RootAsRole — A better alternative to sudo(-rs)/su • ⚡ Blazing fast • 🛡️ Memory-safe • 🔐 Security-oriented

RootAsRole is a Linux/Unix privilege delegation tool based on Role-Based Access Control (RBAC). It empowers administrators to assign precise privileges — not full root — to users and commands.

📚 Full Documentation for more details

🚀 Why you need RootAsRole?

Most Linux systems break the Principle of Least Privilege. Tools like sudo give full root, even if you just need one capability like CAP_NET_RAW.

RootAsRole solves this:

• Grants only the required capabilities
• Uses roles and tasks to delegate rights securely
• Better than sudo, doas, setcap, or pam_cap, see Comparison table below

⚙️ Features

• A structured access control model based on Roles
  • Role hierarchy
  • Static/Dynamic Separation of Duties
• Linux Capabilities support
• Highly configurable
• Command matching with glob for binary path and PCRE2 for command arguments
• 🛠️ Configuration Helpers:
  • capable: Analyze command rights
  • gensr: Generate policy from Ansible playbooks

📊 Why It’s Better Than Others

📥 Installation

Install from Linux distributions

We really need your help to bring the project to Linux distributions repositories! Please contribute 🙏!

Arch Linux (AUR)

git clone https://aur.archlinux.org/dosr.git
cd dosr
makepkg -si

you can also use yay AUR manager or any other one you like. Please vote for the AUR if you want it into pacman extra repo! All you need is an Arch AUR account and you could vote for the AUR 🙂

🔧 From Source

Prerequisites

• Rust >= 1.83.0
  • You can install Rust by running the following command:

    curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
    

    (Do not forget to add the cargo bin directory to your PATH with . "$HOME/.cargo/env" command)
• git
  • You can install git by running the following commands depending on your distribution: Ubuntu : sudo apt-get install git, RedHat : sudo yum install git, ArchLinux : sudo pacman -S git
• clang (or gcc, but clang is highly recommended)

  • You can install clang by running the following commands depending on your distribution: Ubuntu : sudo apt-get install clang, RedHat : sudo yum install clang, ArchLinux : sudo pacman -S clang

Install Steps

[!WARNING] This installation process configures RaR with all privileges for the user who install the program. See what it does.

1. git clone https://github.com/LeChatP/RootAsRole
2. cd RootAsRole
3. cargo xtask install -bip sudo

🧰 Usage

Execute privileged commands with a role-based access control system

Usage: dosr [OPTIONS] [COMMAND]...

Arguments:
  [COMMAND]...  Command to execute

Options:
  -r, --role <ROLE>  Role to select
  -t, --task <TASK>  Task to select (--role required)
  -u, --user <USER>  User to execute the command as
  -g, --group <GROUP<,GROUP...>> Group(s) to execute the command as
  -E, --preserve-env          Keep environment variables from the current process
  -p, --prompt <PROMPT> Prompt to display
  -K                 Remove timestamp file
  -i, --info         Print the execution context of a command if allowed by a matching task
  -h, --help         Print help (see more with '--help')
  -V, --version      Print version

If you're accustomed to utilizing the sudo tool and find it difficult to break that habit, consider creating an alias :

alias sudo="dosr"
alias sr="dosr"

🏎️ Performance

RootAsRole 3.1.0 introduced CBOR support, significantly boosting performance:

• ⚡ 77% faster than sudo when using a single rule
• 📈 Scales 40% better than sudo as more rules are added

📝 sudo-rs matches sudo performance but crashes with >100 rules (won’t fix for now)

Why Performance Matters

When using Ansible (or any automation tool), every task that uses become: true will invoke dosr on the target host. With RootAsRole (RaR), each role and task introduces additional access control logic --- this doesn’t slow you down.

💡 Here’s the reality: You can reach the performance of 1 sudo rule with ~4000 RaR rules.

That means:

• You can define thousands of fine-grained rules
• You enforce better security (POLP) without degrading performance
• The system stays fast, even at scale

🧱 Configuration

Use the chsr command to:

• Define roles and tasks
• Assign them to users or groups

More information in the documentation

Use the capable command to:

• Analyze specific command rights
• Generate "credentials" task structure

Use gensr for Ansible to:

• Auto-generate security policies for your playbooks
• Detect supply chain attacks by reviewing the generated policy

✅ Compatibility

• Linux kernel >= 4.3

👥 Contributors

• Eddie Billoir : eddie.billoir@gmail.com
• Ahmad Samer Wazan : ahmad.wazan@zu.ac.ae
• Romain Laborde : laborde@irit.fr
• Rémi Venant: remi.venant@gmail.com
• Guillaume Daumas : guillaume.daumas@univ-tlse3.fr

🖼️ Logo

This logo were generated using DALL-E 2 AI, for any license issue or plagiarism, please note that is not intentionnal and don't hesitate to contact us.

📜 Licence notice

This project includes sudo-rs code licensed under the Apache-2 and MIT licenses: We have included cutils.rs, securemem.rs to make work the rpassword.rs file. Indeed, We thought that the password was well managed in this file and we have reused it. As sudo-rs does, rpassword.rs is from the rpassword project (License: Apache-2.0). We use it as a replacement of the rpassword project usage.

🧪 Sponsored research

This project was initiated by IRIT and sponsored by both IRIT and Airbus PROTECT through an industrial PhD during 2022 and 2025.

Link to References