systemd 256 arrives with run0, the ‘sudo clone’ that aims to improve security

-

systemd 256 arrives with run0, the ‘sudo clone’ that aims to improve security


systemd 256 is now a reality, featuring an interesting innovation that could represent a significant change in Linux in the not-too-distant future, although this will ultimately depend on the decisions made by various distributions. Without further delay, let’s go over the main new features.

First, we have the introduction of run0, a kind of clone of sudo that aims to enhance security by reducing the attack surface. According to Lennart Poettering, the creator of systemd, this is achieved by ensuring “the target command is invoked in an isolated execution context, freshly forked from PID 1, without inheriting any context from the client,” making its behavior more akin to SSH.

And since we’ve mentioned SSH, there’s the systemd-ssh-generator, which has been added to detect if the SSHD binary (the SSH daemon) is present and then link it through socket activation per connection to various sockets depending on the execution context. It can also optionally generate a socket activation service file that wraps SSHD.

Another interesting feature of systemd 256 is the new kernel command line option, systemd.crash_action=, which has caused systemd.crash_reboot to be marked as obsolete. This new option supports actions such as freezing, rebooting, and shutting down. On the other hand, cgroup v1 is now considered obsolete, and therefore, systemd will refuse to start under it in its default configuration.

Regarding systemd-networkd, it now provides basic support for the Varlink interface and can retrieve WireGuard secrets from systemd’s own credentials. Similarly, encrypted service credentials can now be made available to unprivileged users through new options introduced in systemd-creds, while systemd-homed 
can unlock user directories when logging in via SSH.

A new command-line tool introduced is importctl, which allows downloading, importing, and exporting disk images via systemd-importd. Essentially, it expands the capabilities provided by machinectl.

As our readers may know (and quite possibly many others due to the impact it had), systemd was indirectly affected by the backdoor discovered in XZ, which nearly compromised the entire Linux ecosystem or at least a significant part of it. As a response, several dependency libraries have been converted from normal dependency libraries to dlopen() dependencies to reinforce security.

Finally, several systemd programs will now attempt to load their main configuration files from locations such as /usr/lib, /usr/local/lib, and /run instead of only /etc.

These are the most important updates in systemd 256, the new version of the framework that governs most of the major Linux distributions. Those who want to learn all the details can check out the official announcement, which contains a lot of material since this project is very actively developed.

systemd is a component whose update is generally not critical for the vast majority of users, but those who wish to have the latest version have the option to compile it themselves or wait for it to be provided through the repositories of a rolling release and bleeding-edge distribution like Arch Linux or openSUSE Tumbleweed.

Comments

Post a Comment

Popular posts from this blog

Kubernetes 1.30 Available, New Version of the Container Orchestrator

-
Image
Kubernetes 1.30, named “Uwurnetes,” has been released as the new stable version of the well-known container orchestrator, which originated at Google and is now under the umbrella of The Linux Foundation. The developers have described this release as "the most beautiful" in the history of the software and have announced it includes a total of 45 new features, with 17 in stable phase, 18 in beta, and 10 in alpha. However, here we will only mention the most important ones. The first notable update in Kubernetes 1.30 is the stable release of the Robust VolumeManager rebuild after restarting the kubelet. This involves a refactoring of the volume manager that allows the kubelet to complete additional information on how existing volumes are mounted during the kubelet's startup. Generally, this makes volume cleanup more robust after restarting the kubelet or the machine. Also arriving in stable phase is the prevention of unauthorized volume mode conversion during volume restora
Read more

Fedora Asahi Remix 40, the new version of Linux for Apple Silicon

-
Image
  Fedora Asahi Remix 40 has been announced as the latest version of the Fedora-based system designed to run on Mac computers with Apple Silicon processors. This version primarily represents an evolution of what was already present, which is quite significant given the project's potential to enhance the Linux desktop experience, particularly in areas like sound. According to Fedora Magazine, Fedora Asahi Remix is developed through close collaboration between the Asahi Linux team and the Fedora Asahi Special Interest Group (SIG). It's worth noting that Asahi Linux is not a traditional distribution but rather a technology platform that enables running Linux on Apple Silicon processors. However, this doesn't stop its Fedora remix from being a reference system. As expected, Fedora Asahi Remix 40 is based on Fedora 40 and uses KDE Plasma 6 as its desktop environment. Therefore, the Wayland session should be the default, especially given the strong support this system has for th
Read more