Run0, a systemd based alternative to sudo, announced

remember when you had to write bash scripts to start, stop, restart services

This was a really big pain, yes, but I also remember how I could `tail -f *.logs`. I remember how I didn't need to remember about `--no-pager` and `--follow`. I knew where the files were, what they were called. I remember how I didn't have to google how to find logs between 10 days ago and 4 days ago, because the logs would be in a .tar created by logrotate with a date in the filename.

The init system was probably peak of systemd, after that they started reinveting things in a more complicated way. Do we really need journald, systemd-boot, machinectl, systemd-networkd, sd-bus, systemd-resolved, systemd-nspawn? Do people actually use it all? Are there any metrics to show how many systems have it installed and in use?

I'd agree with your message if systemd was just an init system.

No, it hasn't.

You forget, the reason systemd was originally rationalized for its insertion into our trees was "boot times are too slow". Its chameleon-like nature and ability to solve the hastily described problem du jour seems to be its only consistently touted feature.

Bash scripts that start processes are ephemeral. If it's signal handling you want, that was your program's problem. Either that or your program didn't fork itself, which is a fish of an entirely different feather.

And now we have this sprawling mess of complexity and headache.

you can actually declare startup dependencies and other useful relationships

In theory, yes. In practice, I had a lot of trouble ordering things correctly in non-trivial cases.

it's quite annoying that the armchair linux experts complain about how "lol systemd is so stupid for reinventing the wheel, give me my shell scripts back"

I can only speak for myself, but I don't want the abysmal sysvinit scripts back. I just want a simple process supervision suite which is true to the UNIX way of doing things. The sysvinit/systemd dichotomy is false.

Runit and s6 are both very real alternatives to systemd. They lack a ton of features, but they are a way to reliably run services. They do use shell scripts, but not for the reasons sysvinit did. They are extremely simple and have a very small attack surface as a result. Runit itself is a spiritual descendant of daemontools which predate systemd by great many years.

The problem with systemd is that it's a mediocre solution to many problems. UNIX deserved better.

[Edit: whitespace]

Yeah, basically I've found that the people the more vocal against systemd are either not really knowing how it works behind the scenes, and just criticizing for the sake of it (or because other people do so), or criticizing from an ideological point of view (do one thing and do it well). They see systemd as an octopus, not following the unix ideology. Which I don't really agree tbh

I love systemd.

100%

Systemd unit files make Linux feel like a rational OS.

systemd has been a net positive for the linux ecosystem.

You're presuming to speak for an awful lot of people there, on a topic that would be difficult to measure.

since the beginning of systemd people have moaned

it's quite annoying that the armchair linux experts complain

Now you're overgeneralizing, and doing so in a dismissive and patronizing way.

Here are a few examples of problems I have with systemd:

System shutdown/reboot is now unreliable. Sometimes it will be just as quick as it was before systemd arrived, but other times, systemd will decide that something isn't to its liking, and block shutdown for somewhere between 30 seconds and 10 minutes, waiting for something that will never happen. The thing in question might be different from one session to the next, and from one systemd version to the next; I can spend hours or days tracking down the process/mount/service in question and finding a workaround, only to have systemd hang on something else the next day. It offers no manual skip option, so unless I happen to be working on a host with systemd's timeouts reconfigured to reduce this problem, I'm stuck with either forcing a power-off or having my time wasted.

Something about systemd's meddling with cgroups broke the lxc control commands a few years back. To work around the problem, I have to replace every such command I use with something like `systemd-run --quiet --user --scope --property=Delegate=yes <command>`. That's a PITA that I'm unlikely to ever remember (or want to type) so I effectively cannot manage containers interactively without helper scripts any more. It's also a new systemd dependency, so those helper scripts now also need checks for cgroup version and systemd presence, and a different code path depending on the result. Making matters worse, that systemd-run command occasionally fails even when I do everything "right". What was once simple and easy is now complex and unreliable.

At some point, Lennart unilaterally decided that all machines accessed over a network must have a domain name. Subsequently, every machine running a distro that had migrated to systemd-resolved was suddenly unable to resolve its hostname-only peers on the LAN, despite the DNS server handling them just fine. Finding the problem, figuring out the cause, and reconfiguring around it wasn't the end of the world, but it did waste more of my time. Repeating that experience once or twice more when systemd behavior changed again and again eventually drove me to a policy of ripping out systemd-resolved entirely on any new installation. (Which, of course, takes more time.) I think this behavior may have been rolled back by now, but sadly, I'll never get my time back.

There are more examples, but I'm tired of re-living them and don't really want to write a book. I hope these few are enough to convey my point:

Systemd has been a net negative in my experience. It has made my life markedly worse, without bringing anything I needed. Based on conversations, comments, and bug reports I've seen over the years, I get the impression that many others have had a similar experience, but don't bother speaking up about it any more, because they're tired of being dismissed, ignored, or shouted down, just as I am.

I would welcome a reliable, minimal, non-invasive, dependency-based init. Systemd is not it.

Ah yes I remember back when you just put the system hostname in /etc/hostname. Now we have hostnamed!

