This work by tirimid is licensed under CC BY-SA 4.0
Escl, whose name is originally derived from "privilege (esc)a(l)ation", is a
program in the vein of sudo or doas, used to elevate non-root user privileges to
root, for the sake of executing commands which you otherwise wouldn't be able
to. It is minimalist software with no dependencies on things which wouldn't be
available on every Linux system ever - using only libcrypt and some POSIX
functions. As of writing this, the file containing the entire escl
implementation, escl.c, is 275 lines of code. As well as this, all of its
configuration is stored in a single file and the program doesn't interact with
any files other than that, so you don't need to worry about breaking anything.
Escl arose from my personal desire for a hyperminimalist privilege elevation tool which is extremely easy to manage and has zero dependencies.
First, clone the source tree from the GitHub, then build and install escl. This can be done with:
If you ever wish to uninstall escl, run the following:
You will notice that in the previous commands, I have entered su and
didn't exit. This is because the next few commands you will be executing must
also be run as root.
Anyway, now that you have installed the compiled escl binary onto your
system, you need to understand how escl actually works. Escl has a system of
users and passwords, which can only be managed by root. By default, no users are
allowed to use escl for privelege elevation, and no passwords exist for them to
authenticate with. Once added, any permitted user will be able to authenticate
with any registered password. All information about escl permissions and state
is stored - by default - in the file: /etc/escl.conf, although this can be
changed by editing the source and recompiling. Anyway, the point is that escl
requires some light setup in order to be made useful - nothing scary, only one
or two commands.
Let's say that we have two users, one called "alice" and the other called
"bob", and we want to give them the ability to elevate privileges by entering
any of three passwords: "pass1", "secretword", or "mixedradixNS". The First step
would be to add the users, alice and bob, to the /etc/escl.conf. This can
either be done manually, or using the escl binary. For the sake of
completeness, I will demonstrate both methods.
To manually add the user "alice" to /etc/escl.conf, do the following in
vim (or whatever the equivalent is for your text editor):
To add a user using the binary, run:
Adding users using the binary is the preferred method of doing so, as it will reduce human error. Now that both users have been added, you need to give them passwords to use for authentication. This is done by running:
And entering the password you want to use. You can either run the command
multiple times to add multiple passwords, or you can run the command once with
the -pa flag repeated however many times you want to add a new password.
This is the basic setup process complete. If you cat the output of
/etc/escl.conf, you will see something like:
The added passwords are stored in hashed form for a basic level of security.
After escl has been installed and set up via the process outlined above, all permitted users will be able to use it. For example, if alice decides to upgrade her Arch Linux system with escl on it, she would run:
... and enter one of the registered passwords. In this way, it is used the same as sudo or doas.
That's it, that's all there is to it.
There are several things that you may want to do to manage the state of escl
after installation. For example, you may want to add / remove users and
passwords, or regenerate the hash used to store a certain password for security
reasons. Using the escl binary, these tasks are all made trivially easy.
Adding users and passwords has already been covered in the above section.
To remove the user alice's ability to use escl, run the following command:
To remove a password from the /etc/escl.conf so that users can no longer
authenticate with it, run the following command and enter the password you wish
to remove:
To regenerate the hash used to store a password in /etc/escl.conf, simply
remove a password and readd it. The salt used for generating a hash is
randomized whenever a password is added, so this process will have the effect of
hash regeneration. To quickly remove and add a password, run:
This work by tirimid is licensed under CC BY-SA 4.0