Chsr tool documentation
Chsr is a command-line tool for configuring roles, permissions and execution options. For details of how the configuration file works, see the file configuration section.
Usage
Usage: chsr [command] [options]
Commands:
-h, --help Show help for commands and options.
list, show, l List available items; use with specific commands for detailed views.
role, r Manage roles and related operations.
options, o Manage global options.
convert, c Convert policy file format (json, cbor).
editor, e Open the configuration file with vim.
Role Operations:
chsr role [role_name] [operation] [options]
add, create Add a new role.
del, delete, unset, d, rm Delete a specified role.
show, list, l Show details of a specified role (actors, tasks, all).
purge Remove all items from a role (actors, tasks, all).
grant Grant permissions to a user or group.
revoke Revoke permissions from a user or group.
-u, --user [user_name] Specify a user for grant or revoke operations.
-g, --group [nameA,...] Specify a combination of groups (comma-separated) for grant or revoke operations; repeat the option to add alternative combinations.
Example: chsr role roleA grant -u userA -g groupA,groupB -g groupC
This command grants roleA to "userA", to users who are in both groupA AND groupB, and to users in groupC.
Task Operations:
chsr role [role_name] task [task_name] [operation]
show, list, l Show task details (all, cmd, cred).
purge Purge configurations or credentials of a task (all, cmd, cred).
add, create Add a new task.
del, delete, unset, d, rm Remove a task.
Command Operations:
chsr role [role_name] task [task_name] command [cmd]
show Show commands.
setpolicy [policy] Set policy for commands (allow-all, deny-all).
whitelist, wl [listing] Manage the whitelist for commands.
blacklist, bl [listing] Manage the blacklist for commands.
Credentials Operations:
chsr role [role_name] task [task_name] credentials [operation]
show Show credentials.
set, unset Set or unset credentials details.
--setuid [user] Specify the user to set.
--setgid [group,...] Specify groups to set.
caps Manage capabilities for credentials.
Capabilities Operations:
chsr role [role_name] task [task_name] credentials caps [operation]
setpolicy [policy] Set policy for capabilities (allow-all, deny-all).
whitelist, wl [listing] Manage whitelist for credentials.
blacklist, bl [listing] Manage blacklist for credentials.
Options:
chsr options [option] [operation]
chsr role [role_name] options [option] [operation]
chsr role [role_name] task [task_name] options [option] [operation]
path Manage path settings (set, whitelist, blacklist).
env Manage environment variable settings (set, whitelist, blacklist, checklist).
root [policy] Defines whether the root user (uid == 0) gets its privileges by default (privileged, user, inherit).
bounding [policy] Defines whether dropped capabilities are permanently removed from the bounding set of the instantiated process (strict, ignore, inherit).
timeout Manage timeout settings (set, unset).
Path options:
chsr options path [operation]
setpolicy [policy] Specify the policy for path settings (delete-all, keep-safe, keep-unsafe, inherit).
set [path] Set the policy to delete-all and the path to enforce.
whitelist, wl [listing] Manage the whitelist for path settings.
blacklist, bl [listing] Manage the blacklist for path settings.
Environment options:
chsr options env [operation]
setpolicy [policy] Specify the policy for environment settings (delete-all, keep-all, inherit).
set [key=value,...] Set variables to enforce.
keep-only [key,...] Set the policy to delete-all and keep only the listed keys.
delete-only [key,...] Set the policy to keep-all and delete only the listed keys.
whitelist, wl [listing] Manage the whitelist for environment settings.
blacklist, bl [listing] Manage the blacklist for environment settings.
checklist, cl [listing] Manage the checklist for environment settings (a listed variable is removed if its value contains unsafe characters).
setlist, sl [listing] Manage the setlist for environment settings (defines environment variables to set).
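As an added example that is not chsr's own code, the following Python models how the environment options above combine (setpolicy, whitelist, blacklist, checklist, setlist) and what reaches the task's process. The unsafe-character set for the checklist and the exact precedence between the lists are assumptions, since the page does not define them.

```python
# Added example, not chsr's own code: a model of the environment options above.
# Assumption: the checklist's unsafe characters are '%' and '/' (sudo-style); the page does not define them.
from dataclasses import dataclass, field

UNSAFE_CHARS = "%/"  # assumed; not specified on the page

@dataclass
class EnvPolicy:
    policy: str = "delete-all"  # setpolicy: "delete-all" or "keep-all"
    whitelist: set = field(default_factory=set)  # always kept (unless blacklisted)
    blacklist: set = field(default_factory=set)  # always removed
    checklist: set = field(default_factory=set)  # kept only if the value is safe
    setlist: dict = field(default_factory=dict)  # forced key=value pairs

def filter_env(p: EnvPolicy, env: dict) -> dict:
    """Return the environment handed to the task's process."""
    if p.policy not in ("delete-all", "keep-all"):
        raise ValueError(f"unknown env policy: {p.policy}")
    kept = {}
    for key, value in env.items():
        if key in p.blacklist:
            continue  # blacklist wins over every other list
        if key in p.checklist:
            if any(c in value for c in UNSAFE_CHARS):
                continue  # unsafe value: dropped even under keep-all
            kept[key] = value
        elif key in p.whitelist or p.policy == "keep-all":
            kept[key] = value
    kept.update(p.setlist)  # setlist overrides anything inherited
    return kept
# Constructed sample environment (not captured from a real system).
SAMPLE_ENV = {
    "PATH": "/home/user/bin:/usr/bin",
    "LD_PRELOAD": "/tmp/untrusted.so",
    "TERM": "xterm-256color",
    "LANG": "en_US.UTF-8",
    "COLORTERM": "truecolor",
    "LANGUAGE": "en%2Fx",  # contains '%', so it fails the check
}

def keep_only_demo() -> dict:
    # chsr options env keep-only TERM,LANG, plus a checklist and a setlist
    p = EnvPolicy("delete-all", whitelist={"TERM", "LANG"},
                  checklist={"COLORTERM", "LANGUAGE"}, setlist={"PATH": "/usr/bin:/bin"})
    return filter_env(p, SAMPLE_ENV)

def delete_only_demo() -> dict:
    # chsr options env delete-only LD_PRELOAD,PATH (keep-all plus a blacklist)
    return filter_env(EnvPolicy("keep-all", blacklist={"LD_PRELOAD", "PATH"}), SAMPLE_ENV)
```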
Timeout options:
chsr options timeout [operation]
set, unset Set or unset timeout settings.
--type [tty, ppid, uid] Specify the type of timeout.
--duration [HH:MM:SS] Specify the duration of the timeout.
--max-usage [number] Specify the maximum usage of the timeout.
Listing:
add [items,...] Add items to the list.
del [items,...] Remove items from the list.
set [items,...] Set items in the list.
purge Remove all items from the list.
Convert policy format:
chsr convert (-r) (--from [from_type] [from_file]) [to_type] [to_file]
Supported types: json, cbor
-r, --reconfigure Reconfigure the /etc/security/rootasrole.json file to point at the new policy file location.
--from [from_type] [from_file] Specify the type and file to convert from.
Warning: the new location should be under a protected directory.