I don't resent systemd for existing, but I don't want to be forced to accept Lennart's shitty design decisions and it's clear he wants me to be since he successfully agitated for other critical components to hard depend on it. I want the option of opting out, which Lennart would deny me if he could.

At the end of the day, I just run Void (or MX Linux if I want something more Debian-flavored) and get on with my life.

Its refreshing to see that just hate systemd because "its not UNIX way" is not anymore. I see better discussions under this post and in other places around the web.

systemd has been a net positive for the linux ecosystem

I guess that depends on whether or not you consider the great number of CVEs caused by it don't matter enough.

systemd has been a net positive for the linux ecosystem. remember when you had to write bash scripts to start, stop, restart services and handle any other signals you want to send it?

Systemd was meant to replace Ubuntu's upstart, not sysv init. And it indeed systemd was better designed than upstart.

Sysv init is a horrendous hack. People should NOT use that. Upstart had limitations but is okay, and certainly much better than sysv init. Systemd is okay too (but has much more features).

Also as an historical note, both upstart and system was inspired by Apple's launchd.

NixOS was an early adopter of upstart but it later migrated to systemd (alongside Ubuntu itself)

Systemd isn't just one thing lol

But what makes me really upset is this completely unexplainable need to make everything part of one particular init system. There is absolutely no reason to tie your new sudo replacement to systemd. Absolutely none.

You should look at it differently, and then it'll make perfect sense.

systemd has long stopped being just an init system. It's a system tooling suite. When thinking about systemd don't think "PID 1", think "Linux New System Software Suite". It's a big umbrella project in the style of Gnome and KDE.

For example, systemd-boot is a perfectly normal bootloader that's just been systemd-themed. It has a "ctl" tool, has the same command-line aesthetics as other systemd-group tooling, and so on. It's not in any way dependent or even interested in the init system.

Is that really how they develop software?

Because I'm pretty sure that most of the components are optional.

You did not even discuss the reasoning given for not using sudo to instead hop on your soapbox to say it's bad software with bad practices and that they are stupid.

It's annoying how in the the more surface level Linux communities there's 0 value in discussing systemd.

"1 million lines of code for PID0!"

The new thing is blaming systemd for that recent exploit even though distros were patching in the bug themselves.

People analysing the exploit determined that a new version of systemd was going to prevent the exploit vector so the exploit seemed to have been rushed out.

Isn't this just textbook FUD?

What I've noticed is over the years is systemd would have identified a gap in functionality.

Like systemd-homed having a solution for automatically encrypting home directory when the machine is suspended.

Is that a functionality that OSX has had for years? Yes.

But anti-systemd people will dislike it automatically.

Instead of just hating based on assumptions it would be useful to actually familiarize with the thing you are critizising

But what makes me really upset is this completely unexplainable need to make everything part of one particular init system

systemd is not init system, its and umbrella project for various core system components, which includes an init system.

There is absolutely no reason to tie your new sudo replacement to systemd

well, in this case there is good reason to have it interact with service manager in general

But with one key difference: it’s not in fact SUID. Instead it just asks the service manager to invoke a command or shell under the target user’s UID [...] Or in other words: the target command is invoked in an isolated exec context, freshly forked off PID 1, without inheriting any context from the client

strictly speaking it's not 100% coupled to systemd specifically, it most likely uses systemds d-bus API, which is part of their "portable and stable" APIs and as such could be implemented by other service managers https://systemd.io/PORTABILITY_AND_STABILITY/

This is a completely insane way to develop software, instead of creating a new piece of software in a separate project they will force all their projects simultaneously onto all their users for absolutely no reason

The couplings between systemd projects are not that tight, you can pick and choose which parts you want, they explicitly are not "forcing all their projects" to consumers. The minimal systemd build has only init, journald, and udev, which is not exactly sprawling huge. All the rest of the projects are fully optional, and I believe quite many of them can actually work without systemd-init

they will force all their projects simultaneously onto all their users for absolutely no reason.

That's just not true. Just because a system uses systemd the init system doesn't mean the it is forced to use the other components.

But what makes me really upset is this completely unexplainable need to make everything part of one particular init system.

It is not unexplainable at all. In fact, the article explains it very well.

sudo allows you to execute code as another user. If you think about it, you could also replace sudo with ssh to localhost - just set a root password and allow root logins. Now, security-wise, this would obviously be a bad idea. Our current solution is to give the sudo binary itself administrative privileges, which is a slightly less bad idea, but still pretty bad.

Systemd already handles logins, so it is quite obvious that it could also handle this problem very well, and in fact, it already does: there is a tool systemd-run which you can already use. It will create a completely new process and will handle communication to it, just like ssh, but without the above downsides.

But what makes me really upset is this completely unexplainable need to make everything part of one particular init system. There is absolutely no reason to tie your new sudo replacement to systemd. Absolutely none.

The systemd developers are tying it to systemd because they are systemd developers. If somebody else made something like this, it wouldn't be tied to systemd. But somebody else hasn't made something like this.

Sudo isn't going to just go away (unfortunately). You can keep using your CVE-ridden setuid binary as much as you want.

