0.4.0"
 once_cell = "1.19.0"
-pest = "2.7.8"
-pest_derive = "2.7.8"
-phf = { version = "0.11.2", features = ["macros"] }
-const_format = "0.2.32"
 hex = "0.4.3"
 
 [dev-dependencies]
 env_logger = "*"
 test-log = { version = "0.2.12", features = ["trace"] }
 tracing = "0.1.37"
 tracing-subscriber = { version = "0.3.16", default-features = false, features = ["env-filter", "fmt"] }
-pest-test-gen = "0.1.7"
-pest-test = "0.1.6"
 lazy_static = "1.4.0"
 
 [features]
-pcre2 = []
+pcre2 = ["dep:pcre2"]
+finder = ["dep:glob"]

rar-common/src/api.rs

@@ -6,12 +6,10 @@ use serde_json::Value;
 use strum::EnumIs;
 use tracing::debug;
 
-use crate::database::finder::{Cred, ExecSettings, TaskMatch, UserMin};
+#[cfg(feature = "finder")]
+use crate::database::finder::{Cred, ExecSettings, TaskMatch, UserMin, FilterMatcher};
 
-use crate::database::{
-    finder::FilterMatcher,
-    structs::{SActor, SConfig, SRole, STask},
-};
+use crate::database::structs::{SActor, SConfig, SRole, STask};
 use once_cell::sync::Lazy;
 static API: Lazy<Mutex<PluginManager>> = Lazy::new(|| Mutex::new(PluginManager::new()));
 
@@ -36,30 +34,35 @@ pub enum PluginResult {
 
 pub type ConfigLoaded = fn(config: &SConfig);
 
+#[cfg(feature = "finder")]
 pub type RoleMatcher = fn(
     role: &SRole,
     user: &Cred,
     filter: &Option<FilterMatcher>,
     command: &[String],
     matcher: &mut TaskMatch,
 ) -> PluginResultAction;
+#[cfg(feature = "finder")]
 pub type TaskMatcher = fn(
     task: &STask,
     user: &Cred,
     command: &[String],
     matcher: &mut TaskMatch,
 ) -> PluginResultAction;
-
+#[cfg(feature = "finder")]
 pub type UserMatcher = fn(role: &SRole, user: &Cred, user_struct: &Value) -> UserMin;
 
 pub type RoleInformation = fn(role: &SRole) -> Option<String>;
 pub type ActorInformation = fn(actor: &SActor) -> Option<String>;
 pub type TaskInformation = fn(task: &STask) -> Option<String>;
 
+#[cfg(feature = "finder")]
 pub type DutySeparation = fn(role: &SRole, actor: &Cred) -> PluginResult;
+#[cfg(feature = "finder")]
 pub type TaskSeparation = fn(task: &STask, actor: &Cred) -> PluginResult;
 
 pub type CapsFilter = fn(task: &STask, capabilities: &mut CapSet) -> PluginResultAction;
+#[cfg(feature = "finder")]
 pub type ExecutionChecker = fn(user: &Cred, exec: &mut ExecSettings) -> PluginResult;
 
 pub type ComplexCommandParser =
@@ -74,46 +77,63 @@ macro_rules! plugin_subscribe {
 
 // Define a struct to hold the plugins
 pub struct PluginManager {
+    #[cfg(feature = "finder")]
     role_matcher_plugins: Vec<RoleMatcher>,
+    #[cfg(feature = "finder")]
     task_matcher_plugins: Vec<TaskMatcher>,
+    #[cfg(feature = "finder")]
     user_matcher_plugins: Vec<UserMatcher>,
+    #[cfg(feature = "finder")]
     duty_separation_plugins: Vec<DutySeparation>,
+    #[cfg(feature = "finder")]
     task_separation_plugins: Vec<TaskSeparation>,
     caps_filter_plugins: Vec<CapsFilter>,
+    #[cfg(feature = "finder")]
     execution_checker_plugins: Vec<ExecutionChecker>,
     complex_command_parsers: Vec<ComplexCommandParser>,
 }
 
 impl PluginManager {
     pub fn new() -> Self {
         PluginManager {
+            #[cfg(feature = "finder")]
             role_matcher_plugins: Vec::new(),
+            #[cfg(feature = "finder")]
             task_matcher_plugins: Vec::new(),
+            #[cfg(feature = "finder")]
             user_matcher_plugins: Vec::new(),
+            #[cfg(feature = "finder")]
             duty_separation_plugins: Vec::new(),
+            #[cfg(feature = "finder")]
             task_separation_plugins: Vec::new(),
             caps_filter_plugins: Vec::new(),
+            #[cfg(feature = "finder")]
             execution_checker_plugins: Vec::new(),
             complex_command_parsers: Vec::new(),
         }
     }
 
+    #[cfg(feature = "finder")]
     pub fn subscribe_role_matcher(plugin: RoleMatcher) {
         plugin_subscribe!(role_matcher_plugins, RoleMatcher, plugin);
     }
 
+    #[cfg(feature = "finder")]
     pub fn subscribe_task_matcher(plugin: TaskMatcher) {
         plugin_subscribe!(task_matcher_plugins, TaskMatcher, plugin);
     }
 
+    #[cfg(feature = "finder")]
     pub fn subscribe_user_matcher(plugin: UserMatcher) {
         plugin_subscribe!(user_matcher_plugins, UserMatcher, plugin);
     }
 
