tirimid.net

Escl, whose name is originally derived from “privilege (esc)a(l)ation”, is a program in the vein of sudo or doas, used to elevate non-root user privileges to root, for the sake of executing commands which you otherwise wouldn’t be able to. It is minimalist software with no dependencies on things which wouldn’t be available on every Linux system ever - using only libcrypt and some POSIX functions. As of writing this, the file containing the entire escl implementation, escl.c, is 275 lines of code. As well as this, all of its configuration is stored in a single file and the program doesn’t interact with any files other than that, so you don’t need to worry about breaking anything.

Escl arose from my personal desire for a hyperminimalist privilege elevation tool which is extremely easy to manage and has zero dependencies.

Installation and setup

First, clone the source tree from the GitHub, then build and install escl. This can be done with:

$ git clone https://github.com/tirimid/escl
$ cd escl
$ make
$ su
# make install

# make uninstall

You will notice that in the previous commands, I have entered su and didn’t exit. This is because the next few commands you will be executing must also be run as root.

Anyway, now that you have installed the compiled escl binary onto your system, you need to understand how escl actually works. Escl has a system of users and passwords, which can only be managed by root. By default, no users are allowed to use escl for privelege elevation, and no passwords exist for them to authenticate with. Once added, any permitted user will be able to authenticate with any registered password. All information about escl permissions and state is stored - by default - in the file: /etc/escl.conf, although this can be changed by editing the source and recompiling. Anyway, the point is that escl requires some light setup in order to be made useful - nothing scary, only one or two commands.

Let’s say that we have two users, one called “alice” and the other called bob”, and we want to give them the ability to elevate privileges by entering any of three passwords: “pass1”, “secretword”, or “mixedradixNS”. The First step would be to add the users, alice and bob, to the /etc/escl.conf. This can either be done manually, or using the escl binary. For the sake of completeness, I will demonstrate both methods.

To manually add the user “alice” to /etc/escl.conf, do the following in vim (or whatever the equivalent is for your text editor):

# vim /etc/escl.conf
i
user alice
ESC
:wq
ENTER

# escl -ua bob

Adding users using the binary is the preferred method of doing so, as it will reduce human error. Now that both users have been added, you need to give them passwords to use for authentication. This is done by running:

# escl -pa

And entering the password you want to use. You can either run the command multiple times to add multiple passwords, or you can run the command once with the -pa flag repeated however many times you want to add a new password.

This is the basic setup process complete. If you cat the output of /etc/escl.conf, you will see something like:

$ cat /etc/escl.conf
user alice
user bob
passwd BhCKeKJIqV1uk
passwd JxLXnoDReSE7k
passwd NqEAUtoNkpmAs

Using escl

After escl has been installed and set up via the process outlined above, all permitted users will be able to use it. For example, if alice decides to upgrade her Arch Linux system with escl on it, she would run:

$ escl pacman -Syu

… and enter one of the registered passwords. In this way, it is used the same as sudo or doas.

User / password management

There are several things that you may want to do to manage the state of escl after installation. For example, you may want to add / remove users and passwords, or regenerate the hash used to store a certain password for security reasons. Using the escl binary, these tasks are all made trivially easy.

What is escl?

Installation and setup

Using escl

User / password management