There is absolutely no reason to tie your new sudo replacement to systemd

It is said right there: the reason is to avoid the awkward SUID issues, and to have a privileged process create the process.

I've spent a lot of time studying systemd alternatives. I believe the overall best design is Skarnet's s6, and that too includes a sudo-like program:

https://skarnet.org/software/s6/s6-sudo.html

I was very surprised when I learned about it, but it does make sense (for s6 at least).

There is absolutely no reason to tie your new sudo replacement to systemd. Absolutely none.

With s6, the idea is to replace a SUID binary with an IPC mechanism. That does make sense, since (parts of) the init system need to be running as root.

I am very glad to have jumped ship from systemd.

All that aside, so am I.

This is a completely insane way to develop software, instead of creating a new piece of software in a separate project

I appreciate and respect the KISS sentiment of doing one thing and doing it well, but oftentimes I also think open source programs' lack of integration with each other at a fundamental level is also one of its biggest downsides.

Being a Windows wizard unlike most folks around these parts, seeing and using the tight integrations between all the Windows subsystems is frankly marvelous and I wish Linux could have something like that.

It's not unexplainable. Any init by design is supposed to spawn new processes with the given environment, permissions, capabilities. When you run "your-init-cli start foo", you're starting a new service process. run0 is just one step away from that, because it connects the terminal to that process.

It's less "a new thing has been created with systemd" and more "a user interface was exposed for an existing functionality".

The article explains how this sudo replacement ties to systemd:

But with one key difference: it’s not in fact SUID. Instead it just asks the service manager to invoke a command or shell under the target user’s UID.

I understand your frustration, but systemd isn't the first attempt to build an integrated system. It just happens to run on Linux. It isn't insane to develop software this way, from that perspective.

Why is this stupid? It’s just an option for how to configure a system that uses systemd to allow commands to be run in a privileged execution context without a suid binary. What’s wrong with having options?

Why don’t you propose a better solution? How would your non-systemd solution actually work?

I find this quite clever. Yeah yeah, "systemd is bad, it's a monopoly, yadda yadda".

Well, there's also a reason they are doing it, and many aspects of it (seatd, timesyncd, resolved, run), and more neat than cobbling together bash scripts. I like it

> across unix multiuser environments getting used anymore for servers

I guess it depends on the servers. I'm in academic/research computing and single-user systems are the anomaly. Part of it is having access to beefier systems for smaller slices of time, but most of it is being able to share data and collaboration between users.

If you're only used to cloud VMs that are setup for a single user or service, I guess your views would be different.

NixOS may be helping multiuser make a comeback, at least it is for me and my home servers. I no longer have to containerize my apps, i can have one baremetal server with a dozen+ services, all with their own users and permissions, and i don't have to actually think about any of the separation.

Plus there’s network shares. Multiple people in my home with linux PCs, each with their own slice of the NFS pie based on user perms. Sure, it’s not secure, but these are people I live with, not state-sponsored hackers.

All that said, I’d also love a simpler single-user perm setup. For VMs, containers, etc it would be amazing

I've never understood the need for sudo(1) on single-user, physical machines: I keep a root shell (su(1)) around for admin tasks, and it's always been sufficient.

I always still split up "sysadmin" from "deploy".

Ephemeral setups (amongst which k8s) remove that need but introduce a big load of other stuff.

Having a VPS that is managed by sysadmins (users with sudo rights, authed with keys) and on which partly overlapping "deploy" users can write to small parts and maybe do a passwordless "sudo sysctl restart fooapp" but only that, is a nice and simple setup.

I manage at least seven of these. And nothing in me even considers porting this to my k8s infra.

Edit: The reason for this setup is simple and twofold: deploy is safe and clear: deployers can be confident that whatever crap they pull, the server will churn on, data will be safe, recovery is possible. And all devs/ops having their own keys and accts gives a trail, logs and makes it very easy to remove that contractor after she did her work.

You only have one admin? How do you know who logged in, ssh certificates?

Technically not with virtual machines as the hardware is shared, though I agree, nowadays accounts and access control of the system belong to the virtualization layer below. The benefits of multiple accounts per machine are tiny and not worth the complexity for server setups.

We could significantly simplify things by getting rid of the account system. The same could be said for a lot of systems like database servers. Typically it's just one database, one user (your application server) with full access. The account system is mostly an annoyance.

For big company use cases where you want to reduce attack surface, why not spawn a second server with different credentials? Anyway big companies typically have many database servers in a cluster and the same credentials are shared by many server processes... The tendency there is literally in the opposite direction.

We use Userify which manages multiple user logins (via SSH) and sudo usage.. there are definitely many, many use cases for teams logging into remote servers, and most security frameworks (PCI-DSS, HIPAA, NIST, ISO 27000) require separate credentials for separate humans. Sudo has some issues, but it works very well and is well understood by many different tools.

You'll just end up implementing multiuser support anyway due to different permissions to different devices services

You run everything as root or how am I supposed to understand that?

Sudo exists to execute commands with a different user. It's an abbreviation of "switch user (then) do" for a reason.

