.\" Automatically generated by Pandoc 2.17.1.1
.\"
.\" Define V font for inline verbatim, using C font in formats
.\" that render this, and otherwise B font.
.ie "\f[CB]x\f[]"x" \{\
. ftr V B
. ftr VI BI
. ftr VB B
. ftr VBI BI
.\}
.el \{\
. ftr V CR
. ftr VI CI
. ftr VB CB
. ftr VBI CBI
.\}
.TH "please" "1" "06 September 2024" "please 0.5.6" "User Manual"
.hy
.SH NAME
.PP
please - a tool for access elevation.
.SH SYNOPSIS
.PP
\f[B]please /bin/bash\f[R]
.PP
\f[B]pleaseedit /etc/fstab\f[R]
.PP
\f[B]pleaseedit [-r/--reason \[dq]new fs\[dq]] /etc/fstab\f[R]
.PP
\f[B]pleaseedit [-g/--group groupname] filename\f[R]
.PP
\f[B]pleaseedit [-t/--target username] filename\f[R]
.PP
\f[B]pleaseedit [--resume] filename\f[R]
.PP
\f[B]please [-a/--allowenv list]\f[R]
.PP
\f[B]please [-c/--check] /etc/please.ini\f[R]
.PP
\f[B]please [-d/--dir directory] command\f[R]
.PP
\f[B]please [-e/--env environment] command\f[R]
.PP
\f[B]please [-g/--group groupname] command\f[R]
.PP
\f[B]please [-h/--help]\f[R]
.PP
\f[B]please [-t/--target username] backup tar -cvf - /home/data |
\&...\f[R]
.PP
\f[B]please [-u/--user username] backup tar -cvf - /home/data |
\&...\f[R]
.PP
\f[B]please [-l/--list]\f[R]
.PP
\f[B]please [-l/--list] [-t/--target username]\f[R]
.PP
\f[B]please [-l/--list] [-u/--user username]\f[R]
.PP
\f[B]please [-n/--noprompt] command\f[R]
.PP
\f[B]please [-r/--reason \[dq]sshd reconfigured, ticket 24365\[dq]]
/etc/init.d/ssh restart\f[R]
.PP
\f[B]please [-p/--purge]\f[R]
.PP
\f[B]please [-w/--warm]\f[R]
.SH DESCRIPTION
.PP
\f[B]please\f[R] and \f[B]pleaseedit\f[R] are sudo alternatives that
have regex support and a simple approach to ACL.
.PP
The aim is to let admins delegate access that follows the principle of
least privilege, with ease.
\f[B]please.ini\f[R] allows for very specific and flexible regex-defined
permissions.
.PP
\f[B]pleaseedit\f[R] adds a layer of safety to editing files.
The file is copied to /tmp, where it can be updated.
When \f[B]EDITOR\f[R] exits cleanly the file is copied alongside the
target and then renamed over the original; if an \f[B]exitcmd\f[R] is
configured, it must exit cleanly before the rename.
\f[B]--resume\f[R] will continue editing when \f[B]exitcmd\f[R] fails.
.TP
\f[B]-a\f[R]/\f[B]--allowenv list\f[R]
allow environment variables, separated by \f[B],\f[R], to be passed through
.TP
\f[B]-c\f[R]/\f[B]--check file\f[R]
will check the syntax of a \f[B]please.ini\f[R] config file.
Exits non-zero on error.
.TP
\f[B]-d\f[R]/\f[B]--dir\f[R]
will change directory to \f[B]dir\f[R] prior to executing the command
.TP
\f[B]-g\f[R]/\f[B]--group groupname\f[R]
run or edit as groupname
.TP
\f[B]-h\f[R]/\f[B]--help\f[R]
print help and exit
.TP
\f[B]-l\f[R]/\f[B]--list\f[R]
to list rules
.TP
\f[B]-n\f[R]/\f[B]--noprompt\f[R]
will not prompt for authentication and exits with a status of 1
.TP
\f[B]-p\f[R]/\f[B]--purge\f[R]
will purge the current authentication token for the running user
.TP
\f[B]-r\f[R]/\f[B]--reason\f[R] \f[B][reason]\f[R]
will add \f[B]reason\f[R] to the system log
.TP
\f[B]-t\f[R]/\f[B]--target\f[R] \f[B][username]\f[R]
to execute command, or edit as target \f[B]username\f[R]
.TP
\f[B]-u\f[R]/\f[B]--user\f[R] \f[B][username]\f[R]
to execute command, or edit as target \f[B]username\f[R]
.TP
\f[B]-v\f[R]/\f[B]--version\f[R]
print version and exit
.TP
\f[B]-w\f[R]/\f[B]--warm\f[R]
will warm an authentication token and exit
.SH EXAMPLE USAGE
.TP
\f[B]please -t httpd /bin/bash\f[R]
run a shell as the httpd user
.TP
\f[B]please -l\f[R]
to list what you may run
.TP
\f[B]please -t \[dq]username\[dq] -l\f[R]
to show what username may run.
\f[B]username\f[R] must match the target regex in a \f[B]type=list\f[R]
rule
.TP
\f[B]please -r \[aq]reloading apache2, change #123\[aq] systemctl reload apache2\f[R]
to reload apache2 with a reason
.TP
\f[B]pleaseedit -r \[aq]adding new storage, ticket #24365\[aq] /etc/fstab\f[R]
to use pleaseedit to modify \f[B]fstab\f[R]
.PP
Please see \f[B]please.ini\f[R] for configuration examples.
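.PP
Added example, not part of please or its source: a shell illustration of
the edit sequence that DESCRIPTION gives for \f[B]pleaseedit\f[R]
(scratch copy, staged copy alongside the target, exit command, rename).
The names safe_edit, add_good, add_bad, check_fstab and demo, the staged
file suffix, and keeping the staged copy when the exit command fails are
assumptions; the example performs no privilege elevation.
.IP
.nf
```shell
# Added illustration of the pleaseedit sequence; not please's own code.
# safe_edit, add_good, add_bad, check_fstab and demo are hypothetical names.
# usage: safe_edit TARGET EDIT_CMD [EXIT_CMD]   (each command is run as: CMD FILE)
safe_edit() {
    target=$1; edit_cmd=$2; exit_cmd=${3:-}
    staged="$target.staged.$$"           # lives alongside the target
    work=$(mktemp) || return 1           # private scratch copy, mode 0600
    cp -- "$target" "$work" || { rm -f -- "$work"; return 1; }
    # 1. edit the scratch copy; an unclean editor exit abandons the change
    if ! $edit_cmd "$work"; then rm -f -- "$work"; return 2; fi
    # 2. stage next to the target: cp -p carries over the mode, and the
    #    final rename stays on one filesystem
    if ! { cp -p -- "$target" "$staged" && cat -- "$work" > "$staged"; }; then
        rm -f -- "$work" "$staged"; return 1
    fi
    rm -f -- "$work"
    # 3. the exit command must succeed before the original is touched;
    #    on failure the staged copy is kept so the edit can be retried
    if [ -n "$exit_cmd" ] && ! $exit_cmd "$staged"; then return 3; fi
    # 4. rename over the original
    mv -f -- "$staged" "$target"
}

# Constructed edit and validation commands for an fstab-like file.
add_good() { echo 'LABEL=data /data ext4 defaults 0 2' >> "$1"; }
add_bad() { echo 'LABEL=oops /mnt' >> "$1"; }
# exits non-zero if any non-comment, non-blank line lacks six fields
check_fstab() { awk '!/^#/ && NF && NF != 6 { bad = 1 } END { exit bad }' "$1"; }

# Runs one accepted and one rejected edit on a constructed file and
# prints "<rc of good edit> <rc of bad edit> <lines in final file>".
demo() {
    dir=$(mktemp -d) || return 1
    { echo '# constructed sample'; echo 'UUID=1111 / ext4 defaults 0 1'; } > "$dir/fstab"
    good=0; safe_edit "$dir/fstab" add_good check_fstab || good=$?
    bad=0; safe_edit "$dir/fstab" add_bad check_fstab || bad=$?
    lines=$(wc -l < "$dir/fstab")
    rm -rf -- "$dir"
    echo "$good $bad" $lines
}
```
.fi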
.SH FILES
.PP
/etc/please.ini
.SH CONTRIBUTIONS
.PP
I welcome pull requests with open arms.
New features are always considered.
.SH BUGS
.PP
Found a bug?
Please either open a ticket or send a pull request/patch.
.SH SEE ALSO
.PP
\f[B]please.ini\f[R](5)
.SH AUTHORS
Ed Neville (ed-please\[at]s5h.net).