privmap

Find Linux privilege escalation paths by modeling permissions as a graph.

privmap reads the live configuration of a Linux system: users, groups, sudo rules, file permissions, cron jobs, systemd units, capabilities, and running processes. It assembles them into a directed property graph, then traces concrete escalation paths from each non-privileged user to root and other high-value sinks.

[CRITICAL] 2 escalation paths found for user: www-data

Path 1: www-data -> root (4 hops)
  www-data
    MEMBER_OF  group: adm
    CAN_WRITE  file: /etc/logrotate.d/nginx  (mode: 0664)
    EXECUTES   cron: /etc/cron.daily  (runs-as: root)
  -> root

  Risk: Writable logrotate config executed by root daily cron
  Remediation: chmod 644 /etc/logrotate.d/nginx; chown root:root /etc/logrotate.d/nginx

Where flat-list scanners like LinPEAS report "this file is world-writable" and "this cron job runs as root" as separate observations, privmap connects them into the single chain that actually represents the escalation.

Documentation

See full documentation at https://privmap.readthedocs.io/.

Install

pip install privmap

Requires Python 3.8 or later. From source: git clone … && pip install -e ..

Run

sudo privmap                                       # full scan, every user
sudo privmap --user www-data --user bob            # specific users
sudo privmap --min-severity high                   # filter by severity
sudo privmap --output json > report.json           # SIEM ingestion
sudo privmap --exit-code --min-severity critical   # CI/CD gate

For offline / forensic analysis, run the collector on the target and analyze the snapshot on your workstation:

sudo ./collect.sh                                                   # on target
privmap --snapshot ./privmap_snapshot_target_20260507.tar.gz        # on analyst host

The collector is POSIX-compliant and has no runtime dependencies on the target host.

Scope

privmap is a structural analysis tool for local Linux privilege relationships. It does not perform network enumeration, run exploits, cover Windows or macOS, or match binary versions against a CVE database.

Use cases

• System hardening. Validate least-privilege configurations and catch unintended escalation paths after changes.
• Penetration testing. Replace manual enumeration with deterministic path mapping.
• Incident response. Reconstruct how an attacker may have escalated privileges on a compromised host.
• Education and CTF. Visualise permission chains that are hard to reason about manually.

Contributing

Issues and pull requests are welcome. See CONTRIBUTING for development setup. For security vulnerabilities, see SECURITY.md.

License

MIT. See LICENSE.