leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

Install ergonomics: GitHub release workflow + install.sh + README quickstart

Browse Source 
For 'people should say just use iamroot' framing, the install gate is
the single biggest discoverability bottleneck. This commit makes it:

  curl -sSL https://github.com/KaraZajac/IAMROOT/releases/latest/download/install.sh | sh

.github/workflows/release.yml:
- Triggers on semver tag push (v*.*.*) + manual dispatch.
- Matrix build for x86_64 (gcc) and arm64 (aarch64-linux-gnu-gcc cross).
- Per-arch sha256sum alongside the binary.
- Auto-generates release notes pointing at CVES.md / ROADMAP.md and
  including the install one-liner with the version-specific URL.
- Publishes via softprops/action-gh-release@v2.

install.sh (also uploaded as a release artifact, so the curl|sh
above is stable):
- Detects arch (x86_64 / aarch64 → arm64).
- Pulls iamroot-<arch> + iamroot-<arch>.sha256 from the requested
  version (default: latest).
- Verifies sha256 via sha256sum or shasum -a 256.
- Installs to /usr/local/bin/iamroot (or $IAMROOT_PREFIX). Uses sudo
  iff /usr/local/bin isn't already writable.
- Prints quickstart hints + ethics pointer at the end.
- Env knobs: IAMROOT_VERSION, IAMROOT_PREFIX, IAMROOT_REPO.

