Systemd Looks to Replace sudo with run0
Systemd Looks to Replace sudo with run0
Systemd Looks to Replace sudo with run0
i'm fine with this nor do i have a problem with systemd in genereal
I never understood the hate, tbh. A lot of users don't even care if Sysd is used, as long as it works. So... Since the majority of distros use it... I think it works enough.
It seems to me to be mainly from people who are dedicated to the Unix philosophy that programs should do only one thing, and do it well. Tying everything up into systemd doesn't follow that. I don't care either, and I don't mind systemd, but some people care about it enough to throw paragraphs of hate on it wherever it's mentioned online. And apparently it's "bloat", and to some " bloat" is worse than the devil himself.
I think some of the hate is from the main systemd dev, Poettering, being so abrasive on social media. He's got a hateboner for certain distros (which don't ship with systemd as the default).
I understand the concern about the future and we have seen overbloated projects have issues. In the long run though I will use what works best for me and only get into philosophical comparisons if im making the choice between relatively equal options.
The article talks about sudo
and doas
being SUID binaries and having a larger attack surface than run0
would. Could someone ELI5 what this means?
Basically, the SUID bit makes a program get the permissions of the owner when executed. If you set /bin/bash
as SUID, suddenly every bash shell would be a root shell, kind of. Processes on Linux have a real user ID, an effective user ID, and also a saved user ID that can be used to temporarily drop privileges and gain them back again later.
So tools like sudo
and doas
use this mechanism to temporarily become root, then run checks to make sure you're allowed to use sudo, then run your command. But that process is still in your user's session and process group, and you're still its real user ID. If anything goes wrong between sudo being root and checking permissions, that can lead to a root shell when you weren't supposed to, and you have a root exploit. Sudo is entirely responsible for cleaning the environment before launching the child process so that it's safe.
Run0/systemd-run acts more like an API client. The client, running as your user, asks systemd to create a process and give you its inputs and outputs, which then creates it on your behalf on a clean process tree completely separate from your user session's process tree and group. The client never ever gets permissions, never has to check for the permissions, it's systemd that does over D-Bus through PolKit which are both isolated and unprivileged services. So there's no dangerous code running anywhere to exploit to gain privileges. And it makes run0 very non-special and boring in the process, it really does practically nothing. Want to make your own in Python? You can, safely and quite easily. Any app can easily integrate sudo functionnality fairly safely, and it'll even trigger the DE's elevated permission prompt, which is a separate process so you can grant sudo access to an app without it being able to know about your password.
Run0 takes care of interpreting what you want to do, D-Bus passes the message around, PolKit adds its stamp of approval to it, systemd takes care of spawning of the process and only the spawning of the process. Every bit does its job in isolation from the others so it's hard to exploit.
Can someone ELI3?
Dude, you need a prize for this comment. Very well explained!
Sounds good in theory.
But I've had so many issues with D-Bus fucking shit up on my systems that I'd be very reluctant to hinge my only way of recovering from failures upon something so brittle.
Granted, D-Bus hasn't given me any trouble since moving to NixOS. The hell of trying to recover my arch systems from a perpetually failing D-Bus would make me very apprehensive to adopt this. I could see myself using run0 by default, but keeping sudo-rs or doas around with a much stricter configuration as a failsafe until the run0 + D-Bus + PolKit is absolutely stable and bulletproof.
Thank you, i didnt really understand what this was about ubtil now
Thanks a lot for this detailed, understandable and kind answer :)
Why not just fix sudo then?
Never had an issue. Might look for a replacement should an issue arise. Been driving Linux since sarge.
SUID stands for Set User ID. An SUID binary is a file that is always run with the UID of the owner user (almost always root). Note that this does not require that the user running them has root permissions, the UID is always changed. For instance, the ping
command needs to set up network sockets, which requires root permissions, but is also often used by non-root users to check their network connections. Instead of having to sudo ping
, any normal user is able to just run ping
, as it uses SUID to run as the root user. sudo
and doas
also require functions that necessitate them running as root, and so if you can find out how to exploit these commands to run some arbitrary code without having to authenticate (since authentication happens after the binary has started running), there is a potential for vulnerabilities. Specifically, there is the privilege escalation, which is one of the most severe types of vulnerabilities.
run0
starts using systemd-run
, which does not use SUID. Instead, it runs with the permissions of the current user, and then authenticates to the root user after the binary has already started to run. systemd-run
contacts polkit for authentication, and if it succeeds, it creates a root PTY (pseudo-terminal/virtual terminal), and sends information between your session and the root PTY. So this means that in order to achieve privilege escalation with run0
as root, you have to actually authenticate first, removing the "before authentication" attack surface of sudo
and doas
.
