Open berkus opened 3 hours ago
Hey, thanks for the request and for showing interest in the tool! I can definitely add this crate to crates.io (and I think I will).
However, you won’t be able to install RootAsRole with cargo install
or even cargo binstall
in the way you might expect. The main reason is that installing it requires administrative privileges. While you can technically run cargo install
as root
. It will compile the program as root with all privileges; and that is quite ""insecure"" since you don’t need root permissions just to compile something. And if you do install it as root, the binary will end up in /root/.cargo
folder, which means only the root user can access it.
Also, RootAsRole depends on a config file located at /etc/security/rootasrole.json
, and that file needs to be deployed with certain verifications to lock it with the IMMUTABLE bit for security reasons (which requires again a specific privilege). So, the install process is a bit more involved than a typical Rust crate. That's why installing RaR with cargo install
may mislead and be inconsistent.
For now, I've written the installation program entirely in Rust through an xtask sub-project which handles all the subtleties of the installation, as well as respecting the principle of least privilege by itself.
Let me know if you have more questions or if you have a good solution to this! Cheers, Eddie
Since it is an xtask already, can it be set up to require sudo/elevated privileges only for the installation bit itself?
e.g. cargo install runs as normal user building a binary, but the post-build xtask will ask for elevation and then MOVE the binary and the corresponding config file to the right places?
I want to be able to install this with just
cargo binstall rootasrole
.