README.md gains a 'Quickstart' section at the top with the four
canonical commands: install, --scan, --audit, --detect-rules,
fleet-scan. Lands the 'curl|bash and go' UX as the first thing
visitors see.
This commit is contained in:
KaraZajac
2026-05-16 21:01:34 -04:00
parent 541aac6993
commit b24934156a
3 changed files with 256 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/release.yml
+120
View File
@@ -0,0 +1,120 @@
name: release
# Triggers on semver tag push (v0.1.0, v0.1.1, etc.). Builds release
# artifacts for x86_64 and arm64, then publishes them on a GitHub
# Release matching the tag.
#
# Maintainer flow:
# git tag v0.1.0
# git push origin v0.1.0
# → CI builds + publishes release with iamroot-x86_64 + iamroot-arm64
on:
push:
tags: ['v*.*.*']
workflow_dispatch: # allow manual re-runs
permissions:
contents: write # needed by softprops/action-gh-release
jobs:
build:
strategy:
fail-fast: false
matrix:
include:
- target: x86_64
cc: gcc
apt: build-essential
- target: arm64
cc: aarch64-linux-gnu-gcc
apt: build-essential gcc-aarch64-linux-gnu
name: build (${{ matrix.target }})
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: install build deps
run: |
sudo apt-get update -qq
sudo apt-get install -y --no-install-recommends ${{ matrix.apt }} linux-libc-dev
- name: build
env:
CC: ${{ matrix.cc }}
run: |
make
file iamroot
ls -la iamroot
- name: rename + checksum
run: |
mv iamroot iamroot-${{ matrix.target }}
sha256sum iamroot-${{ matrix.target }} > iamroot-${{ matrix.target }}.sha256
- uses: actions/upload-artifact@v4
with:
name: iamroot-${{ matrix.target }}
path: |
iamroot-${{ matrix.target }}
iamroot-${{ matrix.target }}.sha256
release:
needs: build
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
path: dist
- name: flatten artifacts
run: |
find dist -type f -exec mv {} . \;
ls -la iamroot-*
- name: collect release notes
id: notes
run: |
tag="${GITHUB_REF#refs/tags/}"
echo "tag=$tag" >> "$GITHUB_OUTPUT"
# Pull the latest entry from CVES.md / ROADMAP.md for the body
{
echo "## IAMROOT $tag"
echo
echo "Pre-built binaries for x86_64 and arm64. Checksums alongside."
echo
echo "### Install"
echo
echo '```bash'
echo "curl -sSLfo /tmp/iamroot https://github.com/${GITHUB_REPOSITORY}/releases/download/${tag}/iamroot-\$(uname -m | sed s/aarch64/arm64/)"
echo "chmod +x /tmp/iamroot && sudo mv /tmp/iamroot /usr/local/bin/iamroot"
echo "iamroot --version"
echo '```'
echo
echo "Or one-shot via the install script:"
echo
echo '```bash'
echo "curl -sSL https://github.com/${GITHUB_REPOSITORY}/releases/download/${tag}/install.sh | sh"
echo '```'
echo
echo "### What's in this release"
echo
echo "See [\`CVES.md\`](https://github.com/${GITHUB_REPOSITORY}/blob/${tag}/CVES.md) for the curated CVE inventory."
echo "See [\`ROADMAP.md\`](https://github.com/${GITHUB_REPOSITORY}/blob/${tag}/ROADMAP.md) for phase progress."
} > release-notes.md
- name: publish release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ steps.notes.outputs.tag }}
name: IAMROOT ${{ steps.notes.outputs.tag }}
body_path: release-notes.md
files: |
iamroot-x86_64
iamroot-x86_64.sha256
iamroot-arm64
iamroot-arm64.sha256
install.sh
fail_on_unmatched_files: false # install.sh may not exist at first tag
README.md
+23
View File
@@ -19,6 +19,29 @@
> tool. By using it you assert you have explicit authorization to test
> the target system. See [`docs/ETHICS.md`](docs/ETHICS.md).
## Quickstart
```bash
# One-shot install (x86_64 / arm64; checksum-verified)
curl -sSL https://github.com/KaraZajac/IAMROOT/releases/latest/download/install.sh | sh
# What's this box vulnerable to?
sudo iamroot --scan
# Broader system hygiene (setuid binaries, world-writable, capabilities, sudo)
sudo iamroot --audit
# Deploy detection rules across every bundled module
sudo iamroot --detect-rules --format=auditd | sudo tee /etc/audit/rules.d/99-iamroot.rules
# Fleet scan (any-sized host list via SSH; aggregated JSON for SIEM)
./tools/iamroot-fleet-scan.sh --binary iamroot --ssh-key ~/.ssh/id_rsa hosts.txt
```
`iamroot --help` lists every command. See [`CVES.md`](CVES.md) for the
curated CVE inventory and [`docs/DEFENDERS.md`](docs/DEFENDERS.md) for
the blue-team deployment guide.
## What this is
Most Linux LPE references are dead repos, broken PoCs, or single-CVE
install.sh
Executable
+113
View File
@@ -0,0 +1,113 @@
#!/usr/bin/env bash
# IAMROOT one-shot installer.
#
# Usage:
# curl -sSL https://github.com/KaraZajac/IAMROOT/releases/latest/download/install.sh | sh
#
# Or with explicit version:
# IAMROOT_VERSION=v0.1.0 curl ... | sh
#
# Or install to a different prefix:
# IAMROOT_PREFIX=$HOME/.local/bin curl ... | sh
#
# Environment:
# IAMROOT_VERSION release tag (default: latest)
# IAMROOT_PREFIX install dir (default: /usr/local/bin if writable, else error)
# IAMROOT_REPO override repo (default: KaraZajac/IAMROOT)
#
# Exit codes:
# 0 — installed successfully
# 1 — error (unsupported arch, download failure, permission denied)
set -euo pipefail
REPO="${IAMROOT_REPO:-KaraZajac/IAMROOT}"
VERSION="${IAMROOT_VERSION:-latest}"
PREFIX="${IAMROOT_PREFIX:-/usr/local/bin}"
log() { printf '[\033[1;36m*\033[0m] %s\n' "$*" >&2; }
ok() { printf '[\033[1;32m+\033[0m] %s\n' "$*" >&2; }
fail() { printf '[\033[1;31m-\033[0m] %s\n' "$*" >&2; exit 1; }
# Detect architecture
arch=$(uname -m)
case "$arch" in
x86_64|amd64) target=x86_64 ;;
aarch64|arm64) target=arm64 ;;
*) fail "Unsupported architecture: $arch (only x86_64 and arm64 currently)" ;;
esac
log "detected arch: $target"
# Resolve version → download URL
if [ "$VERSION" = "latest" ]; then
url="https://github.com/${REPO}/releases/latest/download/iamroot-${target}"
sha_url="https://github.com/${REPO}/releases/latest/download/iamroot-${target}.sha256"
else
url="https://github.com/${REPO}/releases/download/${VERSION}/iamroot-${target}"
sha_url="https://github.com/${REPO}/releases/download/${VERSION}/iamroot-${target}.sha256"
fi
log "downloading from: $url"
# Need curl. wget fallback would be nice but skipping for simplicity.
if ! command -v curl >/dev/null 2>&1; then
fail "curl is required (apt install curl / dnf install curl)"
fi
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
if ! curl -fsSLo "$tmp/iamroot" "$url"; then
fail "download failed. Check the version exists at https://github.com/${REPO}/releases"
fi
# Verify checksum if available
if curl -fsSLo "$tmp/iamroot.sha256" "$sha_url" 2>/dev/null; then
# The .sha256 file has the binary's original name; normalize for our local copy
expected=$(awk '{print $1}' "$tmp/iamroot.sha256")
if command -v sha256sum >/dev/null 2>&1; then
actual=$(sha256sum "$tmp/iamroot" | awk '{print $1}')
elif command -v shasum >/dev/null 2>&1; then
actual=$(shasum -a 256 "$tmp/iamroot" | awk '{print $1}')
else
actual=""
log "no sha256sum/shasum available — skipping checksum verification"
fi
if [ -n "$actual" ]; then
if [ "$actual" = "$expected" ]; then
ok "checksum verified"
else
fail "checksum mismatch (expected $expected, got $actual)"
fi
fi
else
log "no checksum file at $sha_url — skipping verification"
fi
chmod +x "$tmp/iamroot"
# Install. Try $PREFIX directly; if not writable, sudo.
target_path="$PREFIX/iamroot"
if [ -w "$PREFIX" ] || [ "$(id -u)" -eq 0 ]; then
mv "$tmp/iamroot" "$target_path"
elif command -v sudo >/dev/null 2>&1; then
log "$PREFIX needs sudo; you may be prompted for password"
sudo mv "$tmp/iamroot" "$target_path"
else
fail "$PREFIX not writable and sudo not available. Try IAMROOT_PREFIX=\$HOME/.local/bin"
fi
ok "installed: $target_path"
"$target_path" --version
cat >&2 <<EOF
[\033[1;33m!\033[0m] AUTHORIZED TESTING ONLY — see https://github.com/${REPO}/blob/main/docs/ETHICS.md
Quickstart:
sudo iamroot --scan # what's this box vulnerable to?
sudo iamroot --audit # broader system hygiene
sudo iamroot --detect-rules --format=auditd \\
| sudo tee /etc/audit/rules.d/99-iamroot.rules # deploy detection rules
See \`iamroot --help\` for all commands.
EOF