TL;DR SUID binaries will always run as the owner (usually root), even before any form of authentication. run0
will start with the permissions of the current user, and then authenticate before running anything with root permissions.
Suid is a bit set on executables that results in them being run as the user that owns the file without needing a password, for example, passwd as root.
Run0 ignores this bit
What a nice succinct explanation!
But also completely useless. Run0 ignores the suid bit for the same reason as 99% of command line apps do: it ignores because it isn't relevant to its functionality.
Coming up: systemd-antivirusd
Hear me out, breathes in, "Linux defender"
Linux Defender for Torvalds365
Systemd is too egotistic to even mention Linux. They will simply name it systemd-defenderd
.
Don't believe me? See this!
SystemD looks to replace Linux kernel with kern0
I’d just like to interject for a moment. What you’re referring to as Linux, is in fact, SystemD/Linux, or as I’ve recently taken to calling it, SystemD plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning SystemD system made useful by the SystemD corelibs, shell utilities and vital system components comprising a full OS as defined by POSIX.
Many computer users run a modified version of the SystemD system every day, without realizing it. Through a peculiar turn of events, the version of SystemD which is widely used today is often called Linux, and many of its users are not aware that it is basically the SystemD system, developed by the SystemD Project.
There really is a Linux, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine’s resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the SystemD operating system: the whole system is basically SystemD with Linux added, or SystemD/Linux. All the so-called Linux distributions are really distributions of SystemD/Linux!
Brilliant!
So we'll have to say GNU/Linux/SystemD soon?
Slackware users won't! At least not so far.
Lol probably
Sounds reasonable. But I don't like the 0
in the name.
Did they think about how far I would have to move my hand to type it? Sudo is only in two easy to reach places on the keyboard, run0 is 4 separate areas of the keyboard, one two rows from home and none on the home row.
I'm only partially joking.
This is fine, but why does everything need to be part of Systemd? Like, seriously, why can't this just be an independent project? Why must everything be tied into this one knot of interdependent programs, and what's going to happen to all of them when the people who are passionate about it and actually understand all the stupid ways they interrelate move on with their lives? Are we looking at the formation of the next Xorg? Will everybody being scrambling to undo all of this in another 20 years when we all realize it's become an unmaintainable mess?
Systemd does a lot of things that could probably be separate projects, but run0 is an example of something that benefits from being a part of systemd. It ties directly into the existing service manager to spawn new processes.
Systemd does a lot of things that could probably be separate projects,
I dont get the hate for this - Linux is full of projects that do the same thing: coreutils, busybox, kde, gnome, different office suites, even the kernel itself. It is very common for different related projects to be maintained together under the same project/branding with various different levels of integration between them. But people really seem to only hate on systemd for this...
Yeah, if all those complainers want something more modular, they're free to push for protocols that allow to leverage existing components while also allowing for them to come from multiple vendors.
It seems a fairly explicit goal of systemd to redefine Linux as a unified platform rather than as a kernel that can run any one of many implementations of many different services. I assume this is not just the systemd lead but also a goal of Red Hat.
Personally, while I am ok with systemd defining itself as a single source for all this functionality, I hate that they are taking away ( or making it hard at least ) to have independent implementations of these services.
What Chinera is doing with dinit and turnstile is really interesting. It would be nice to have feature comparable approaches to the systemd monolith that distributions could choose from.
What Chinera is doing with dinit and turnstile is really interesting. It would be nice to have feature comparable approaches to the systemd monolith that distributions could choose from.
Link for other readers about Chimera Linux, dinit, turnstile : https://chimera-linux.org/development
It does make sense for me to have this functionality in systemd the way they want to go about doing this.
Okay, but why go about it that way? That can't be the only way of making a viable alternative to sudo. Why does everything need to be part of one project? If you want to reuse code why not spin it out into a library so each component can be installed with just the libraries it needs and not the depending on the whole gigantic thing? KDE works that way. It's obviously possible for some things, at least.
One of my favorite things about Linux is simply fiddling around and finding the things I like and don't and just using the ones I do. I can't do that effectively with systemd though. Sure, it's theoretically modular, and there are even a couple parts left that can work independently, but mostly it's just one big block of half an operating system that all gets lumped together into one gigantic mess, and I can't effectively just use the bits I like. It's kind of all or nothing, and then maybe being allowed to double up on some of the things I'd like to use an alternative to... for now. It just kinda sucks the joy out of using my computer, but trying to avoid it completely is a massive pain in the butt.
There's no big dramatic thing wrong with systemd. Using systemd and being happy with it is a good thing. I do not object to the existence of systemd. Systemd is fine. It just makes me like Linux less is all. I am enjoying my time with my computer less than I used to, and the universal dominance of systemd is probably the biggest reason for that.
