sudo(-rs)/su • ⚡ Blazing fast • 🛡️ Memory-safe • 🔐 Security-orientedRootAsRole is a Linux/Unix privilege delegation tool based on Role-Based Access Control (RBAC). It empowers administrators to assign precise privileges — not full root — to users and commands.
📚 Full Documentation for more details
Most Linux systems break the Principle of Least Privilege. Tools like sudo give full root, even if you just need one capability like CAP_NET_RAW.
RootAsRole solves this:
- Grants only the required capabilities
- Uses roles and tasks to delegate rights securely
- Better than sudo, doas, setcap, or pam_cap, see Comparison table below
| Feature | setcap?? | doas | sudo | sudo-rs | dosr (RootAsRole) |
|---|---|---|---|---|---|
| Change user/groups | N/A | ✅ | ✅ | ✅ | ✅✅ mandatory or optional |
| Environment variables | N/A | partial | ✅ | partial | ✅ |
| Specific command matching | N/A | strict | strict & regex | strict & wildcard | strict & regex |
| Centralized policy | ❌ | ❌ | ✅ | ❌ | Planned |
| Secure signal forwarding | N/A | ❌ | ✅ | ✅ | Planned |
| Set capabilities | ⚠️ files | ❌ | ❌ | ❌ | ✅ |
| Prevent direct privilege escalation | ❌ | ❌ | ❌ | ❌ | ✅ |
| Untrust authorized users | ❌ | ❌ | ❌ | ❌ | ✅ |
| Standardized policy format | ❌ | ❌ | ❌ | ❌ | ✅ |
| Scalable access control model | N/A | ❌ ACL | ❌ ACL | ❌ ACL | ✅ RBAC |
We really need your help to bring the project to Linux distributions repositories! Please contribute 🙏!
git clone https://aur.archlinux.org/dosr.git
cd dosr
makepkg -si
you can also use yay AUR manager or any other one you like. Please vote for the AUR if you want it into pacman extra repo! All you need is an Arch AUR account and you could vote for the AUR 🙂
sh
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
(Do not forget to add the cargo bin directory to your PATH with . "$HOME/.cargo/env" command)sudo apt-get install git, RedHat : sudo yum install git, ArchLinux : sudo pacman -S gitsudo apt-get install clang, RedHat : sudo yum install clang, ArchLinux : sudo pacman -S clang[!WARNING] This installation process configures RaR with all privileges for the user who install the program. See what it does. 1.
git clone https://github.com/LeChatP/RootAsRole1.cd RootAsRole1.cargo xtask install -bip sudo
Execute privileged commands with a role-based access control system Usage: dosr [OPTIONS] [COMMAND]... Arguments: [COMMAND]... Command to execute Options: -r, --role <ROLE> Role to select -t, --task <TASK> Task to select (--role required) -u, --user <USER> User to execute the command as -g, --group <GROUP<,GROUP...>> Group(s) to execute the command as -E, --preserve-env Keep environment variables from the current process -p, --prompt <PROMPT> Prompt to display -K Remove timestamp file -i, --info Print the execution context of a command if allowed by a matching task -h, --help Print help (see more with '--help') -V, --version Print version
If you're accustomed to utilizing the sudo tool and find it difficult to break that habit, consider creating an alias :
alias sudo="dosr"
alias sr="dosr"
RootAsRole 3.1.0 introduced CBOR support, significantly boosting performance:
sudo when using a single rulesudo as more rules are added📝 sudo-rs matches sudo performance but crashes with >100 rules (won’t fix for now)
When using Ansible (or any automation tool), every task that uses become: true will invoke dosr on the target host.
With RootAsRole (RaR), each role and task introduces additional access control logic --- this doesn’t slow you down.
💡 Here’s the reality: You can reach the performance of 1 sudo rule with ~4000 RaR rules.
That means: - You can define thousands of fine-grained rules - You enforce better security (POLP) without degrading performance - The system stays fast, even at scale
Use the chsr command to:
* Define roles and tasks
* Assign them to users or groups
More information in the documentation
Use the capable command to: * Analyze specific command rights * Generate "credentials" task structure
Use gensr for Ansible to: * Auto-generate security policies for your playbooks * Detect supply chain attacks by reviewing the generated policy
This logo were generated using DALL-E 2 AI, for any license issue or plagiarism, please note that is not intentionnal and don't hesitate to contact us.
This project includes sudo-rs code licensed under the Apache-2 and MIT licenses: We have included cutils.rs, securemem.rs to make work the rpassword.rs file. Indeed, We thought that the password was well managed in this file and we have reused it. As sudo-rs does, rpassword.rs is from the rpassword project (License: Apache-2.0). We use it as a replacement of the rpassword project usage.
This project was initiated by IRIT and sponsored by both IRIT and Airbus PROTECT through an industrial PhD during 2022 and 2025.
$ claude mcp add RootAsRole \
-- python -m otcore.mcp_server <graph>