Most daemons run under a specific user. Things like docker that use a root Daemon are a security nightmare.

Visit the research computing environment sometime, for instance. The libzma SSH compromise was considered very worrying, after all.

Yeah but elevated permissions may be needed from time to time anyway. Either on the client, the baremetal server or the container. Running everything as root is even for containers not recommended. Considering how popular these have become, it's a bit of an irony that systemd isn't available on the container without considerable detours.

I haven’t seen it doesn’t mean it doesn’t exist.

in some other systems the concept has become overloaded. instead of multiple real people as users, different software with different permissions are different users. its not a bad abstraction.

access management is usually delegated to other systems that supervise UNIX, like AWS

The humans are now spawns of multithread shells and other things. Linux land is still very multiuser oriented. But it is the rise of the mschines instead.

Many, many daemons run under their own users. Just because a single human is using the system, it doesn’t mean the system has a single user.

Also, people noted HPC, and other still very relevant scenarios.

I tried it a bit ago (when it was still called uid0, pre-release), I also wasn't a fan of the tinting.

I like the intent behind it, but some terminals already tint the header color when running sudo, I haven't tested if its done specifically for sudo or if its in a more generic way that could handle this as well.

This is a perfect example of a choice that a developer makes to suit his/her personal preference and environment, believing that everyone does (or should) use their computer the same way. Which is sadly becoming a more common trend.

I like the idea, but I don't think it should be on by default. The rest of us have just used root-specific shell prompts for the last few decades or so.

This is a thing in certain environments. I don’t mind it.

Yeah, that's the part that stuck out for me. "sudo is bad because it does all these things it shouldn't do instead of just the one thing it's for and nothing else. My tool is good because it does just the one thing it's for — plus this other random thing because I think it's cool."

Is it? Does systemd's sudo replacement also have a lot of complex code running as root in a suid binary?

Because that's what he's complaining about

I think what is perhaps something to consider is how much of an attack surface sudo is and how unaware people are of the fact. Many people think they can configure sudo to be safe to use for unprivileged users, by only allowing specific things to run with it. But they don't realize all the ways it can be abused for privilege escalation. Getting rid of all that configuration removes that false sense of security, which is a good thing, it has been a huge footgun in Linux for decades. Some incompatibility is price well worth paying for that imho

And I'm kind of worried that when this breaks stuff, the systemd project is going to push forward with some plan to get rid of sudo, and not gracefully accept the feedback that this is breaking things.

Given Lennart already declared SUID concept as “bad”, I think this is the game plan all along.

Systemd: Do all the things, but not very well, and don’t listen to anyone.

run0 has already been exploited: https://twitter.com/hackerfantastic/status/17854955875146385...

There will be plenty more where that came from. Yet another terrible idea and terrible implementation from Poettering.

I don't know what your sudo does, but mine requires the --preserve-env flag if you want the new process to have access to all your environment variables.

The thing you're saying is going to be an endless source of problems should already be an endless source of problems! (And I think I've been briefly confused by some missing environment variable once or twice so far.)

And I'm kind of worried that when this breaks stuff, the systemd project is going to push forward with some plan to get rid of sudo, and not gracefully accept the feedback that this is breaking things.

See for example perhaps, "systemd can't handle the process previlege that belongs to user name starts with number, such as 0day":

* https://github.com/systemd/systemd/issues/6237

Never mind that POSIX allows it:

* https://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd...

* https://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd...

I'm particularly worried about this because of the whole saga of KillUsersProcesses breaking nohup and screen, which to my knowledge is still broken many years later.

For anyone curious, see "Systemd v230 kills background processes after user logs out, breaks screen, tmux" from 2016:

* https://news.ycombinator.com/item?id=11782364

Yeah we had to explicitly set that to No and enable linger to let pulseaudio keep running for users so they can continue to stream sound from their remote browsers in BrowserBox/CloudTabs. Ie at: https://puter.com/app/cloudtabs-browserbox

Your comment was really well expressed btw. Made your thoughts and emotions very clear about this. Inspiring communication skill! :)

One binary to rule them all, one binary to find them, one binary to bring them all and in the darkness bind them; in the Land of Lennart where the shadows lie. Bwaahahaha.

Agreed. I've taken to treating my linux installs like I used to treat Windows: no internet access expect application specific.

For example, I run a Visionfive 2 OpenBSD install with squid, everything else has to go through that.

I want the change.

I love it when new and better ways are found to do things.

I love it that Linux is constantly improving and moving forward.

I’m willing to accept along the way some things seem to be mis steps (I’m looking at you snap packaging).

I love it that improved network configuration systems are being adopted because network configuration is a pain.

I love systemd and when new stuf comes out from the systemd project I think “gee I’m glad finally someone is taking a wholistic look at and fixing that messy inconsistent evolved corner of Linux and replacing it with well thought out powerful and integrated solution.”

Bring on the change, change is the best thing about computing and software. I own vintage computers but wouldn’t want to live there.