I personally don't have a problem with run0 over sudo, however, I don't want to have to remember to use a different command on the terminal. Just rename it "sudo", and do the new stuff with it. Just don't bother me having to remember new commands.
You can uninstall the sudo application and add sudo
as an alias for run0
in your shell initialization script. That's better than them renaming run0 to sudo, because that will prevent people from running the real sudo if they want it.
You can create aliases
Me: Oh, I get it, this "Lemmy" website -- it's like The Onion but for nerds?
My fellow lemmings: No, they're serious. run0 is real.
Me: Hah. The Onion, but for nerds! I love it.
Sounds good. It's a win win. People that doesn't like the system d implementation can use doas or keep sudo. I Hate the name though. Run0 is dumb can't they just steal the name doas
I'll just use an alias; sudo has been around for to long for me to change it and not be stressed about it.
Reminds me of when I aliased 'man' to 'rtfm'
Well, since doas has a Linux implementation, stealing that name would cause lots of issues to users who already use it or want to use doas instead of run0. This will be a default part of systemd; not a new package. The reason it's called run0 is because it's just a symbolic link to systemd-run, and instead of executing as an SUID binary, like sudo or doas, it runs using the current user's UID.
Will this be an integral part of systemd, or will they release it as a separate thing? I mean, if I like it, but I'm not using systemd (I do use it, but I'm just thinking about it), could I use this run0 (horrible name) without having to buy into all of systemd?
it's just a link to systemd-run which is a part of systemd, i doubt it works separately.
but, if you use s6 as an alternative init system, s6-sudo is a somewhat equivalent aproach to how run0 works (instead of systemd-run it calls s6-ipcclient)
The article says it works by messaging systemd to run the process as the given user, rather than being a SUID binary. So it wouldn't work without systemd.
Most systems ship with systemd
They were very specifically talking about ones that don't.
Lol. Right after Microsoft added sudo to windows.
That wasn't the "sudo", MS just named something else "sudo".
That's rich, coming from a company that sued a child whose website domain name was mikerowesoft.com. (His name was Mike Rowe, and the site was about the software he made).
Anyway i prefer doas btw
sudo provides sudoedit
or sudo -e
which allows me to use vim with my user configuration btw
Just symlink your user config to root, nothing at all wrong with that.
This just sounds like a bad idea, a solution in search of a problem. Sure, sudo is a setuid binary, but it's a fairly simple program, and at some point, you have to trust the code. It's also a very fundamental piece of the system that you want to always work, even (especially!) when other things get borked. The brief description of run0 already has too many potential points of failure.
sudo is a setuid binary, but it's a fairly simple program
Sudo is actually fairly huge and complex. Alternatives like really
or doas
or su
are absolutely tiny by comparison.
The OP can make the same argument after replacing sudo with doas or su.
Sure, sudo is a setuid binary, but it’s a fairly simple program, and at some point, you have to trust the code.
Have to trust the code ? doas for OpenBSD was created because of issues with sudo.
Talking with deraadt and millert, however, I wasn’t quite alone. There were some concerns that sudo was too big, running too much code in a privileged process. And there was also pressure to enable even more options, because the feature set shipped in base wasn’t big enough.
I've actually ran into some of those problems. If you run sudo su --login someuser
, it's still part of your user's process group and session. With run0 that would actually give you a shell equivalent to as if you logged in locally, and manage user units, all the PAM modules.
systemd-run can do a lot of stuff, basically anything you can possibly do in a systemd unit, which is basically every property you can set on a process. Processor affinity, memory limits, cgroups, capabilities, NUMA node binding, namespaces, everything.
I'm not sure I would adopt run0 as my goto since if D-Bus is hosed you're really locked out and stuck. But it's got its uses, and it's just a symlink, it's basically free so its existence is kBs of bloat at most. There's always good ol su
when you're really stuck.
Have you seen the average sudoers file? It is not simple in the slightest
I have 0 knowledge of these things, but I do know that people always comment that sudo is bloated, that nobody is truly using everything that sudo can do, only one basic command.
