please - Man Page
a tool for access elevation.
Synopsis
please /bin/bash
pleaseedit /etc/fstab
pleaseedit [-r/--reason "new fs"] /etc/fstab
pleaseedit [-g/--group groupname] filename
pleaseedit [-t/--target username] filename
pleaseedit [--resume] filename
please [-a/--allowenv list]
please [-c/--check] /etc/please.ini
please [-d/--dir directory] command
please [-e/--env environment] command
please [-g/--group groupname] command
please [-t/--target username] backup tar -cvf - /home/data | ...
please [-u/--user username] backup tar -cvf - /home/data | ...
please [-l/--list] [-t/--target username]
please [-l/--list] [-u/--user username]
please [-n/--noprompt] command
please [-r/--reason "sshd reconfigured, ticket 24365"] /etc/init.d/ssh restart
Description
please and pleaseedit are sudo alternatives that have regex support and a simple approach to ACL.
The aim is to allow admins to delegate accurate principle of least privilege access with ease. please.ini allows for very specific and flexible regex defined permissions.
pleaseedit adds a layer of safety to editing files. The file is copied to /tmp, where it can be updated. When EDITOR exits cleanly the file is copied alongside the target, the file will then be renamed over the original, but if a exitcmd is configured it must exit cleanly first. resume will continue editing when exitcmd fails.
- -a/--allowenv list
allow environments separated by , to be passed through
- -c/--check file
will check the syntax of a please.ini config file. Exits non-zero on error
- -d/--dir
will change directory to dir prior to executing the command
- -g/--group groupname
run or edit as groupname
- -h/--help
print help and exit
- -l/--list
to list rules
- -n/--noprompt
will not prompt for authentication and exits with a status of 1
- -p/--purge
will purge your current authentication token for the running user
- -r/--reason [reason]
will add reason to the system log
- -t/--target [username]
to execute command, or edit as target username
- -u/--user [username]
to execute command, or edit as target username
- -v/--version
print version and exit
- -w/--warm
will warm an authentication token and exit
Example Usage
- please -t httpd /bin/bash
run a shell as the httpd user
- please -l
to list what you may run
- please -t "username" -l
to show what username may run. username must match the target regex in a type=list rule
- please -r 'reloading apache2, change #123' systemctl reload apache2
to reload apache2 with a reason
- pleaseedit -r 'adding new storage, ticket #24365' /etc/fstab
to use pleaseedit to modify fstab
Please see please.ini for configuration examples.
Files
/etc/please.ini
Contributions
I welcome pull requests with open arms. New features always considered.
Bugs
Found a bug? Please either open a ticket or send a pull request/patch.
See Also
Authors
Ed Neville (ed-please@s5h.net).