Skip to content

Releases: eresende/peperspray

peperspray 0.1.4

16 Jun 22:20
@github-actions github-actions
v0.1.4
cb3bd28

Choose a tag to compare

View all tags
peperspray 0.1.4 Latest
Latest

💨 peperspray 0.1.4 — denied-read notifications now work out of the box

If you're dogfooding peperspray on your workstation, this is the release that makes blocked credential reads visible. When a process is denied access to a protected file in enforce mode, you now get a desktop popup by default — no manual sandbox tweaking required.

What changed

Earlier versions shipped a hardened pepersprayd.service that, as a side effect, blocked the runuser call peperspray uses to deliver notifications into your session. Denies were still enforced and logged, but the popups never showed. This release grants the daemon exactly the privileges that notification delivery needs (and nothing more), so the feature works the moment you install or upgrade.

You'll see a notification like "Credential access blocked" naming the tool, the protected group, and the file it tried to read. Popups are throttled per tool/group for five minutes so noisy processes don't spam you.

Heads up on the tradeoff

Enabling notifications widens what a root daemon is allowed to do (it gains the privilege-changing capabilities and @setuid syscalls that runuser/PAM require). We think that's a fair default for a developer-workstation tool, but if you'd rather keep the stricter profile, the exact directives to revert are documented inline in packaging/systemd/pepersprayd.service. Enforcement and logging are unaffected either way — only the popups turn off.

Upgrade

# Debian / Ubuntu
sudo apt install ./peperspray_0.1.4_amd64.deb

# Fedora / RHEL-family
sudo dnf install ./peperspray-0.1.4-1.fc44.x86_64.rpm

ARM64 (arm64.deb, aarch64.rpm) and standalone Linux binary tarballs are attached below.

Try it

Switch to enforce mode and have a non-allowlisted tool read a protected file — you should get a popup, and the deny will show up in the log:

peperspray enforce
peperspray why last --decision deny

We'd love to hear how it behaves on your setup, especially across different desktop environments. Issue reports and feedback are very welcome. 🙏

Full Changelog: v0.1.3...v0.1.4

Assets 8
Loading

peperspray 0.1.3

09 Jun 22:25
@github-actions github-actions
v0.1.3
90140ac

Choose a tag to compare

View all tags
peperspray 0.1.3

Full Changelog: v0.1.2...v0.1.3

Loading

peperspray 0.1.2

06 Jun 17:25
@github-actions github-actions
v0.1.2
f013f0b

Choose a tag to compare

View all tags
peperspray 0.1.2

Full Changelog: v0.1.1...v0.1.2

Loading

peperspray 0.1.1

05 Jun 22:10
@github-actions github-actions
v0.1.1
b12d53c

Choose a tag to compare

View all tags
peperspray 0.1.1

Full Changelog: v0.1.0...v0.1.1

Loading

peperspray 0.1.0

05 Jun 20:48
@github-actions github-actions
v0.1.0
72324e8

Choose a tag to compare

View all tags
peperspray 0.1.0

Full Changelog: https://github.com/eresende/peperspray/commits/v0.1.0

Loading