Nobody is using all of sudo's features because those features are for different use cases. Case in point, LDAP support. At home, pretty much nobody uses it. But on the job, where there are tens to hundreds of machines that someone might need, and they're all hooked into LDAP for centralized authentication management, it makes sense to have that built into sudo. Same with Kerberos support - at home, forget it, but in a campus environment where Kerberos (and possibly AFS) are part of the network, it makes sense.
sudo
is not a fairly simple program. Last I checked, it had ~177k lines of code. It provides functionality far beyond what is needed of an average user. doas
is a simpler alternative (also using SUID) at ~3k lines of code. It comes from OpenBSD. There is absolutely a problem when it comes to SUID binaries. If you can find a way to exploit the permissions given at the start of the SUID binary before user authentication occurs (since the UID is set before the binary runs), you have yourself a full privilege escalation vulnerability. systemd
is very well integrated with the distros that use it, being the first process to run after the kernel is initialized. There will never be a point at which systemd is not functioning, but the rest of your system is perfectly fine. It is an absolutely necessary part of the system (assuming your distro uses it), and if it goes down, you have to restart your system. As such, I don't see any validity to the statement "you want to always work, even (especially!) when other things get borked". What exactly do you see as being an issue with run0
? What specific part of its implementation do you seem to have a problem with? It's just a symlink to systemd-run
, which is already very well tested and has been around for a long time. It's also far simpler than sudo
, and removes the attack surface of running an SUID binary of its size. What "points of failure" do you see here, exactly?
sudo is a setuid binary, but it’s a fairly simple program
Some people would disagree to this.
The brief description of run0 already has too many potential points of failure.
If the "listener" is PID1, which will run the privileged command, in theory, it would be quite bullet proof (in a working system PID1 is always there). But since this is systemd, PID1 is much more than that and much more complex. On the other hand spawning another daemon from PID1 to be the "listener" makes it, perhaps, even more complicated. You'd have to make sure the listener is always running and have some process supervisor there to watch if it exits... and maybe even a watchdog polling it to make sure it isn't frozen.
So my conclusion is the same as yours:
a solution in search of a problem
We already have a working solution. Have a well written SUID program. I've been using doas for some years now. It's simple enough that I trust it.
I've always wondered why we even bother with SUID commands. Why not just log in as root?
it took less than a day for someone to break run0 totally open, so basically, you have a choice between a well tested/debugged sudo and this new thing which may eventually mature
As far as I know, the exploit you are referring to, wasn't actually a vulnerability. https://youtu.be/awkoa_WxFIg?feature=shared&t=659 Although feel free to correct me on that one
Not-invented-here
Read the article.
It does something different and doesn't ask to replace sudo everywhere. You brainless trashtalkers can't even read an article before you judge.
Never had an issue.
Might look for a replacement should an issue arise.
Been driving Linux since sarge.
I'm not systemd user, and I generally see this absorbing as much as possible as a terrible practice. I don't usually comment on systemd stuff, since I'm happy just not being forced to use it.
However, even though I don't use it, the decision of people managing systemd really affects non systemd users. See by succeeding in getting all major distros into become systemd distros (somehow now governed by RH, if anyone cares), everything systemd absorbs tend to leave alternatives sooner or later deprecated, or abandoned.
Even autofs is no longer part of some official repos, given systemd has its own auto mount/unmount functionality... And there are several other examples...
At any rate, hopefully the more bloated systemd, doesn't make it the more vulnerable. And also hopefully, doesn't make life worse and worse to non systemd distros and users...
BTW, before sudo
there was su
, so a life without sudo
is possible, :)
Fuck off Poettering. Stop trying to absorb the whole system.
EDIT: apparently systemd absorbing the whole system with it's nonstandard, monolithic nightmare is a good thing, judging from downvotes. Carry on.
The vast majority of Linux users consider systemd as a good thing because it apparently makes system administration easier. They also don't agree that systemd is monolithic, because it's actually designed modular.
But of course there are detractors. The only thing I like about systemd is its declarative service definition and parallel service startup. But if I wanted to run an OS with bloated and inscrutable software (even with the source code), my choice wouldn't be Linux or Systemd.
I also routinely switch parts of my OS. This is harder with systemd. Although it is modular, the modules are so tightly coupled that it will prevent the replacement of modular components with alternatives. Frankly, I think systemd is killing the innovation in system component development.
Yeah... Not sure how everyone lets them get away with calling it "modular" when it's next to impossible to swap out the modules
because it’s actually designed modular
Oh? Try to use systemd without logind or journald. logind isn't so bad, but journald was bad enough, that I gave up with systemd.
He's trying to turn Linux into Windows NT. And Microsoft hired him as a reward for doing so.
Between this and the pip install break all system packages
This has to be about the dumbest change I could possibly gather in the last 20 years of computing. I can’t even imagine breaking this many things all at once. I’m still dealing with the side effects of people’s installers from docker-compose and the pip problems - ansible will just never be the same again. Now this.
Well I guess eMacs has a real challenger these days but systems does everything poorly
At this point I looks to replace systemd with vim. Anything better than systemd mess
Lennart's cancer spreads.
wtf