privesc 1.2.0

Small utility library for multi-platform privilege escalation
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253

mod error;

#[cfg(target_os = "macos")]
mod privesc_darwin;
#[cfg(target_os = "linux")]
mod privesc_linux;
#[cfg(windows)]
mod privesc_windows;

use std::{path::PathBuf, process::ExitStatus};

pub use crate::error::{PrivescError, Result};

#[cfg(target_os = "macos")]
use privesc_darwin::PrivilegedChildInner;
#[cfg(target_os = "linux")]
use privesc_linux::PrivilegedChildInner;
#[cfg(windows)]
use privesc_windows::PrivilegedChildInner;

/// Handle to a spawned privileged process.
///
/// This struct wraps the underlying platform-specific process handle and provides
/// methods to wait for completion and retrieve the output.
///
/// # Platform Behavior
/// - **macOS/Linux**: Wraps a `std::process::Child`.
/// - **Windows**: Wraps a Windows process `HANDLE`.
pub struct PrivilegedChild {
    inner: PrivilegedChildInner,
}

impl PrivilegedChild {
    /// Waits for the process to exit and returns the output.
    ///
    /// This method consumes the `PrivilegedChild` and blocks until the process
    /// has finished executing.
    ///
    /// # Note
    /// On Windows, stdout and stderr are always `None` as `ShellExecuteExW`
    /// does not support output redirection.
    pub fn wait(self) -> Result<PrivilegedOutput> {
        self.inner.wait()
    }

    /// Attempts to collect the exit status of the child if it has already exited.
    ///
    /// This method will not block. Returns `Ok(None)` if the process has not
    /// yet exited.
    ///
    /// Note: Unlike [`wait`](Self::wait), this method cannot return stdout/stderr
    /// because the process may still be running. To get output, use [`wait`](Self::wait).
    pub fn try_wait(&mut self) -> Result<Option<ExitStatus>> {
        self.inner.try_wait()
    }

    /// Returns the OS-assigned process identifier of the child process, if available.
    ///
    /// # Platform Behavior
    /// - **macOS/Linux**: Returns `Some(pid)`.
    /// - **Windows**: Returns `None` (ShellExecuteExW doesn't provide the process ID).
    pub fn id(&self) -> Option<u32> {
        self.inner.id()
    }
}

/// Output from a privileged command execution.
///
/// Unlike `std::process::Output`, this struct uses `Option` for stdout/stderr
/// to accurately represent platforms where output capture is not possible
/// (e.g., Windows UAC elevation via `ShellExecuteExW`).
#[derive(Debug, Clone)]
pub struct PrivilegedOutput {
    /// The exit status of the process.
    pub status: ExitStatus,
    /// The captured stdout, if available.
    ///
    /// This is `None` on Windows, where `ShellExecuteExW` does not support
    /// output redirection.
    pub stdout: Option<Vec<u8>>,
    /// The captured stderr, if available.
    ///
    /// This is `None` on Windows, where `ShellExecuteExW` does not support
    /// output redirection.
    pub stderr: Option<Vec<u8>>,
}

impl PrivilegedOutput {
    /// Returns true if the process exited successfully.
    pub fn success(&self) -> bool {
        self.status.success()
    }

    /// Returns stdout as a UTF-8 string, if available and valid.
    pub fn stdout_str(&self) -> Option<&str> {
        self.stdout
            .as_ref()
            .and_then(|b| std::str::from_utf8(b).ok())
    }

    /// Returns stderr as a UTF-8 string, if available and valid.
    pub fn stderr_str(&self) -> Option<&str> {
        self.stderr
            .as_ref()
            .and_then(|b| std::str::from_utf8(b).ok())
    }
}

/// Builder for executing a program with elevated privileges.
///
/// # Example
///
/// ```no_run
/// use privesc::PrivilegedCommand;
///
/// let output = PrivilegedCommand::new("/usr/bin/cat")
///     .arg("/etc/shadow")
///     .run()?;
/// # Ok::<(), privesc::PrivescError>(())
/// ```
///
/// # Platform Behavior
/// - **macOS**: Uses `osascript` with AppleScript for GUI, `sudo` for CLI.
/// - **Linux**: Uses `pkexec` for GUI, `sudo` for CLI.
/// - **Windows**: Uses `ShellExecuteExW` with "runas" verb (UAC). Output capture
///   is not available.
#[derive(Debug, Clone)]
pub struct PrivilegedCommand {
    program: PathBuf,
    args: Vec<String>,
    gui: bool,
    prompt: Option<String>,
}

impl PrivilegedCommand {
    /// Creates a new `Command` for the given program.
    ///
    /// # Arguments
    /// * `program` - The path to the program to execute with elevated privileges.
    pub fn new(program: impl Into<PathBuf>) -> Self {
        Self {
            program: program.into(),
            args: Vec::new(),
            gui: false,
            prompt: None,
        }
    }

