
Poettering announces tool in new systemd version to replace sudo

Lennart Poettering.

The creator of systemd, Microsoft employee Lennart Poettering, has announced that he would be including a new tool, known as run0, in the upcoming v256 release of systemd.

Poettering said run0 was meant as a replacement for sudo, "a tool that allows an unprivileged user to temporarily acquire privileges from within the existing login session, for just one command, or maybe for a sub-shell".

systemd was proposed as the default init system by Poettering about 11 years ago. Its adoption by many Linux distributions caused a great deal of angst, with some developers even quitting the projects to which they had contributed for a long time.

Some Debian developers who preferred the older init system, sysVinit, forked the distribution and set up Devuan where sysV is still the default.

In a Mastodon post about run0, Poettering wrote: "sudo is very, very useful as it … allows users to operate at minimum privilege: do most of their work without privileges, but temporarily acquire them where needed, all without leaving the shell workflow, integratable with shell scripts, pipelines and so on.

"sudo has serious problems, though. It's a relatively large SUID binary, i.e. privileged code that unprivileged users can invoke from their own context. It has a complicating configuration language, loadable plugins (ldap!), hostname matches and so on and so on."

Ubuntu is one well-known Linux distribution that uses sudo.

Poettering said: "This has led various people to revisit the problem and come up with alternatives: most prominently there's probably OpenBSD's sudo replacement called 'doas'. While it greatly simplifies the tool and removes much of the attack surface, it doesn't change one key thing: it's still a SUID binary.

"I personally think that the biggest problem with sudo is the fact it's a SUID binary though – the big attack surface, the plugins, network access and so on that come after it just make the key problem…… worse, but are not in themselves the main issue with sudo.

"SUID processes are weird concepts: they are invoked by unprivileged code and inherit the execution context intended for and controlled by unprivileged code. By execution context, I mean the myriad properties that a process has on Linux these days, from environment variables, process scheduling properties, cgroup assignments, security contexts, file descriptors passed, and so on and so on.

"A few of these settings the kernel is nice enough to clean up automatically when a SUID binary is invoked, but much of it has to be cleaned up by the invoked suid binary. This has to be done very very carefully, and history has shown that SUID binaries are generally pretty shit at that.

"So, in my ideal world, we'd have an OS entirely without SUID. Let's throw out the concept of SUID on the dump of UNIX' bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful, manual clean-up is just not how security engineering should be done in 2024 anymore.

"With systemd v256 we are going one step towards this. There's a new tool in systemd, called 'run0'. Or actually, it's not a new tool, it's actually the long existing tool systemd-run, but when invoked under the run0 name (via a symlink) it behaves a lot like a sudo clone.

"But with one key difference: it's *not* in fact SUID. Instead it just asks the service manager to invoke a command or shell under the target user's UID. It allocates a new PTY for that, and then shovels data back and forth from the originating TTY and this PTY."
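The attack surface Poettering describes is the set of setuid binaries that unprivileged users can invoke from their own execution context, each of which must clean up that inherited context itself. The script below is an added example for auditing that surface on a system; it is not code from the article, from Poettering, or from the systemd project. It assumes only POSIX `find` and `ls`, and the function names `list_suid` and `count_suid` are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example (not from the article or the systemd project): inventory the
# setuid and setgid executables under a directory tree. This is the class of
# privileged code that unprivileged callers can start directly, so a defender
# reviewing a host wants the list short and every entry accounted for.
# Assumption: POSIX find(1) and ls(1); no GNU-only options are used.

# list_suid DIR: print every setuid or setgid regular file under DIR, one per
# line in ls -l format (mode, owner, group, size, date, path). Stays on the
# filesystem DIR lives on (-xdev) and skips unreadable subtrees quietly.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null
}

# count_suid DIR: number of setuid or setgid regular files under DIR.
# tr strips the leading padding that some wc implementations print.
count_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
        | wc -l | tr -d ' '
}

# Typical use on a live host (assumption: run by a user who can read /usr):
#   list_suid /usr
#   count_suid /usr
# A tool that drops the setuid bit in favour of asking a privileged service
# to start the command, as run0 does, is one fewer entry in this list.
```

Comparing the output over time (for example, before and after a package upgrade) shows when a new setuid binary has appeared; each new entry is one more program whose handling of inherited environment, file descriptors and scheduling state needs to be trusted.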

Asked for his take on run0, veteran Debian developer Russell Coker told iTWire: "Changing colour of a terminal window to indicate changed privileges is a good idea.

"Polkit has been a major pain to configure, they have had some sort of change to the configuration language and I haven't yet tried configuring the new one. I don't think that the Polkit language is less bad than sudo config files.

"The claim that sudo is insecure and that going to something based on polkit is better is dubious. If we can have just run0 instead of sudo, polkit, and a mix of other things that will be an improvement.

"Addressing issues of tty character injection via a proxy is good. It's something I did for SE Linux about 20 years ago and a re-implementation of the same concept is in the current SE Linux code base.

"Generally I think this is a good thing, having one place where it's done and getting that one place right is better than having lots of SETUID programs doing different things."
