Overview
This is a simple tool that allows non-root users to run commands as root in a controlled way.
Traditional tools that serve this purpose, like sudo or doas, rely on using the SUID bit to elevate privileges, which is suboptimal for a number of reasons.
A SUID binary starts out with everything the unprivileged caller hands it: environment variables, open file descriptors, working directory, umask, resource limits and signal dispositions, all of which must be painstakingly sanitized to avoid a never-ending stream of security pitfalls.
This goes double for a process whose purpose is to execute arbitrary commands.
In contrast, systemd's run0 avoids SUID entirely: the client asks the service manager, which already runs as root, to start the command as a transient service after polkit authorization, so the process starts from a clean, consistent environment rather than the caller's.
This project takes the same approach but reuses the SSH daemon that is already running on many systems.
A setup script creates a dedicated SSH key pair, which can optionally be protected by a passphrase.
The public key is added to the root account's authorized_keys, restricted so that it is accepted only for connections from localhost.
A second script forms a convenience wrapper for the SSH client.
It selects the generated key and sets up some expected properties, such as the working directory.
The script also implements some sudo and doas options on a best-effort basis if symlinked to the corresponding names.
Dependencies
- This obviously requires an SSH server to be installed and configured. openssh is recommended. Dropbear does not work, as it does not implement the needed from="..." ssh key restriction.
- The scripts need bash.
- The sudo -u / doas -u functionality relies on the su-exec helper.
Installation
Put root and setup-root into your PATH.
Configure sshd (in sshd_config; reload sshd afterwards) to allow root logins with a public key but never with a password:
PermitRootLogin prohibit-password
PubkeyAuthentication yes
Optionally symlink root to sudo and/or doas to make use of the corresponding adapter functionality.
Configuration
For any user that should be allowed to run root commands, run setup-root <user> as root.
Enter a passphrase at the prompt if desired; otherwise press Enter twice to create an unprotected key.
If passphrase caching is desired, configure ssh-agent for your user.
Set it up so that every launched terminal starts its own ssh-agent instance; with a single shared agent, authenticating in one terminal gives every other terminal passwordless root access.
The root script detects the running agent and adds the key to it with a 15-minute lifetime.
Unlike with sudo / doas, further invocations do not extend this period; once it lapses, the next invocation prompts for the passphrase again.
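The mechanism from the Overview and Configuration sections, condensed into one script as an added illustration. This is not the project's setup-root or root script; it assumes the key is stored at a path passed in as the first argument, that root's login shell is bash, and that the authorized_keys entry carries only the from="..." restriction. The setup steps that need root are shown as comments, the wrapper logic is real code.

```bash
#!/usr/bin/env bash
# Added illustration, not the project's own scripts.  Assumptions: key path
# is an argument, root's shell is bash, only from="..." restricts the key.
set -e

# ---- setup side: what setup-root <user> has to produce (run as root) ----

# authorized_keys entry for root that accepts the key only for connections
# arriving over loopback.  from= is matched against the client address, so a
# copy of the key on another host is useless (OpenSSH only; Dropbear has no
# from= support).
localhost_authorized_line() {
  local pubkey=$1
  printf 'from="127.0.0.1,::1" %s\n' "$pubkey"
}

# Conceptual setup steps, as comments because they need root and touch real
# files ($KEY and $user are placeholders):
#   ssh-keygen -t ed25519 -f "$KEY" -C "root-for-$user"   # prompts for passphrase
#   localhost_authorized_line "$(cat "$KEY.pub")" >> /root/.ssh/authorized_keys
#   chown "$user" "$KEY" "$KEY.pub"; chmod 600 "$KEY"

# ---- wrapper side: what `root [command...]` does ----

# Command line handed to sshd.  sshd runs it through root's login shell, so
# every word is re-quoted with printf %q; otherwise an argument containing a
# space or shell metacharacter would be split or interpreted as root.
remote_command() {
  local cwd=$1; shift
  local cmd
  if [ "$#" -eq 0 ]; then
    cmd='exec bash -l'                  # no command: interactive root shell
  else
    cmd="exec $(printf '%q ' "$@")"
    cmd=${cmd% }                        # strip the trailing space
  fi
  printf 'cd -- %q && %s' "$cwd" "$cmd"
}

# Load the key into a running agent for 15 minutes unless it is already
# there.  Later invocations find it loaded and do not call ssh-add again, so
# the window is not extended by use (unlike sudo's timestamp).
prime_agent() {
  local key=$1 fp
  [ -n "${SSH_AUTH_SOCK:-}" ] || return 0
  fp=$(ssh-keygen -lf "$key.pub" | awk '{print $2}')
  ssh-add -l 2>/dev/null | grep -qF -- "$fp" || ssh-add -t 900 "$key" || true
}

# -t: force a pty so interactive programs (editors, pagers) work.
# -i plus IdentitiesOnly=yes: offer exactly this key, not every key the
# agent holds.  The remote side is root on the same machine.
run_as_root() {
  local key=$1; shift
  prime_agent "$key"
  exec ssh -t -i "$key" -o IdentitiesOnly=yes root@localhost \
    "$(remote_command "$PWD" "$@")"
}

# Per-terminal agent for passphrase caching (goes in ~/.bashrc):
#   eval "$(ssh-agent -s)" >/dev/null; trap 'ssh-agent -k >/dev/null' EXIT
# A single user-wide agent would let one authenticated terminal grant
# passwordless root to every other terminal.

# Demo on constructed input; nothing is executed remotely.
localhost_authorized_line 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEY root-for-alice'
remote_command '/home/alice/my project' apt-get install -y 'libfoo;dev'
echo
# Typical entry point for the wrapper: run_as_root "$HOME/.ssh/root-login" "$@"
```

Two practical notes: the first invocation prompts to accept the host key of localhost unless it is already in known_hosts, and the from= list is matched against the client's address, so it does not stop a process that already runs on the machine, only key material that has leaked elsewhere.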
Usage
Run root to open a root shell.
Run root <command> to run the given command as root.
If configured, use sudo and doas as usual.
Expect some sudo and doas options to be unimplemented; the adapters are best-effort only.