[{"data":1,"prerenderedAt":753},["ShallowReactive",2],{"navigation":3,"\u002Fecosystem\u002Fescapes":89,"\u002Fecosystem\u002Fescapes-surround":748},[4,40,63,76],{"title":5,"path":6,"stem":7,"children":8,"icon":39},"Getting Started","\u002Fgetting-started","1.getting-started\u002F1.index",[9,11,15,19,23,27,31,35],{"title":10,"path":6,"stem":7},"Introduction",{"title":12,"path":13,"stem":14},"Quick Start: Service Provider","\u002Fgetting-started\u002Fquickstart-sp","1.getting-started\u002F2.quickstart-sp",{"title":16,"path":17,"stem":18},"Quick Start: Identity Provider","\u002Fgetting-started\u002Fquickstart-idp","1.getting-started\u002F3.quickstart-idp",{"title":20,"path":21,"stem":22},"Quick Start: Agent","\u002Fgetting-started\u002Fquickstart-agent","1.getting-started\u002F4.quickstart-agent",{"title":24,"path":25,"stem":26},"Quick Start","\u002Fgetting-started\u002Finstallation","1.getting-started\u002F5.installation",{"title":28,"path":29,"stem":30},"How It Works","\u002Fgetting-started\u002Fhow-it-works","1.getting-started\u002F6.how-it-works",{"title":32,"path":33,"stem":34},"For Service Providers","\u002Fgetting-started\u002Ffor-service-providers","1.getting-started\u002F7.for-service-providers",{"title":36,"path":37,"stem":38},"CLI (apes & ape-shell)","\u002Fgetting-started\u002Fcli","1.getting-started\u002F8.cli",false,{"title":41,"path":42,"stem":43,"children":44,"icon":39},"Ecosystem","\u002Fecosystem","2.ecosystem\u002F1.index",[45,47,51,55,59],{"title":46,"path":42,"stem":43},"Overview",{"title":48,"path":49,"stem":50},"OpenApe Auth","\u002Fecosystem\u002Fauth","2.ecosystem\u002F2.auth",{"title":52,"path":53,"stem":54},"OpenApe Grants","\u002Fecosystem\u002Fgrants","2.ecosystem\u002F3.grants",{"title":56,"path":57,"stem":58},"nuxt-auth-sp","\u002Fecosystem\u002Fnuxt-auth-sp","2.ecosystem\u002F4.nuxt-auth-sp",{"title":60,"path":61,"stem":62},"escapes","\u002Fecosystem\u002Fescapes","2.ecosystem\u002F5.escapes",{"title":64,"icon":39,"path":65,"stem":66,"children":67,"page":39},"Security","\u002Fsecurity","3.security",[68,72],{"title":69,"path":70,"stem":71},"Compliance","\u002Fsecurity\u002Fcompliance","3.security\u002F1.compliance",{"title":73,"path":74,"stem":75},"Threat Model","\u002Fsecurity\u002Fthreat-model","3.security\u002F2.threat-model",{"title":77,"icon":39,"path":78,"stem":79,"children":80,"page":39},"Guides","\u002Fguides","4.guides",[81,85],{"title":82,"path":83,"stem":84},"Capabilities & Grants","\u002Fguides\u002Fcapabilities","4.guides\u002F1.capabilities",{"title":86,"path":87,"stem":88},"Delegation","\u002Fguides\u002Fdelegation","4.guides\u002F2.delegation",{"id":90,"title":60,"body":91,"description":742,"extension":743,"links":744,"meta":745,"navigation":158,"path":61,"seo":746,"stem":62,"__hash__":747},"docs\u002F2.ecosystem\u002F5.escapes.md",{"type":92,"value":93,"toc":729},"minimark",[94,97,109,116,121,180,184,187,244,247,251,336,343,372,383,387,392,434,438,445,453,456,460,463,467,470,627,631,637,692,702,706,725],[95,96,60],"h1",{"id":60},[98,99,100,103,104,108],"p",{},[101,102,60],"code",{}," is a Rust binary for ",[105,106,107],"strong",{},"local privilege escalation"," via the OpenApe grant system. It runs as a setuid binary that verifies an AuthZ-JWT before executing a command with elevated privileges.",[98,110,111,112,115],{},"Think of it as ",[101,113,114],{},"sudo"," with cryptographic authorization -- instead of a password, you need a signed grant token approved by a human.",[117,118,120],"h2",{"id":119},"installation","Installation",[122,123,128],"pre",{"className":124,"code":125,"language":126,"meta":127,"style":127},"language-bash shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","# Build from source\ncargo build --release\n\n# Install with setuid (requires root)\nsudo make install  # installs to \u002Fusr\u002Flocal\u002Fbin\u002Fescapes\n","bash","",[101,129,130,139,153,160,166],{"__ignoreMap":127},[131,132,135],"span",{"class":133,"line":134},"line",1,[131,136,138],{"class":137},"sHwdD","# Build