This is the main reason why I'm still on Slackware. Pat is keeping the same thing for the last 20-30 years. Sure, he had to introduce some stuff, like NetworkManager or PulseAudio, to keep up with the latest software versions, but every major change is postponed as much as possible. Hell, even systemd is not there yet, and I'm pleased about that.

What complaining. There weren't paved paths before. Whatever one person learned was different from how anyone else did it. Few of the tools had anywhere near the essential capabilities, serving o ly some tiny niche of the use cases in some tool specific limited way.

Look at all the different netsevs supported by systemd-networkd. https://www.freedesktop.org/software/systemd/man/latest/syst... This is a huge list of tools that required a huge assortment of tools to do before, few of which had even part way decent management & fewer still had good init scripts. You used to have to learn from 0 each time, with each tool. Nothing was alike, nothing was as capable, nothing was integrative.

Don't listen to these complainers, for God sake. Your life is too short to get pissed off about well built work together featureful tools being built in a mono-repo fashion.

I'm so tired of the sabotage, so tired of broadscale general refusenik attitudes. This post is absurd. There was nothing to learn before, everything was 100% special snowflake & distinct. None of it was great, all of it was limited. Systemd mono-repo is built of many small pieces, but they couple together and are 100x more learnable. What you learn today will work across whatever system you run across. It's such a a better world, and these "pry it from my cold dead fingers" attitude can keep to that path for all I care, but I wish they weren't poisoning kinds with absurd incorrect negativity & being such magnets for disdain. The world today is fantastic & you rarely see these folks with even an iota of appreciation for how good we have it, never a drop of balance. But hate sells, & unites, powerfully.

It's very fair to eschew change for negligible improvements.

But I've also seen the community defend terrible stuff just because.

Look at what happened with the init system. System V, fstab, etc was awful. Doing anything with a reasonable level of robustness was grotesquely obtuse and complicated. And yet it was "perfectly fine" to the greybeards. Alternative proposals were near zero.

I don't have a dog in the networkmanager/netplan fight. It could be that one is irrelevant; given history, I have a hard time trusting what I hear.

sudo has quirks for sure (which is why you see a number of alternatives).

I don't want to learn a new network config alternative with every update (Ubuntu changed its net config tool again with 24.04).

That's really just Ubuntu's fault. Between upstart, Unity, netplan, and snapd, Ubuntu likes to go off and do its own thing for a few years before coming back to what everyone else picked in the first place

I moved to FreeBSD and am happy for its reluctance to change.

Same here on server. Desktop is still linux.

I don't want an immutable os. (...)

But I do. So I use one, and contribute to a project that tries to create one. Am I a part of some sub-community that wants constant change? Or do I just have an unusual use-case and want to support it?

The beauty of OS is that anyone can decide which tool to use, contribute to it, and even fork it.

I so want to ditch Linux for bsd, but hardware support, both for my current laptop and future pain in searching for compatible hardware is the only thing putting me off. And my server needs cuda for my AI shenanigans, so probably no bsd there either ...

That's funny. It's like there are two camps, conservatives, and progressives. ;)

Jokes aside, I just think that life is constant change and the programming industry is a good example of that. Coding practices have improved a lot in the last few years and will continue to improve with new knowledge and new technology. Sometimes it's better to start anew from scratch than trying to adapt old code into new practices.

Btw this is not a young whippersnapper saying this. My first IT job was on FreeBSD and OpenBSD. I was a full-time FreeBSD user from 04 to ~10.

And I remember exacty this gripe back in 2011 when Debian was using one network config, RHEL another. Today I actually enjoy the progress made with systemd, and I'm that annoying co-worker who will give you crap for disabling SElinux.

To help myself to understand others better, I made some efforts to look and keep looking outside my bubble.

That's not simple though- humans tend to think THEY know better for all others while it's often not.

Say you don't want to have immutable distros, but many want. Android or Talos or even OS for network switches are nice examples.

Linux based solutions and products related community is wide and to keep up with evolution one needs to adapt and adopt changes.

We already see what happens for immutable/stale systems like FreeBSD - even TrueNAS is abandoning it, dying as predicted by experts since 2008-2010.

On other side - nothing stops you from keep using sudo or even choose disto vendor which doesn't use systemd, there is a choice, not thing set in stone.

Say I don't plan to switch to run0 in any near future - first it's not gonna be in any LTS disto, 2nd - it seems to be lacking LDAP based rules and very much likely other important features.

also worth mentioning: Lennart Poettering

"Poettering is known for having controversial technical and architectural positions regarding the Linux ecosystem"

https://en.wikipedia.org/wiki/Lennart_Poettering

For three decades. I suspect he hasn't seen much money for the work, but hopefully I'm wrong.

So many critical components in our system are maintained by just a random good guy on the internet.

I can't help but think of another XZ crisis that is yet to come.

https://xkcd.com/2347/

Did you expect more?

Don't worry I offered him help. I recently helped xz library too

Regarding your first point: some people agree, most notably the OpenBSD people who did something about it and wrote “doas” as a replacement; which fits the most common use-cases of sudo without fanfare.

Isn't that link showing the opposite? That sudo is really large and systemd isn't? They even compare systemd with wpa_supplicant and it turns out they are the same size.

