This is cool. I like this better than GRR and osquery.
The code seems cleaner, more portable than osquery, and as powerful as GRR, all this without making terrible security compromises such as "this tool is the key to all my company's machines with admin/root rights and lets you run anything you like, like a pssh command".
Actually, this lib needs root access on the computer. It is intended to be used as a module in MIG (Mozilla InvestiGator), which is an agent that lives on servers and can receive commands. So it is mostly the same, I think, except that the commands shouldn't return detailed information to the main server, but just yes/no answers, for example: "Is any of my servers running a vulnerable OpenSSL version?"
You are correct: MIG is designed to prevent a rogue investigator from executing random commands on systems. We do so by filtering what agents can run through modules, and by requiring OpenPGP signatures on all actions run.
Even if the MIG platform is compromised, agents and systems are safe, as long as the keys of authorized investigators (kept on their laptops) are not compromised.
When MIG was started, in the summer of 2013, Rust was still too unstable to be a good candidate. Go, however, already had the toolkit to build cross-platform agents, so I went with this.
18 months in, I still think it was the right choice. Go is extremely powerful and yet simple enough for contributors to pick it up in a matter of days. I don't think we could have delivered as much value going with Rust; it's still too young and lacks the necessary libraries (AMQP, OpenPGP, etc.).
Mozilla is a large and diverse company; not everyone must write in Rust.
Also, it could deal with too many unsafe libs, so it being safe wouldn't be as beneficial. That's the reasoning why, IIRC, homu was chosen in Python instead of Rust.
Nice job.