from source\n",[131,140,142,146,150],{"class":133,"line":141},2,[131,143,145],{"class":144},"sBMFI","cargo",[131,147,149],{"class":148},"sfazB"," build",[131,151,152],{"class":148}," --release\n",[131,154,156],{"class":133,"line":155},3,[131,157,159],{"emptyLinePlaceholder":158},true,"\n",[131,161,163],{"class":133,"line":162},4,[131,164,165],{"class":137},"# Install with setuid (requires root)\n",[131,167,169,171,174,177],{"class":133,"line":168},5,[131,170,114],{"class":144},[131,172,173],{"class":148}," make",[131,175,176],{"class":148}," install",[131,178,179],{"class":137},"  # installs to \u002Fusr\u002Flocal\u002Fbin\u002Fescapes\n",[117,181,183],{"id":182},"agent-enrollment","Agent Enrollment",[98,185,186],{},"Each machine needs an enrolled agent with a key pair:",[122,188,190],{"className":124,"code":189,"language":126,"meta":127,"style":127},"sudo escapes enroll \\\n  --server https:\u002F\u002Fid.example.com \\\n  --agent-email deploy@example.com \\\n  --agent-name web-deploy \\\n  --key \u002Fetc\u002Fopenape\u002Fagent.key\n",[101,191,192,206,216,226,236],{"__ignoreMap":127},[131,193,194,196,199,202],{"class":133,"line":134},[131,195,114],{"class":144},[131,197,198],{"class":148}," escapes",[131,200,201],{"class":148}," enroll",[131,203,205],{"class":204},"sTEyZ"," \\\n",[131,207,208,211,214],{"class":133,"line":141},[131,209,210],{"class":148},"  --server",[131,212,213],{"class":148}," https:\u002F\u002Fid.example.com",[131,215,205],{"class":204},[131,217,218,221,224],{"class":133,"line":155},[131,219,220],{"class":148},"  --agent-email",[131,222,223],{"class":148}," deploy@example.com",[131,225,205],{"class":204},[131,227,228,231,234],{"class":133,"line":162},[131,229,230],{"class":148},"  --agent-name",[131,232,233],{"class":148}," web-deploy",[131,235,205],{"class":204},[131,237,238,241],{"class":133,"line":168},[131,239,240],{"class":148},"  --key",[131,242,243],{"class":148}," \u002Fetc\u002Fopenape\u002Fagent.key\n",[98,245,246],{},"The enrollment registers the agent's public key at the IdP. The private key stays on the machine, owned by the agent's user.",[117,248,250],{"id":249},"usage","Usage",[122,252,254],{"className":124,"code":253,"language":126,"meta":127,"style":127},"# Execute a command with a grant token\nescapes --grant \u003Cjwt> -- apt-get upgrade\n\n# With reason (logged for audit)\nescapes --grant \u003Cjwt> --reason \"Security update\" -- systemctl restart nginx\n",[101,255,256,261,290,294,299],{"__ignoreMap":127},[131,257,258],{"class":133,"line":134},[131,259,260],{"class":137},"# Execute a command with a grant token\n",[131,262,263,265,268,272,275,278,281,284,287],{"class":133,"line":141},[131,264,60],{"class":144},[131,266,267],{"class":148}," --grant",[131,269,271],{"class":270},"sMK4o"," \u003C",[131,273,274],{"class":148},"jw",[131,276,277],{"class":204},"t",[131,279,280],{"class":270},">",[131,282,283],{"class":148}," --",[131,285,286],{"class":148}," apt-get",[131,288,289],{"class":148}," upgrade\n",[131,291,292],{"class":133,"line":155},[131,293,159],{"emptyLinePlaceholder":158},[131,295,296],{"class":133,"line":162},[131,297,298],{"class":137},"# With reason (logged for audit)\n",[131,300,301,303,305,307,309,311,313,316,319,322,325,327,330,333],{"class":133,"line":168},[131,302,60],{"class":144},[131,304,267],{"class":148},[131,306,271],{"class":270},[131,308,274],{"class":148},[131,310,277],{"class":204},[131,312,280],{"class":270},[131,314,315],{"class":148}," --reason",[131,317,318],{"class":270}," \"",[131,320,321],{"class":148},"Security update",[131,323,324],{"class":270},"\"",[131,326,283],{"class":148},[131,328,329],{"class":148}," systemctl",[131,331,332],{"class":148}," restart",[131,334,335],{"class":148}," nginx\n",[98,337,338,339,342],{},"The typical flow with the ",[101,340,341],{},"apes"," CLI:",[122,344,346],{"className":124,"code":345,"language":126,"meta":127,"style":127},"# apes handles the full lifecycle: request grant, wait for approval, execute\napes run --as root -- apt-get upgrade\n",[101,347,348,353],{"__ignoreMap":127},[131,349,350],{"class":133,"line":134},[131,351,352],{"class":137},"# apes handles the full lifecycle: request grant, wait for approval, execute\n",[131,354,355,357,360,363,366,368,370],{"class":133,"line":141},[131,356,341],{"class":144},[131,358,359],{"class":148}," run",[131,361,362],{"class":148}," --as",[131,364,365],{"class":148}," root",[131,367,283],{"class":148},[131,369,286],{"class":148},[131,371,289],{"class":148},[98,373,374,375,378,379,382],{},"When ",[101,376,377],{},"--as"," is specified, ",[101,380,381],{},"apes run"," automatically routes through escapes for privilege escalation.",[117,384,386],{"id":385},"security-model","Security Model",[388,389,391],"h3",{"id":390},"privilege-handling","Privilege Handling",[393,394,395,402,408,414,420],"ol",{},[396,397,398,401],"li",{},[105,399,400],{},"Starts as root"," (setuid binary)",[396,403,404,407],{},[105,405,406],{},"Drops privileges"," before loading any user data or keys",[396,409,410,413],{},[105,411,412],{},"Validates the AuthZ-JWT"," -- checks signature, audience, expiry, command hash",[396,415,416,419],{},[105,417,418],{},"Re-elevates"," only after successful validation",[396,421,422,425,426,429,430,433],{},[105,423,424],{},"Sanitizes environment"," -- clears ",[101,427,428],{},"LD_PRELOAD",", ",[101,431,432],{},"PATH",", etc. before exec",[388,435,437],{"id":436},"command-hash-verification","Command Hash Verification",[98,439,440,441,444],{},"The JWT contains a ",[101,442,443],{},"cmd_hash"," (SHA-256 of the canonicalized command). escapes recomputes the hash from the actual command arguments and compares:",[122,446,451],{"className":447,"code":449,"language":450},[448],"language-text","Requested: apt-get upgrade\ncmd_hash:  sha256:a1b2c3...  (from JWT)\nComputed:  sha256:a1b2c3...  (from actual args)\nMatch → execute\n","text",[101,452,449],{"__ignoreMap":127},[98,454,455],{},"This prevents substitution attacks -- even if an attacker obtains a valid JWT, they cannot use it for a different command.",[388,457,459],{"id":458},"multi-agent-support","Multi-Agent Support",[98,461,462],{},"A single machine can have multiple enrolled agents, each with their own key and identity. escapes matches the JWT's subject against the registered agents by deriving the public key from the configured private keys.",[388,464,466],{"id":465},"audit-logging","Audit Logging",[98,468,469],{},"Every execution is logged as JSONL:",[122,471,475],{"className":472,"code":473,"language":474,"meta":127,"style":127},"language-json shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","{\n  \"ts\": \"2025-01-15T10:30:00Z\",\n  \"agent\": \"deploy@example.com\",\n  \"command\": [\"apt-get\", \"upgrade\"],\n  \"grant_id\": \"3f8a...\",\n  \"decided_by\": \"alice@example.com\",\n  \"result\": \"success\"\n}\n","json",[101,476,477,482,506,526,560,580,601,621],{"__ignoreMap":127},[131,478,479],{"class":133,"line":134},[131,480,481],{"class":270},"{\n",[131,483,484,487,491,493,496,498,501,503],{"class":133,"line":141},[131,485,486],{"class":270},"  \"",[131,488,490],{"class":489},"spNyl","ts",[131,492,324],{"class":270},[131,494,495],{"class":270},":",[131,497,318],{"class":270},[131,499,500],{"class":148},"2025-01-15T10:30:00Z",[131,502,324],{"class":270},[131,504,505],{"class":270},",\n",[131,507,508,510,513,515,517,519,522,524],{"class":133,"line":155},[131,509,486],{"class":270},[131,511,512],{"class":489},"agent",[131,514,324],{"class":270},[131,516,495],{"class":270},[131,518,318],{"class":270},[131,520,521],{"class":148},"deploy@example.com",[131,523,324],{"class":270},[131,525,505],{"class":270},[131,527,528,530,533,535,537,540,542,545,547,550,552,555,557],{"class":133,"line":162},[131,529,486],{"class":270},[131,531,532],{"class":489},"command",[131,534,324],{"class":270},[131,536,495],{"class":270},[131,538,539],{"class":270}," [",[131,541,324],{"class":270},[131,543,544],{"class":148},"apt-get",[131,546,324],{"class":270},[131