
Exec-as-caller systemd unit and authenticated-admin prompt carve-outs#40

Merged: morgaesis merged 1 commit into main from salvage-item4-prompts-unit on Jul 2, 2026



@morgaesis

Owner

Adds a guard-exec-as-caller.service systemd unit for the deployment where the daemon starts as root and runs each approved command as the connecting Unix caller (--users, --exec-as-caller over a Unix socket, with --state-db), including the sandbox relaxations that mode requires and comments documenting the UID allow-list and when to widen ReadWritePaths. It also extends the safe and readonly evaluator prompts so authenticated read-only appliance and service-management APIs reached through a named SSH host or localhost tunnel with guard-injected credentials read as ordinary administration: fixed GET/search/status calls and bounded response handling are not a secret leak, and a request body from a named local JSON file is not exfiltration merely because its path contains secrets/. The credential-leak deny rules that follow are unchanged, and main's existing vendor-specific examples were left as-is.

…outs

Adds deployment/systemd/guard-exec-as-caller.service: a root-started
variant that runs approved commands as the connecting Unix caller
(--users, --exec-as-caller) with a Unix socket and --state-db, and the
sandbox relaxations that mode needs (ProtectHome=false, /home in
ReadWritePaths). It is a sibling of guard.service; comments document the
UID allow-list and when to widen ReadWritePaths.

Extends the safe and readonly evaluator prompts so authenticated
read-only appliance and service-management APIs reached through a named
SSH host or localhost tunnel with guard-injected credentials are treated
as ordinary administration: fixed GET/search/status calls and bounded
response handling (head -c, wc -c, jq) are not a secret leak, and a
request body from a named local JSON file is not exfiltration merely
because its path contains 'secrets/'. The existing credential-leak deny
rules that follow are unchanged.
@morgaesis morgaesis merged commit 4e23b46 into main Jul 2, 2026
7 checks passed
@morgaesis morgaesis deleted the salvage-item4-prompts-unit branch July 2, 2026 21:05
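
An added example, not code from this pull request or the project: a Python check a reviewer could run over a unit such as guard-exec-as-caller.service to confirm that ProtectHome is off and that ReadWritePaths holds only the paths they expect. The sample unit, its paths and the allow-list are constructed, and backslash line continuations are not handled.

```python
import shlex

FALSE_VALUES = {"0", "no", "false", "off"}  # systemd boolean spellings for "off"

# Constructed sample, not the project's guard-exec-as-caller.service.
SAMPLE_UNIT = """\
[Service]
ProtectSystem=strict
ProtectHome=false
ReadWritePaths=/home
ReadWritePaths=-/var/lib/example-state /srv/extra/
"""

def parse_service(unit_text):
    """Collect [Service] settings. ReadWritePaths is a list: repeated
    assignments append, and an empty assignment resets it."""
    section, settings = None, {"ReadWritePaths": []}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key != "ReadWritePaths":
                settings[key] = value
            elif value == "":
                settings[key] = []
            else:
                # Drop the "-" (ignore if missing) and "+" (relative to root) prefixes.
                settings[key] += [p.lstrip("-+").rstrip("/") or "/"
                                  for p in shlex.split(value)]
    return settings

def audit(unit_text, allowed_rw):
    """Report whether ProtectHome is off and which writable paths fall
    outside the reviewer's allow-list (allowed_rw is the caller's choice)."""
    settings = parse_service(unit_text)
    protect_home = settings.get("ProtectHome", "no").lower()
    return {
        "protect_home_off": protect_home in FALSE_VALUES,
        "read_write_paths": settings["ReadWritePaths"],
        "unexpected_rw": [p for p in settings["ReadWritePaths"]
                          if p not in allowed_rw],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_UNIT, {"/home", "/var/lib/example-state"}))
```
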