    /// Adds a single argument to pass to the program.
    pub fn arg(mut self, arg: impl Into<String>) -> Self {
        self.args.push(arg.into());
        self
    }

    /// Adds multiple arguments to pass to the program.
    pub fn args<I, S>(mut self, args: I) -> Self
    where
        I: IntoIterator<Item = S>,
        S: Into<String>,
    {
        self.args.extend(args.into_iter().map(Into::into));
        self
    }

    /// Sets whether to use a GUI prompt for authentication.
    ///
    /// - `true`: Use GUI prompt (AppleScript on macOS, pkexec on Linux, UAC on Windows)
    /// - `false`: Use terminal-based sudo (default)
    ///
    /// On Windows, this parameter is ignored as only UAC elevation is available.
    pub fn gui(mut self, gui: bool) -> Self {
        self.gui = gui;
        self
    }

    /// Sets a custom prompt message for authentication.
    ///
    /// On Windows, this is ignored as UAC displays its own prompt.
    /// On Linux with GUI mode, this is ignored due to pkexec limitations.
    pub fn prompt(mut self, prompt: impl Into<String>) -> Self {
        self.prompt = Some(prompt.into());
        self
    }

    /// Executes the command with elevated privileges.
    ///
    /// # Returns
    /// A `PrivilegedOutput` containing the exit status and optionally captured
    /// stdout/stderr. Note that stdout/stderr are `None` on Windows.
    pub fn run(&self) -> Result<PrivilegedOutput> {
        if !self.program.is_absolute() {
            return Err(PrivescError::InvalidProgramPath(self.program.clone()));
        }

        let args: Vec<&str> = self.args.iter().map(String::as_str).collect();
        let prompt = self.prompt.as_deref();

        #[cfg(target_os = "macos")]
        {
            privesc_darwin::run(&self.program, &args, self.gui, prompt)
        }
        #[cfg(windows)]
        {
            privesc_windows::run(&self.program, &args, self.gui, prompt)
        }
        #[cfg(target_os = "linux")]
        {
            privesc_linux::run(&self.program, &args, self.gui, prompt)
        }
    }

    /// Spawns the command with elevated privileges, returning a handle to the process.
    ///
    /// Unlike [`run`](Self::run), this method returns immediately after spawning,
    /// allowing you to perform other work while the privileged process runs.
    ///
    /// # Returns
    /// A `PrivilegedChild` handle that can be used to wait for the process to finish.
    ///
    /// # Platform Behavior
    /// - **macOS/Linux**: Returns a handle wrapping the underlying process.
    /// - **Windows**: Returns a handle wrapping the Windows process `HANDLE`.
    ///
    /// # Example
    /// ```no_run
    /// use privesc::PrivilegedCommand;
    ///
    /// let child = PrivilegedCommand::new("/usr/bin/long-running-task")
    ///     .spawn()?;
    ///
    /// // Do other work...
    ///
    /// let output = child.wait()?;
    /// # Ok::<(), privesc::PrivescError>(())
    /// ```
    pub fn spawn(&self) -> Result<PrivilegedChild> {
        if !self.program.is_absolute() {
            return Err(PrivescError::InvalidProgramPath(self.program.clone()));
        }

        let args: Vec<&str> = self.args.iter().map(String::as_str).collect();
        let prompt = self.prompt.as_deref();

        #[cfg(target_os = "macos")]
        let inner = privesc_darwin::spawn(&self.program, &args, self.gui, prompt)?;
        #[cfg(windows)]
        let inner = privesc_windows::spawn(&self.program, &args, self.gui, prompt)?;
        #[cfg(target_os = "linux")]
        let inner = privesc_linux::spawn(&self.program, &args, self.gui, prompt)?;

        Ok(PrivilegedChild { inner })
    }
}