WIP

.github/workflows/build.yml

@@ -25,7 +25,7 @@ jobs:
         session requisite                   pam_permit.so
         session required                    pam_permit.so" | tee /etc/pam.d/sr'
     - name: Install RootAsRole
-      run: sudo cargo xtask install --debug
+      run: cargo xtask install -d -i -p sudo
     - name: Add read access on config on rootasrole... Because Github Actions...
       run: sudo chmod a+r /etc/security/rootasrole.json
     - name: print config

.github/workflows/pkg.yml

@@ -24,15 +24,9 @@ jobs:
           override: true
 
       - name: Install Dependencies
-        run: ./dependencies.sh -yd
-
-      - name: Configure
-        run: sudo ./configure.sh -yd
-
-      - name: Install cargo deb
-        run: cargo install cargo-deb
+        run: sudo cargo xtask dependencies -i -d
 
       - name: Build
-        run: cargo deb
+        run: cargo xtask deploy debian redhat
 
-      - name: Upload to GitHub 
+        

README.md

@@ -50,7 +50,7 @@
 
   1. `git clone <https://github.com/LeChatP/RootAsRole>`
   1. `cd RootAsRole`
-  1. `cargo xtask install -i`
+  1. `sudo cargo xtask install -i -b`
 
 ### Additional Installation Options
 

build.rs

@@ -166,10 +166,14 @@ fn main() {
                 if let Err(err) = set_cargo_version(package_version, "capable/capable/Cargo.toml") {
                     eprintln!("cargo:warning={}", err);
                 }
-                if let Err(err) = set_cargo_version(package_version, "capable/capable-ebpf/Cargo.toml") {
+                if let Err(err) =
+                    set_cargo_version(package_version, "capable/capable-ebpf/Cargo.toml")
+                {
                     eprintln!("cargo:warning={}", err);
                 }
-                if let Err(err) = set_cargo_version(package_version, "capable/capable-common/Cargo.toml") {
+                if let Err(err) =
+                    set_cargo_version(package_version, "capable/capable-common/Cargo.toml")
+                {
                     eprintln!("cargo:warning={}", err);
                 }
             }
@@ -179,9 +183,9 @@ fn main() {
             if let Err(err) = set_readme_version(package_version, "README.md") {
                 eprintln!("cargo:warning={}", err);
             }
-            if let Err(err) = set_pkgbuild_version(package_version, "PKGBUILD") {
-                eprintln!("cargo:warning={}", err);
-            }
+            //if let Err(err) = set_pkgbuild_version(package_version, "PKGBUILD") {
+            //eprintln!("cargo:warning={}", err);
+            //}
         }
         Err(err) => {
             eprintln!("cargo:warning={}", err);
@@ -194,6 +198,4 @@ fn main() {
     // }
 
     f.flush().unwrap();
-
-
 }

rar-common/src/api.rs

@@ -7,7 +7,7 @@ use strum::EnumIs;
 use tracing::debug;
 
 #[cfg(feature = "finder")]
-use crate::database::finder::{Cred, ExecSettings, TaskMatch, UserMin, FilterMatcher};
+use crate::database::finder::{Cred, ExecSettings, FilterMatcher, TaskMatch, UserMin};
 
 use crate::database::structs::{SActor, SConfig, SRole, STask};
 use once_cell::sync::Lazy;

rar-common/src/database/finder.rs

@@ -18,15 +18,17 @@ use pcre2::bytes::RegexBuilder;
 use strum::EnumIs;
 use tracing::{debug, warn};
 
-use crate::{api::{PluginManager, PluginResultAction}, as_borrow};
 use crate::database::{
-        options::{Opt, OptStack},
-        structs::{
-            SActor, SActorType, SCommand, SCommands, SConfig, SGroups, SRole, STask,
-            SetBehavior,
-        },
-    };
-use crate::util::{final_path, capabilities_are_exploitable, parse_conf_command};
+    options::{Opt, OptStack},
+    structs::{
+        SActor, SActorType, SCommand, SCommands, SConfig, SGroups, SRole, STask, SetBehavior,
+    },
+};
+use crate::util::{capabilities_are_exploitable, final_path, parse_conf_command};
+use crate::{
+    api::{PluginManager, PluginResultAction},
+    as_borrow,
+};
 use bitflags::bitflags;
 
 #[derive(Debug, PartialEq, Eq, Clone, Copy)]
@@ -307,8 +309,6 @@ pub trait CredMatcher {
     fn user_matches(&self, user: &Cred) -> UserMin;
 }
 
-
-
 fn find_from_envpath(needle: &PathBuf) -> Option<PathBuf> {
     let env_path = std::env::var_os("PATH").unwrap();
     for path in std::env::split_paths(&env_path) {

rar-common/src/database/mod.rs

@@ -11,13 +11,13 @@ use tracing::debug;
 
 use self::{migration::Migration, options::EnvKey, structs::SConfig, versionning::Versioning};
 
