Systemd Introduces run0, a 'Clone' of sudo to Replace sudo

 


Systemd has become the standard framework used by most major distributions, and it has also become controversial because it implements a wide variety of different components. One of the features coming in the next major release of the framework is run0, which is essentially a sudo clone for systemd.

run0 was announced by Lennart Poettering, the creator of systemd and a current Microsoft employee, in a thread he posted on the social network Mastodon. The developer acknowledges the utility of the current sudo found in most Linux distributions, but notes that it "has serious issues. It is a relatively large SUID binary, meaning it's privileged code that non-privileged users can invoke from their own context. It has a complicated configuration language, loadable plugins (ldap!), hostname matches, etc." These factors contribute to a large attack surface.

The alleged complexity of sudo has led some to develop alternatives, among which doas stands out. Originating from OpenBSD, doas simplifies the tool significantly and reduces the attack surface while remaining an SUID binary.

To avoid or at least minimize the alleged drawbacks of sudo, Lennart Poettering has announced run0 as follows: "There is a new tool in systemd called 'run0'. Actually, it's not a new tool, but the 'systemd-run' tool that has been around for a long time, which, when invoked with the name 'run0' (via a symbolic link), behaves very much like a sudo clone with one key difference: it is 'not' SUID. Instead, it simply asks the service manager to invoke a command or shell under the target user's UID. It assigns a new PTY for this and then transfers data back and forth from the original TTY and this PTY."

"In other words, the target command is invoked in an execution context that is isolated, newly forked from PID 1, without inheriting any context from the client (well, it's true that we 'propagate' $TERM, but that is an explicit exception, i.e., it's on the allowed list rather than the denied list). It could be said that 'run0' is closer to the behavior of 'ssh' than 'sudo' in many ways. Except it doesn't care about encryption or cryptographic authentication, key management, etc., but relies on the local identification mechanisms of the kernel."

"By isolating the contexts and resources of the client and the target, we completely eliminate other classes of attacks. The tool is also much more fun to use than sudo. For example, it defaults to tinting the terminal background in a reddish hue while operating with elevated privileges. This is supposed to act as a friendly reminder that you have not yet relinquished privileges and marks the output of all commands that were executed with the appropriate privileges."

"And since it simply calls systemd-run with a different name, it supports the --property= parameter that systemd-run supports, i.e., it allows setting arbitrary service configurations for the privileged command/session invoked if desired."

Considering Lennart Poettering's words, run0 does not aim to be a systemd implementation of the sudo we know in Linux, but rather a different piece of software that yields a very similar result and fulfills the same purpose. And since it is basically systemd-run operating under another name, it is a tool created by and for systemd, or at least that is the logical conclusion that can be drawn from the words of the Microsoft employee.
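The distinction drawn above (sudo and doas as SUID binaries, run0 as a non-SUID symlink to systemd-run) can be checked on a given host. The following is an added example, not code from the article or from systemd; the function names `classify_helper` and `audit_helpers` are hypothetical, and it assumes a `readlink` that supports `-f`.

```shell
#!/bin/sh
# Added example (not from the article): classify privilege-elevation helpers
# by how they obtain privilege.

# classify_helper PATH -> prints "<path> <class> <resolved-file>"
#   suid         setuid bit set on the resolved file (the sudo/doas model)
#   systemd-run  not setuid and resolves to a file named systemd-run
#                (how the article describes run0)
#   plain        neither of the above
#   missing      PATH does not exist
classify_helper() {
    ch_path=$1
    if [ ! -e "$ch_path" ]; then
        printf '%s missing -\n' "$ch_path"
        return 1
    fi
    ch_target=$(readlink -f "$ch_path")    # follow the whole symlink chain
    if [ -u "$ch_target" ]; then
        ch_class=suid
    elif [ "$(basename "$ch_target")" = systemd-run ]; then
        ch_class=systemd-run
    else
        ch_class=plain
    fi
    printf '%s %s %s\n' "$ch_path" "$ch_class" "$ch_target"
}

# audit_helpers NAME... -> classify each named command found on PATH
audit_helpers() {
    for ah_name in "$@"; do
        ah_path=$(command -v "$ah_name" 2>/dev/null) || ah_path=
        case $ah_path in
            /*) classify_helper "$ah_path" || : ;;
            *)  printf '%s missing -\n' "$ah_name" ;;
        esac
    done
}

# Report on the three tools the article mentions.
audit_helpers sudo doas run0
```

A `suid` result marks privileged code that any local user can start from their own context; a `systemd-run` result means the helper itself carries no setuid bit.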

run0 will be present in the upcoming systemd 256, but that doesn't mean distributions will start using it right away. In fact, systemd has its own bootloader, systemd-boot, which is currently used by very few distributions; even Fedora, which is de facto the reference distribution of the framework, continues to use GRUB, although that might change in the not-too-distant future.

What is clear is that the presence of run0 will reignite the debate between systemd's defenders and detractors, with the former defending the existence of a framework that provides integration, homogeneity, and consistency, and the latter arguing that it is software that is too complex and blatantly breaches the Unix philosophy.
