Regent

A Python framework to allow untrusted users to safely perform privileged system tasks.

Get it from pypi, or grab the code from github.

Regent comes in two parts:

  • a service which runs as the privileged system user, defines a set of operations it will perform, and listens for requests on a linux socket file
  • a client library to ask the service to perform the operations

A service is intended for use with clients on a single host. Alternatively its socket can be mounted within a docker container to control its host or other containers.

The authentication system is designed on the assumption that the unprivileged user is untrusted and can be compromised. For non-harmful operations a basic shared key will deter casual attackers, and for more high-risk commands it supports out-of-channel activation, to allow two-factor authentication or administrator approval.