+    #[cfg(feature = "finder")]
     pub fn subscribe_duty_separation(plugin: DutySeparation) {
         plugin_subscribe!(duty_separation_plugins, DutySeparation, plugin);
     }
 
+    #[cfg(feature = "finder")]
     pub fn subscribe_task_separation(plugin: TaskSeparation) {
         plugin_subscribe!(task_separation_plugins, TaskSeparation, plugin);
     }
@@ -122,6 +142,7 @@ impl PluginManager {
         plugin_subscribe!(caps_filter_plugins, CapsFilter, plugin);
     }
 
+    #[cfg(feature = "finder")]
     pub fn subscribe_privilege_checker(plugin: ExecutionChecker) {
         plugin_subscribe!(execution_checker_plugins, ExecutionChecker, plugin);
     }
@@ -130,6 +151,7 @@ impl PluginManager {
         plugin_subscribe!(complex_command_parsers, ComplexCommandParser, plugin);
     }
 
+    #[cfg(feature = "finder")]
     pub fn notify_role_matcher(
         role: &SRole,
         user: &Cred,
@@ -151,6 +173,7 @@ impl PluginManager {
         result
     }
 
+    #[cfg(feature = "finder")]
     pub fn notify_task_matcher(
         task: &STask,
         user: &Cred,
@@ -168,6 +191,7 @@ impl PluginManager {
         PluginResultAction::Ignore
     }
 
+    #[cfg(feature = "finder")]
     pub fn notify_user_matcher(role: &SRole, user: &Cred, user_struct: &Value) -> UserMin {
         let api = API.lock().unwrap();
         for plugin in api.user_matcher_plugins.iter() {
@@ -179,6 +203,7 @@ impl PluginManager {
         UserMin::NoMatch
     }
 
+    #[cfg(feature = "finder")]
     pub fn notify_duty_separation(role: &SRole, actor: &Cred) -> PluginResult {
         let api = API.lock().unwrap();
         for plugin in api.duty_separation_plugins.iter() {
@@ -190,6 +215,7 @@ impl PluginManager {
         PluginResult::Neutral
     }
 
+    #[cfg(feature = "finder")]
     pub fn notify_task_separation(task: &STask, actor: &Cred) -> PluginResult {
         let api = API.lock().unwrap();
         for plugin in api.task_separation_plugins.iter() {
@@ -213,6 +239,7 @@ impl PluginManager {
         PluginResultAction::Ignore
     }
 
+    #[cfg(feature = "finder")]
     pub fn notify_privilege_checker(user: &Cred, exec: &mut ExecSettings) -> PluginResult {
         let api = API.lock().unwrap();
         for plugin in api.execution_checker_plugins.iter() {

rar-common/src/database/finder.rs

@@ -26,7 +26,7 @@ use crate::database::{
             SetBehavior,
         },
     };
-use crate::util::capabilities_are_exploitable;
+use crate::util::{final_path, capabilities_are_exploitable, parse_conf_command};
 use bitflags::bitflags;
 
 #[derive(Debug, PartialEq, Eq, Clone, Copy)]
@@ -307,33 +307,7 @@ pub trait CredMatcher {
     fn user_matches(&self, user: &Cred) -> UserMin;
 }
 
-pub fn parse_conf_command(command: &SCommand) -> Result<Vec<String>, Box<dyn Error>> {
-    match command {
-        SCommand::Simple(command) => Ok(shell_words::split(command)?),
-        SCommand::Complex(command) => {
-            if let Some(array) = command.as_array() {
-                let mut result = Vec::new();
-                if !array.iter().all(|item| {
-                    // if it is a string
-                    item.is_string() && {
-                        //add to result
-                        result.push(item.as_str().unwrap().to_string());
-                        true // continue
-                    }
-                }) {
-                    // if any of the items is not a string
-                    return Err("Invalid command".into());
-                }
-                Ok(result)
-            } else {
-                // call PluginManager
-                let res = PluginManager::notify_complex_command_parser(command);
-                debug!("Parsed command {:?}", res);
-                res
-            }
-        }
-    }
-}
+
 
 fn find_from_envpath(needle: &PathBuf) -> Option<PathBuf> {
     let env_path = std::env::var_os("PATH").unwrap();
@@ -346,22 +320,6 @@ fn find_from_envpath(needle: &PathBuf) -> Option<PathBuf> {
     None
 }
 
-pub fn final_path(path: &String) -> PathBuf {
-    let result;
-    if let Some(env_path) = find_from_envpath(&path.parse().expect("The path is not valid")) {
-        result = env_path
-    } else if let Ok(cannon_path) = std::fs::canonicalize(path) {
-        result = cannon_path;
-    } else {
-        result = path.parse().expect("The path is not valid");
-    }
-    result
-        .to_str()
-        .expect("The path is not valid")
-        .parse()
-        .expect("The path is not valid")
-}
-
 fn match_path(input_path: &String, role_path: &String) -> CmdMin {
     if role_path == "**" {
         return CmdMin::FullWildcardPath;

rar-common/src/database/mod.rs

@@ -19,6 +19,7 @@ use crate::{
 };
 use crate::{open_with_privileges, write_json_config};
 
+#[cfg(feature = "finder")]
 pub mod finder;
 pub mod migration;
 pub mod options;