RootAsRole (V3.2.1): A better alternative to sudo(-rs)/su • ⚡ Blazing fast • 🛡️ Memory-safe • Security-oriented
RootAsRole is a Linux/Unix privilege delegation tool based on Role-Based Access Control (RBAC). It empowers administrators to assign precise privileges (not full root) to users and commands.
Full Documentation for more details
Why you need RootAsRole?
Most Linux systems break the Principle of Least Privilege. Tools like sudo give full root, even if you just need one capability like CAP_NET_RAW.
RootAsRole solves this:
- Grants only the required capabilities
- Uses roles and tasks to delegate rights securely
- Better than sudo, doas, setcap, or pam_cap; see the comparison table below
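
To make the gap described above measurable, this added example (not code from RootAsRole or its authors) decodes the CapEff mask from the text of a /proc/<pid>/status file and lists every capability held beyond the one a task needs. The two status excerpts are constructed for illustration; the capability names follow the Linux kernel's bit numbering.

```rust
// Added example, not RootAsRole code: audit the effective capabilities of a process.
const CAPS: [&str; 41] = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK",
    "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE", "CAP_SYS_RESOURCE",
    "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE", "CAP_AUDIT_WRITE",
    "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG",
    "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
];

/// Extract the effective capability mask from the text of a /proc/<pid>/status file.
fn cap_eff(status: &str) -> Option<u64> {
    status.lines()
        .find_map(|l| l.strip_prefix("CapEff:"))
        .and_then(|hex| u64::from_str_radix(hex.trim(), 16).ok())
}

/// Names of the capabilities set in `mask`; bits beyond the table are reported by number.
fn decode(mask: u64) -> Vec<String> {
    (0..64u32).filter(|b| (mask & (1u64 << *b)) != 0)
        .map(|b| CAPS.get(b as usize).map_or(format!("CAP_{b}"), |n| n.to_string()))
        .collect()
}

/// Capabilities held beyond what the task needs (the least-privilege gap).
fn excess(mask: u64, needed: &[&str]) -> Vec<String> {
    decode(mask).into_iter().filter(|c| !needed.contains(&c.as_str())).collect()
}

fn main() {
    // Constructed excerpts: the same command run as full root vs. with CAP_NET_RAW only.
    let root = "Name:\tping\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n";
    let scoped = "Name:\tping\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000002000\n";
    for (label, status) in [("full root", root), ("delegated", scoped)] {
        let mask = cap_eff(status).expect("CapEff line missing");
        println!("{label}: {} held, {} beyond CAP_NET_RAW",
                 decode(mask).len(), excess(mask, &["CAP_NET_RAW"]).len());
    }
    // On a live Linux host, the same functions work on the real file.
    if let Ok(me) = std::fs::read_to_string("/proc/self/status") {
        println!("this process: {:?}", cap_eff(&me).map(decode));
    }
}
```
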
⚙️ Features
- A structured access control model based on Roles
- Linux Capabilities support
- Highly configurable
- Command matching with glob for binary path and PCRE2 for command arguments
- 🛠️ Configuration Helpers:
Why It's Better Than Others
| Feature | setcap?? | doas | sudo | sudo-rs | dosr (RootAsRole) |
|---|---|---|---|---|---|
| Change user/groups | N/A | β | β | β | β β mandatory or optional |
| Environment variables | N/A | partial | β | partial | β |
| Specific command matching | N/A | strict | strict & regex | strict & wildcard | strict & regex |
| Centralized policy | β | β | β | β | Planned |
| Secure signal forwarding | N/A | β | β | β | Planned |
| Set capabilities | ⚠️ files | β | β | β | β |
| Prevent direct privilege escalation | β | β | β | β | β |
| Untrust authorized users | β | β | β | β | β |
| Standardized policy format | β | β | β | β | β |
| Scalable access control model | N/A | β ACL | β ACL | β ACL | β RBAC |
📥 Installation
🔧 From Source
Prerequisites
- Rust >= 1.76.0
  - You can install Rust by running the following command:
    (Do not forget to add the cargo bin directory to your PATH with the `. "$HOME/.cargo/env"` command)
- git
  - You can install git by running the following commands depending on your distribution:
    Ubuntu: `sudo apt-get install git`, RedHat: `sudo yum install git`, ArchLinux: `sudo pacman -S git`
- clang (or gcc, but clang is highly recommended)
  - You can install clang by running the following commands depending on your distribution:
    Ubuntu: `sudo apt-get install clang`, RedHat: `sudo yum install clang`, ArchLinux: `sudo pacman -S clang`
Install Steps
[!WARNING] This installation process configures RaR with all privileges for the user who installs the program. See what it does.
```sh
git clone https://github.com/LeChatP/RootAsRole
cd RootAsRole
cargo xtask install -bip sudo
```
Install from Linux distributions
We really need your help to bring the project to Linux distribution repositories! Please contribute!
🧰 Usage
If you're accustomed to utilizing the sudo tool and find it difficult to break that habit, consider creating an alias:
🏎️ Performance
RootAsRole 3.1.0 introduced CBOR support, significantly boosting performance:
- ⚡ 77% faster than sudo when using a single rule
- Scales 40% better than sudo as more rules are added
sudo-rs matches sudo performance but crashes with >100 rules (won't fix for now)
Why Performance Matters
When using Ansible (or any automation tool), every task that uses become: true will invoke dosr on the target host.
With RootAsRole (RaR), each role and task introduces additional access control logic; this doesn't slow you down.
💡 Here's the reality: You can reach the performance of 1 sudo rule with ~4000 RaR rules.
That means:
- You can define thousands of fine-grained rules
- You enforce better security (POLP) without degrading performance
- The system stays fast, even at scale
🧱 Configuration
Use the chsr command to:
- Define roles and tasks
- Assign them to users or groups
More information in the documentation
Use the capable command to:
- Analyze specific command rights
- Generate "credentials" task structure
Use gensr for Ansible to:
- Auto-generate security policies for your playbooks
- Detect supply chain attacks by reviewing the generated policy
Compatibility
- Linux kernel >= 4.3
👥 Contributors
- Eddie Billoir : eddie.billoir@gmail.com
- Ahmad Samer Wazan : ahmad.wazan@zu.ac.ae
- Romain Laborde : laborde@irit.fr
- Rémi Venant : remi.venant@gmail.com
- Guillaume Daumas : guillaume.daumas@univ-tlse3.fr
🖼️ Logo
This logo was generated using DALL-E 2 AI. For any license issue or plagiarism, please note that it is not intentional, and don't hesitate to contact us.
Licence notice
This project includes sudo-rs code licensed under the Apache-2 and MIT licenses. We have included cutils.rs and securemem.rs to make the rpassword.rs file work. We thought that the password was well managed in this file, so we have reused it. As in sudo-rs, rpassword.rs is from the rpassword project (License: Apache-2.0). We use it as a replacement for the rpassword project usage.
🧪 Sponsored research
This project was initiated by IRIT and sponsored by both IRIT and Airbus PROTECT through an industrial PhD during 2022 and 2025.