The article you linked seems to be in support that systemd is in fact simpler than sudo.

Sudo, which only does privilege escalations, is only 1/3 the amount of code of the entirety of systemd.

Systemd-run has been around for many years now, this is simply an expansion of capabilities of features already exposed.

I initially had the same reaction although having read the whole thread, the author convinced me that SUID is in fact a fatally flawed architecture and that run0's client-server architecture is correct.

That is a bit rich coming from the author of systemd, which must be in the running for one of the largest bodies of code that must run as root.

Not really a far comparison given that it’s an init system

sudo: what, the problem is its attack surface is too big? Nothing like systemd's.

Right now systemd, PID 1 won't finish on a Debian 12 (upgraded) which I am slowly debugging. Neither journalctl nor syslog record messages that flash on the screen. Systemd goes into a dark-flash-dark loop. The developer should focus on getting systemd to work right before pointing at others' supposed deficiencies. Software need to handle error conditions and keep on plugging, especially if it replaces init.

Ian Jackson (former Debian project leader) has been on this train for about 25 years now: https://www.gnu.org/software/userv/

For anyone else unfamiliar with BNF:

https://en.m.wikipedia.org/wiki/Backus%E2%80%93Naur_form

I had to write an ssh client for an embedded system long ago.

Looking at the design, I found it to be sort of messy.

You could restrict commands ssh could invoke, but it didn't seem super secure.

Also scp/sftp was not well designed. You basically had to give ssh access to your system to allow a file to be copied, and there were no real path restrictions.

I personally thought ssh could be much more robust in what you could run and what you couldn't. And scp/sftp could have better filesystem semantics so you could have more security in what you could access.

And I thought having a write-only scp would be really interesting, sort of like a dropbox for people to send you files securely, but not have to give someone ssh credentials to do it. And an anoymous scp/sftp for distribution or a dropbox could have been really interesting too.

Technically `sudo -u` can switch to any user on the system while only a limited few would be allowed as ssh targets. Even root might not be allowed as an ssh target if `PermitRootLogin` is set to `no`, which I do on all my systems.

It's the usual way to make changes to a privileged file in Emacs; ssh to localhost with root.

In my previous job, we set up a privileged account on a server with shell set to `git-shell`, leave some shell scripts in $HOME, so that we can do:

ssh user@privileged-commands ./do-something

Indeed, there was a blog by a redhat engineer doing that: https://tim.siosm.fr/blog/2023/12/19/ssh-over-unix-socket

Sudo is a program that:

1. Parses the sudoers file to check if the current user can run the command provided.

2. If so, authenticates the user using PAM.

3. If both those pass, sets the user id to root and runs the program.

There is nothing special about it. All steps can be done by any program. In fact sudo is usually not even an installed by default package in many systems.

The only seeming magic bit is part 3, where the program sets it's user id to root. Obviously if any program could do this... That'd be unsafe.

However, unix systems allow any executable file to have their flags changed to include the setuid bit which causes the file to execute with privileges of the files owner. You'll notice that the sudo binary has this bit set and it's owned by root, which explains now the entire process.

Pretty sure `sudo` is an application that you can remove, it just comes pre-installed in many distros.

> I was under the impression that ‘sudo’ was baked into the entire system.

There's a capability baked into the entire system named 'setuid' which allows certain binaries run by a user to access things as if they were root.

For example, when a user changes their password using 'passwd' that executable gets special write access to the file containing hashes of all users' passwords. The system's security relies on passwd being coded carefully enough that it won't let one user change another user's password, no matter what input they give it.

sudo is "just" a setuid binary, which checks if the user is allowed to run things as root and if so uses its power to run them. It can be replaced.

There are a bunch of design implications resulting from the way setuid works - for example, the operating system has a special setting so if you plug in a USB drive containing a setuid binary, the setuid bit on it gets ignored. So you can't make a special version of sudo at home which doesn't check permissions, then take it to the school computer lab and have it work there.

sudo, and even cd and ps you mention are simply binaries that come shipped with your distro / OS.

They, like explorer.exe on Windows, are an essential part of that OS with special privileges and roles but they are not part of the kernel, they are still simply programs. It is not developed by the people who develop the Linux kernel.

There are other Sudo alternatives such as DoAs already.

sudo is just another program, it's not "baked in" as such. It just ships with many (not all) distros. I remember having to install it from repos in the past on a new system: https://github.com/sudo-project/sudo

I was under the impression that ‘sudo’ was baked into the entire system. Like ‘cd’ or ‘ps’.

Neither of these are “baked into the entire system” for any meaningful sense of the word. `cd` is just a shell builtin and is casually reimplemented in every single shell. It’s just environment state within your session. `ps` is just a binary that (on Linux) parses stuff in /proc.

None of it is magic. Neither is sudo. It’s just a binary like any other (though in sudo’s case, it’s setups, which is how it can cross the permissions boundary).

Any linux process can run with elevated privileges (ie: as root) by setting a specific permission bit - https://en.wikipedia.org/wiki/Setuid. This is used for many things like ping and sudo.

