Skip to content

3.0.0-alpha.1

Compare
Choose a tag to compare
@LeChatP LeChatP released this 18 Jun 10:30
· 477 commits to main since this release
73ab789

This new version implementation is entirely different from previous ones. Many design decisions were taken. SamerW passed the project lead to LeChatP for availability reasons. But SamerW and Romain Laborde are still following the project ideas.

What's Changed

  • sr implementation to a more secure one
    • We simplified the manipulation of capabilities sets and reduced the attack-vector surface
    • We implemented partial order comparison on the entire configuration, resolving most conflicts between roles.
    • We manage the entire credential manipulation
      • variables environment are allowed, filtered, or removed by default.
      • setUID managed
      • multiple setGID managed
      • capabilities bounded by default
    • The role selection complies with partial order comparison to select the proper role according to user input.
    • We allow fine-grained settings that could be applied to the entire file, role or task configuration.
  • capable is functional for multiple distributions: Ubuntu, Debian, Archlinux
  • role-manager is under development to an evolutive Rust implementation
  • New AI-generated logo
  • Implemented Unit Tests for C with Criterion;
  • We added quality code and test code coverage indicators.
  • We encourage security experts to find security issues, so we added the SECURITY.md security policy.

Full Changelog: V2.3.1...V3.0.0-alpha.1

Next Steps

First, We wanted to add tests to our program and improve code quality. Documentation will be available soon. Since it's only an alpha version, many things are missing from our new perspectives :

  • Role hierarchy (tasks inheritance)
  • Configuration permissions (limit the scope of configurators)
  • SELinux features
  • Layered capability bounding (Task, Role, or Entire configuration)
  • Capabilities Semi-Autoconfiguration (use capable tool to configure tasks)
  • Roles canvas (default configuration adapted to IT jobs, with emergency cases to secure the default usage)
  • Make the project binaries available on package manager repos
  • Import sudo configuration into our tool

With these changes, RootAsRole is meant to be a production-ready project.