-use crate::SettingsFile;
 use crate::util::warn_if_mutable;
+use crate::SettingsFile;
+use crate::{open_with_privileges, write_json_config};
 use crate::{
+    util::{immutable_effective, parse_capset_iter},
     RemoteStorageSettings, ROOTASROLE,
-    util::{parse_capset_iter, immutable_effective},
 };
-use crate::{open_with_privileges, write_json_config};
 
 #[cfg(feature = "finder")]
 pub mod finder;

rar-common/src/database/options.rs

@@ -357,20 +357,21 @@ fn is_regex(_s: &str) -> bool {
 impl EnvKey {
     pub fn new(s: String) -> Result<Self, String> {
         //debug!("Creating env key: {}", s);
-        if is_valid_env_name(&s)
-        {
+        if is_valid_env_name(&s) {
             Ok(EnvKey {
                 env_type: EnvKeyType::Normal,
                 value: s,
             })
-        } else if is_regex(&s)
-        {
+        } else if is_regex(&s) {
             Ok(EnvKey {
                 env_type: EnvKeyType::Wildcarded,
                 value: s,
             })
         } else {
-            Err(format!("env key {}, must be a valid env, or a valid regex", s))
+            Err(format!(
+                "env key {}, must be a valid env, or a valid regex",
+                s
+            ))
         }
     }
 }
@@ -446,11 +447,7 @@ impl<T> EnvSet for HashMap<String, T> {
     fn env_matches(&self, wildcarded: &EnvKey) -> bool {
         match wildcarded.env_type {
             EnvKeyType::Normal => self.contains_key(&wildcarded.value),
-            EnvKeyType::Wildcarded => {
-                self.keys().any(|s| {
-                    check_wildcarded(wildcarded, s)
-                })
-            }
+            EnvKeyType::Wildcarded => self.keys().any(|s| check_wildcarded(wildcarded, s)),
         }
     }
 }
@@ -459,11 +456,7 @@ impl EnvSet for LinkedHashSet<EnvKey> {
     fn env_matches(&self, wildcarded: &EnvKey) -> bool {
         match wildcarded.env_type {
             EnvKeyType::Normal => self.contains(wildcarded),
-            EnvKeyType::Wildcarded => {
-                self.iter().any(|s| {
-                    check_wildcarded(wildcarded, &s.value)
-                })
-            }
+            EnvKeyType::Wildcarded => self.iter().any(|s| check_wildcarded(wildcarded, &s.value)),
         }
     }
 }

rar-common/src/database/versionning.rs

@@ -3,8 +3,8 @@ use serde::{Deserialize, Serialize};
 use std::fmt::Debug;
 
 use super::migration::Migration;
-use crate::SettingsFile;
 use crate::version;
+use crate::SettingsFile;
 
 use super::structs::*;
 

rar-common/src/lib.rs

@@ -57,17 +57,15 @@ use std::{cell::RefCell, error::Error, ffi::OsStr, path::PathBuf, rc::Rc};
 use serde::{Deserialize, Serialize};
 use tracing::debug;
 
-pub mod util;
-pub mod database;
 pub mod api;
-pub mod version;
+pub mod database;
 pub mod plugin;
+pub mod util;
+pub mod version;
 
-
-use util::{ 
-        dac_override_effective, open_with_privileges, read_effective,
-        toggle_lock_config, ImmutableLock,
-        write_json_config, 
+use util::{
+    dac_override_effective, open_with_privileges, read_effective, toggle_lock_config,
+    write_json_config, ImmutableLock,
 };
 
 use database::{

rar-common/src/plugin/hashchecker.rs

@@ -1,13 +1,14 @@
 use std::{fs::File, io::Read, os::fd::AsRawFd};
 
-use nix::unistd::{access, AccessFlags};
-use serde::{Deserialize, Serialize};
-use tracing::{debug, warn};
 use crate::{
     api::PluginManager,
     database::structs::SCommand,
-    open_with_privileges, util::{final_path, parse_conf_command},
+    open_with_privileges,
+    util::{final_path, parse_conf_command},
 };
+use nix::unistd::{access, AccessFlags};
+use serde::{Deserialize, Serialize};
+use tracing::{debug, warn};
 
 use libc::FS_IOC_GETFLAGS;
 use sha2::Digest;
@@ -124,7 +125,7 @@ mod tests {
     use nix::unistd::{Pid, User};
 
     use super::*;
-    
+
     use crate::finder::{Cred, TaskMatcher};
     use crate::{
         database::structs::{IdTask, SActor, SCommand, SCommands, SConfig, SRole, STask},

rar-common/src/plugin/ssd.rs

@@ -5,8 +5,8 @@ use nix::unistd::{getgrouplist, Group, User};
 use serde_json::Error;
 
 use crate::{
-    as_borrow,
     api::{PluginManager, PluginResult},
+    as_borrow,
     database::{
         finder::Cred,
         structs::{SActor, SConfig, SGroups, SRole},