Instead Run0 is using systemd to elevate privileges.

There is a lot that could be said, but suffice to say you can have both sudo and Run0 installed. So even if a Distro ships Run0 by default, you can always manually install sudo.

Sudo isn't baked into the system. It's an application.

https://www.sudo.ws/

Did you read the thread linked?

So, you don't like a component because you ran software which requires that component, and you intentionally ran it in an environment without that component.

That does not make sense to me?

I tried filling up a Tesla at a gas station.

And now I don't like electric cars anymore.

You must absolutely despise libc

Well, they're the only ones actually funding development of the ecosystem, aren't they?

The rest just do a lot of opinoning and complaining and not that much of developing.

Ironically enough, Lennart now apparently works for Microsoft.

(though to be clear, I like systemd and I think Lennart is a very good engineer).

We don't have to use their stuff. systemd actually does a good job of managing services' up and down state - it's the rest of the bundled functionality that people take issue with - and if service up and down is all you want, there's runit.

Wayland seems to be a solution without a problem, and it's only winning by default. I've toyed with the idea of forking Xorg - the code is a bit odd by today's standards, but I didn't find any direct problem with it, and it works fine - the biggest problem I discovered in Xorg is a lack of project management as nobody knows what it should and shouldn't do

My gentoo system has some gentoo-specific fork of udev without systemd in it.

We don't have to use run0 and can just use sudo.

I guess but in this case it's doing something that sudo doesn't do — get privs from a daemon instead of setuid, and using something that systemd already did (systemd-run).

Is it that weird that they would make a runas frontend when all the pieces of it were lying around?

filesystemd, replacing ext4/btrfs/etc.

It will come with `filectl` for all your file operations, so you will no longer need `cd`, `pwd`, `touch`, `rm`, `mkdir`, `cat`, `grep`, `find`, etc. Instead you do everything through `filectl` commands.

This will deprecate many commands from GNU coreutils, which is a good thing because replacing things is always good.

Then, since programs are just files, and filesystem will be part of systemd, any program you want to use will obviously have to go through systemd as well, meaning they will need to be a service unit of type `oneshot`, because this way we keep everything well integrated together.

Don't worry tho, you only write the unit files once and they work forever. The only thing you need to remember is that, instead of `cargo build` you'll need to use `filectl exec -u cargo build` (`filectl exec -u` is only 3 words, so you don't have the right to ever complain about this tiny little change).

Anyone who doesn't like these changes is stuck in the past.

Guix will reimplement POSIX utils and extras with tools written in Gule.

Hopefully glibc and coreutils!

Let’s call it GNU/systemd/linux

I mean, it already has replaced the shell in a lot of ways. Systemd is basically the one reason why it's feasible to banish POSIX shells to where they belong, albeit still not usually practical.

That backdoor was never pushed out of the testing branches for distros.

Can you even hear what you are saying? Don't you find it ridiculous to blame the XZ backdoor on systemd, instead of the actual hacker?

Even if systemd did not exist, the hacker would have just picked something else to infiltrate.

Also remember that systemd-using distros like, say, Arch were also safe from the nearly-solar-winds-level backdooring because the backdoor targeted specific distros widely used as servers. Obviously the solution to security from backdoors is only using distros that aren't popular for servers

Good news! run0 will use polkit[1], which uses JavaScript for its rules[2], so there's no limit to how complex your rules can get!

On the other hand, maybe adding a JavaScript interpreter to Linux's trusted computing base isn't good news...

[1] https://mastodon.social/@pid_eins/112353420303876549

[2] https://www.freedesktop.org/software/polkit/docs/latest/polk...

Thats why i moved every sudoers rule to ldap. Much nicer to configure and no need for files with the same content on multiple servers. New users are added and removed fast and i can check the rule on any server.

What's the goal?

If the host is to get most scenarios off sudo, exceptions aren't a problem.

If the goal is to delete sudo, exceptions matter, and migrating what is migratable will clarify what the remaining requirements are.

doas uses SUID

Nope, but an instance of sshd only running on localhost could do the trick...

Presumably because it uses different options and other different stuff, it has a different name. However, it might be useful to have a command "sudo" which emulates the options of sudo so that you can still use the same "sudo" command on systemd-based systems as well as on non-systemd-based systems. I don't really know how well that would work, though.

alias sudo="run0"

If run0 supports the same flags and parameters they'll be interchangeable with just an alias.

calling it sudo would create the expectations that all the options, config, and usage is exactly the same.

It would appear that it's _functionally_ the same, but using a different mechanism and with a new name so they don't want to be locked down to all the other stuff.

Because there already is jq-go and jq-python. One of them is called jq in linux the other is called jq in MacOS. They are not compatible and you find out you're using the other one after 6 hours of screaming at the computer.

It would be really funny if systemd tried to replace pulseaudio.

That's not a great summary of lzma. It was systems adding custom patch to ssh which used a systemd-related library which it didn't really need in the first place. It's a stack of issues that don't have much to do with systemd itself really.

