Find Linux privilege escalation paths by modeling permissions as a graph.
Project description
privmap
Find Linux privilege escalation paths by modeling permissions as a graph.
privmap reads the live configuration of a Linux system: users, groups, sudo rules, file permissions, cron jobs, systemd units, capabilities, and running processes. It assembles them into a directed property graph, then traces concrete escalation paths from each non-privileged user to root and other high-value sinks.
[CRITICAL] 2 escalation paths found for user: www-data
Path 1: www-data -> root (4 hops)
www-data
MEMBER_OF group: adm
CAN_WRITE file: /etc/logrotate.d/nginx (mode: 0664)
EXECUTES cron: /etc/cron.daily (runs-as: root)
-> root
Risk: Writable logrotate config executed by root daily cron
Remediation: chmod 644 /etc/logrotate.d/nginx; chown root:root /etc/logrotate.d/nginx
Where flat-list scanners like LinPEAS report "this file is world-writable" and "this cron job runs as root" as separate observations, privmap connects them into the single chain that actually represents the escalation.
Documentation
See full documentation at https://privmap.readthedocs.io/.
Install
pip install privmap
Requires Python 3.8 or later. From source: git clone … && pip install -e ..
Run
sudo privmap # full scan, every user
sudo privmap --user www-data --user bob # specific users
sudo privmap --min-severity high # filter by severity
sudo privmap --output json > report.json # SIEM ingestion
sudo privmap --exit-code --min-severity critical # CI/CD gate
For offline / forensic analysis, run the collector on the target and analyze the snapshot on your workstation:
sudo ./collect.sh # on target
privmap --snapshot ./privmap_snapshot_target_20260507.tar.gz # on analyst host
The collector is POSIX-compliant and has no runtime dependencies on the target host.
Scope
privmap is a structural analysis tool for local Linux privilege relationships. It does not perform network enumeration, run exploits, cover Windows or macOS, or match binary versions against a CVE database.
Use cases
- System hardening. Validate least-privilege configurations and catch unintended escalation paths after changes.
- Penetration testing. Replace manual enumeration with deterministic path mapping.
- Incident response. Reconstruct how an attacker may have escalated privileges on a compromised host.
- Education and CTF. Visualise permission chains that are hard to reason about manually.
Contributing
Issues and pull requests are welcome. See CONTRIBUTING for development setup. For security vulnerabilities, see SECURITY.md.
License
MIT. See LICENSE.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file privmap-2.0.0.tar.gz.
File metadata
- Download URL: privmap-2.0.0.tar.gz
- Upload date:
- Size: 77.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
19c834112efe66d0c4c7241f00be931a38fb806eb543c6afbad5c3e8ee343dad
|
|
| MD5 |
45d622bf73e69503d367f1830abfe2fd
|
|
| BLAKE2b-256 |
dcbfec0ed0ff50835aede2cb403f7f827cf4e964d9432fa97ce74928ca5934e1
|
File details
Details for the file privmap-2.0.0-py3-none-any.whl.
File metadata
- Download URL: privmap-2.0.0-py3-none-any.whl
- Upload date:
- Size: 77.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2e2e365efe17c90101f5bcfc56ad8a068008bbd9bcebd82d129f0e924ebc0624
|
|
| MD5 |
3457f20956d2bce3da731c315d1328b5
|
|
| BLAKE2b-256 |
6f315224761e3d22ab745fd2b94a141029bef346dea2e2018cf60985a6905ce1
|
