sheval - helmet to assign dynamic values in an escalated environment
sheval [-P pid] [-C config] [-f file] [-g group] [-R root] [-u user]
mnemonic program euid:egid cred_type:cred
This helmet is intended to allow op(1) escalation rules to include
dynamic variable assignments in the escalated environment. It does
this by assigning the output from a shell command to the specified
variable, to compensates for op's inability to do that. The escalation
fails when any of these commands exit(3)s non-zero.
This program takes all the op provided options, but actually doesn't
look at any of them (other than -P). It does sanity check them, just
Like any helmet, most of the configuration is passed from op via the
The helmet executes the given cmd reading the output to form a
new value for the env specified. The last newline is deleted
from the new value. When any cmd exits non-zero the escalation
is denied. When env is the empty string it is replaced with a
single under-bar (_). If the cmd is empty, it is replaced with
hostname. Think of this as running the command below for every
The warning message to replace the common "Sorry" denial mes-
The standard reveal logic, see op-jacket(7).
A comma-separated list of environment variables to remove after
processing. This masks values that the escalated process should
not be able to see, but are required for computing other values.
Think of this as running:
unset 'echo list | tr ',' ' ''
Note that any env formed from the escalated environment may have the
"SHEVAL_SET_" prefix, in which case it is processed again, at the end
of the cycle. This allows order-dependent assignments, which may
otherwise be randomized, the new command is the evaluation of the
original. This process may be repeated as many times as the prefix
All of these are deleted from each cmd's environment: $IFS, $CDPATH,
$ENV, $BASH_ENV to prevent perl(1) from refusing to run any commands.
If you must have them set, you'll have to put each in the environment
with a set specification.
These are example from the command-line:
Output only the version of the program, then exit.
Output only a summary of the environment expected.
All of these are snips from the op access.cf file. Note that you must
allow any referenced environment variables into the escalated environ-
ment, and it is a really good idea to include a $PATH.
Set the environment variable $NOW to the current time.
Deposit the path to the default stamp directory in $TOP. Recall
that the op markup $. represents a space in the context of an
environment variable, this is a bit easier to read than $\s.
Restore $IFS to a whacky value (by including a colon), then run
myscript to set the value of $Targ. The echo(1) command outputs
a script name, the next pass executes that script.
Set $FROM to the local hostname. This is a strange default, but
it is useful in calls to the master source tools, viz. hxmd,
efmd, msrc and mmsrc(8).
Force the client to be in both the disk and operator groups.
The helmet matches the original group list for the complete word
"operator", only when op allows the access by group membership
in "disk". Note that we then remove the trap variable, radiat-
ing extra information is bad policy.
This jacket trusts that the op configuration won't allow a malicious
shell command through the environment filter. The multiple evaluation
feature makes that much harder to believe. Any configuration that
calls a helmet or jacket requires great care, but great power always
comes with great responsibility.
Reveals do not take place in the helmet, they may conflict with assign-
ments made in sheval, in which case the assignments made from sheval
overwrite the revealed values. Revealed variables are not visible to
the cmd processes (but they are still visible with the original pre-
fix). This means revealing $IFS doesn't impact any evaluations. One
should not depend on this behavior, since it is implementation depen-
dent (and might change).
K S Braunsdorf, from the Non-Player Character Guild
op at-not-a-spammer ksb dot npcguild.org
sh(1), op(1l), op-jacket(7l), stampctl(8l), getpeereid(3), hostname(1),
hxmd(8l), efmd(8l), mmsrc(8) and msrc(8l)