But re. expanding the attack surface - unlikely. Systemd's primary purpose is to start processes with the right environment / permissions. systemd-run/run0 basically give you the tool to invoke that functionality with a terminal attached to it. That's smaller scope of extra code than sudo/doas deal with.

I'm surprised he hasn't started writing his own kernel by now.

I think this is bang on. Let's give it more surface area :/

Until systemd consumes the kernel and then it will be GNU/systemd

Is removing setuid actually a win? I know it presents a security risk, but it feels like we're not actually removing that attack surface, just moving it around.

I can see creating a system with zero setuid files, but I don't think this reduces PAM use, does it?

AFAIK privileges are an area that has an easy problem statement ("execute this command with that capability") and is fiendishly difficult to execute in practice. `sudo` alone has weird bits to set in the filesystem, magic users and all sorts of unhelpful implications - and it doesn't even lead to any particular security for single-user systems. Same-user code is a scary enough place to be running untrusted code.

Those sort of problems sound like the sort that get a lot of attempts which run into the complexity wall and halt. I think Amazon has one of the best implementations of a privilege system I've used and it is horrible.

Because pkexec has the same problems as sudo: it's a SUID binary. As Lennart says, the goal is to eventually get rid of SUID binaries altogether, as they are an inherent security risk. Replacing sudo with pkexec would not change much. In fact, pkexec has had its fair share of local root exploits over the past few years.

Not all distros ship pkexec with polkit. Polkit runs fine without pkexec present. This is kind of a non-suid alternative to pkexec. It's really more similar to a local-only ssh though.

"Systemd wants to expand to include a replacement of the Linux kernel" headline coming soon

Mark my words, you won't be able to see the kernel anywhere in there soon!

How hard would it be to create a program to send a signal to polkit "impersonating" run0 and obtains a root shell? :)

That's how sudo already works on most (all?) distros. Eg Debian 12 has:

    Defaults env_reset

    Defaults always_set_home
    Defaults env_reset
    Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"

Anything you need to give to `make install` should be given explicitly, like `sudo make INSTALL_ROOT=$INSTALL_ROOT install` or whatever.

That was the plan (by Redhat) all along, to have better control of the platform.

I would assume the authentication happens in polkit, so a fake client would only be able to run a command if it had the necessary credentials.

Without looking at the he specific implementation

There should be a service running as uid=0 that exposes an unprivileged API.

This service then takes the RPC and does authorization with polkit.

I.e. the unprivileged part doesn't talk to polkit directly. But a privileged part uses polkit instead of a custom sudoers style config.

It’s fitting he’s now at Microsoft. That’s the MS way.

Sadly there's no "interaction" in blog posts

I am continually baffled at people's use of X-Twitter/Mastodon for this kind of writing. Thankfully I've found mastoreader, which is an equivalent of threadreaderapp.

https://mastoreader.io/?url=https%3A%2F%2Fmastodon.social%2F...

Plan9port has factotum.

Plan9 has a completely different security model.

The Hostowner (usually Glenda) is essentially "root" and you're at the mercy of the filesystem regarding file privileges etc.

AFAIK there is no way to "become" glenda.

I know of doas[1], but that appears to be an OpenBSD thing. Maybe Debian folks ported it?

[1] https://wiki.archlinux.org/title/Doas

Now if then the commands run via some kind of privilege elevation mechanism would require pledges to be used, that would be awesome: https://news.ycombinator.com/item?id=38037075

"This needs root", okay. But you only get exactly what you need.

Capabilities aren't guaranteed to be present, and in a lot of high-security situations aren't available (though obviously you could say that about sudo too)

There's like 3 components involved in making setuid safe (the kernel, the dynamic loader, and your exec), and at least one of them wasn't doing its job correctly (the dynamic loader). IPC by definition involves a superset of these components.

There's no reason to think that if you can't make a simple setuid binary safe, you can make IPC safe. IPC is an order of magnitude more involved. Specially because in order to gain any effective security you need a 3 way IPC (1st level = the client, which is completely untrusted; 2nd level = the request parser, which is trusted but runs without elevated permissions; 3rd level = the actual elevator process, which must run with elevated permissions).

the right person to replace sudo, not: https://github.com/systemd/systemd/issues/6237

PS: https://pwnies.com/systemd-bugs/

edit, this one went on for more than a year: https://github.com/systemd/systemd/issues/6632

From the post:

well, admittedly, we do propagate $TERM, but that's an explicit exception, i.e. allowlist rather than denylist

If this is the only bug, then this is easily solvable: create the pty in the daemon.

Plan9 propaganda in the wild

https://github.com/secnigma/CVE-2021-3560-Polkit-Privilege-E...

what a bizarre point of view.

everything other than "being an init system" is a compile time option in systemd, so your complaint is that ... other people are building OSes and turning these things on?

which OS are you working on that provides all these convenient features and large-scale integration of software with them, with code that isn't in systemd?

44 years and ~20 local privilege escalation vulnerabilities later...

doas exists but isn't universally available but already solves this problem. sudo has too many features and permits excessive configuration, but it also has the convenience of ubiquity. Inventing a third thing tied to systemd is absurd and unnecessary.