,548,549],{"class":270},",",[131,551,318],{"class":270},[131,553,554],{"class":148},"upgrade",[131,556,324],{"class":270},[131,558,559],{"class":270},"],\n",[131,561,562,564,567,569,571,573,576,578],{"class":133,"line":168},[131,563,486],{"class":270},[131,565,566],{"class":489},"grant_id",[131,568,324],{"class":270},[131,570,495],{"class":270},[131,572,318],{"class":270},[131,574,575],{"class":148},"3f8a...",[131,577,324],{"class":270},[131,579,505],{"class":270},[131,581,583,585,588,590,592,594,597,599],{"class":133,"line":582},6,[131,584,486],{"class":270},[131,586,587],{"class":489},"decided_by",[131,589,324],{"class":270},[131,591,495],{"class":270},[131,593,318],{"class":270},[131,595,596],{"class":148},"alice@example.com",[131,598,324],{"class":270},[131,600,505],{"class":270},[131,602,604,606,609,611,613,615,618],{"class":133,"line":603},7,[131,605,486],{"class":270},[131,607,608],{"class":489},"result",[131,610,324],{"class":270},[131,612,495],{"class":270},[131,614,318],{"class":270},[131,616,617],{"class":148},"success",[131,619,620],{"class":270},"\"\n",[131,622,624],{"class":133,"line":623},8,[131,625,626],{"class":270},"}\n",[117,628,630],{"id":629},"integration-with-apes-cli","Integration with apes CLI",[98,632,633,634,636],{},"The ",[101,635,381],{}," command integrates escapes seamlessly:",[122,638,640],{"className":124,"code":639,"language":126,"meta":127,"style":127},"# Direct: agent runs the command itself (adapter mode)\napes run -- kubectl apply -f deployment.yaml\n\n# Escalated: agent runs the command as root via escapes\napes run --as root -- apt-get upgrade\n",[101,641,642,647,667,671,676],{"__ignoreMap":127},[131,643,644],{"class":133,"line":134},[131,645,646],{"class":137},"# Direct: agent runs the command itself (adapter mode)\n",[131,648,649,651,653,655,658,661,664],{"class":133,"line":141},[131,650,341],{"class":144},[131,652,359],{"class":148},[131,654,283],{"class":148},[131,656,657],{"class":148}," kubectl",[131,659,660],{"class":148}," apply",[131,662,663],{"class":148}," -f",[131,665,666],{"class":148}," deployment.yaml\n",[131,668,669],{"class":133,"line":155},[131,670,159],{"emptyLinePlaceholder":158},[131,672,673],{"class":133,"line":162},[131,674,675],{"class":137},"# Escalated: agent runs the command as root via escapes\n",[131,677,678,680,682,684,686,688,690],{"class":133,"line":168},[131,679,341],{"class":144},[131,681,359],{"class":148},[131,683,362],{"class":148},[131,685,365],{"class":148},[131,687,283],{"class":148},[131,689,286],{"class":148},[131,691,289],{"class":148},[98,693,694,695,697,698,701],{},"In escalated mode, ",[101,696,341],{}," requests a grant with ",[101,699,700],{},"audience: \"escapes\"",", waits for approval, then passes the AuthZ-JWT to the escapes binary.",[117,703,705],{"id":704},"next-steps","Next Steps",[707,708,709,715,720],"ul",{},[396,710,711,714],{},[712,713,82],"a",{"href":83}," -- how the grant system works",[396,716,717,719],{},[712,718,86],{"href":87}," -- act on behalf of another user",[396,721,722,724],{},[712,723,20],{"href":21}," -- enroll your first agent",[726,727,728],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}",{"title":127,"searchDepth":134,"depth":141,"links":730},[731,732,733,734,740,741],{"id":119,"depth":141,"text":120},{"id":182,"depth":141,"text":183},{"id":249,"depth":141,"text":250},{"id":385,"depth":141,"text":386,"children":735},[736,737,738,739],{"id":390,"depth":155,"text":391},{"id":436,"depth":155,"text":437},{"id":458,"depth":155,"text":459},{"id":465,"depth":155,"text":466},{"id":629,"depth":141,"text":630},{"id":704,"depth":141,"text":705},"Privilege escalation with grant verification.","md",null,{},{"title":60,"description":742},"d2-byG-sCN21UBUZYxG9NkcQoXZlxnVGlQF9UF9mZSg",[749,751],{"title":56,"path":57,"stem":58,"description":750,"children":-1},"Add OpenApe login to any Nuxt app in minutes.",{"title":69,"path":70,"stem":71,"description":752,"children":-1},"NIS2, NIST CSF 2.0, and regulatory compliance.",1776885317056]