rar-common/src/util.rs

@@ -1,8 +1,14 @@
 use std::{
-    env, error::Error, ffi::CString, fs::File, io, os::{
+    env,
+    error::Error,
+    ffi::CString,
+    fs::File,
+    io,
+    os::{
         fd::AsRawFd,
         unix::fs::{MetadataExt, PermissionsExt},
-    }, path::{Path, PathBuf}
+    },
+    path::{Path, PathBuf},
 };
 
 use capctl::{prctl, CapState};
@@ -75,12 +81,10 @@ fn immutable_required_privileges(file: &File, effective: bool) -> Result<(), cap
 fn read_or_dac_override(effective: bool) -> Result<(), capctl::Error> {
     Ok(match effective {
         false => {
-            read_effective(false)
-                .and(dac_override_effective(false))?;
+            read_effective(false).and(dac_override_effective(false))?;
         }
         true => {
-            read_effective(true)
-                .or(dac_override_effective(true))?;
+            read_effective(true).or(dac_override_effective(true))?;
         }
     })
 }
@@ -89,7 +93,7 @@ fn read_or_dac_override(effective: bool) -> Result<(), capctl::Error> {
 /// # Arguments
 /// * `file` - The file to set the immutable flag on
 /// * `lock` - Whether to set or unset the immutable flag
-pub fn toggle_lock_config<P:AsRef<Path>>(file: &P, lock: ImmutableLock) -> io::Result<()> {
+pub fn toggle_lock_config<P: AsRef<Path>>(file: &P, lock: ImmutableLock) -> io::Result<()> {
     let file = open_with_privileges(file)?;
     let mut val = 0;
     let fd = file.as_raw_fd();

resources/rootasrole.json

@@ -70,6 +70,10 @@
                 {
                     "type": "user",
                     "name": "ROOTADMINISTRATOR"
+                },
+                {
+                    "type": "user",
+                    "name": "root"
                 }
             ],
             "tasks": [

src/chsr/cli/data.rs

@@ -4,14 +4,14 @@ use capctl::CapSet;
 use chrono::Duration;
 use linked_hash_set::LinkedHashSet;
 
+use pest_derive::Parser;
 use rar_common::database::{
     options::{
         EnvBehavior, EnvKey, OptType, PathBehavior, SAuthentication, SBounding, SPrivileged,
         TimestampType,
     },
     structs::{IdTask, SActor, SActorType, SGroups, SetBehavior},
 };
-use pest_derive::Parser;
 
 #[derive(Parser)]
 #[grammar = "chsr/cli/cli.pest"]

src/chsr/cli/mod.rs

@@ -13,8 +13,8 @@ use process::process_input;
 use tracing::debug;
 use usage::print_usage;
 
-use rar_common::Storage;
 use crate::util::escape_parser_string_vec;
+use rar_common::Storage;
 
 pub fn main<I, S>(storage: &Storage, args: I) -> Result<bool, Box<dyn Error>>
 where
@@ -42,7 +42,15 @@ mod tests {
     use std::{io::Write, rc::Rc};
 
     use rar_common::{
-        database::{options::*, read_json_config, structs::{SCredentials, *}, versionning::Versioning}, get_settings, rc_refcell, util::remove_with_privileges, RemoteStorageSettings, SettingsFile, Storage, StorageMethod, ROOTASROLE
+        database::{
+            options::*,
+            read_json_config,
+            structs::{SCredentials, *},
+            versionning::Versioning,
+        },
+        get_settings, rc_refcell,
+        util::remove_with_privileges,
+        RemoteStorageSettings, SettingsFile, Storage, StorageMethod, ROOTASROLE,
     };
 
     use super::*;
@@ -254,9 +262,8 @@ mod tests {
     #[test]
     fn test_r_complete_show_actors() {
         setup("r_complete_show_actors");
-        let settings =
-            get_settings(&format!("{}.{}", ROOTASROLE, "r_complete_show_actors"))
-                .expect("Failed to get settings");
+        let settings = get_settings(&format!("{}.{}", ROOTASROLE, "r_complete_show_actors"))
+            .expect("Failed to get settings");
         let config = read_json_config(settings.clone()).expect("Failed to read json");
         assert!(main(
             &Storage::JSON(config.clone()),

src/chsr/cli/pair.rs

@@ -9,8 +9,7 @@ use tracing::{debug, warn};
 use crate::cli::data::{RoleType, TaskType};
 use rar_common::database::{
     options::{
-        EnvBehavior, OptType, PathBehavior, SAuthentication, SBounding, SPrivileged,
-        TimestampType,
+        EnvBehavior, OptType, PathBehavior, SAuthentication, SBounding, SPrivileged, TimestampType,
     },
     structs::{IdTask, SActor, SActorType, SGroups, SetBehavior},
 };

src/chsr/cli/process.rs

@@ -7,11 +7,11 @@ use json::*;
 use tracing::debug;
 
 use rar_common::{
-    Storage,
     database::{
         options::{Opt, OptType},
         structs::IdTask,
     },
+    Storage,
 };
 
 use super::{