Systemd alternative to sudo should make Linux more secure

run0 lets regular users run programs with root rights, similar to sudo but uses different, more secure mechanisms to elevate privileges



This article was originally published in German and has been automatically translated.

Systemd developer Lennart Poettering has added the run0 tool to the new version 256 of Systemd for Linux. With run0, regular users can execute a command with root privileges. Poettering recommends it as a more secure replacement for sudo.

Poettering cites security as the most important reason for his modern sudo alternative. sudo is a SUID binary, i.e. a program that, when started from a user context, runs with root rights. It then asks for the user's password and checks the rules in the /etc/sudoers file to decide whether the user is allowed to run the requested program with root rights. According to Poettering, the syntax of these rules is complicated and error-prone.

By default, sudo and the process it starts inherit a large part of the context of the user process (open files, environment variables, security contexts, cgroup assignments, etc.). sudo itself is responsible for cleaning up this inherited environment so that it is secure, which, according to Poettering, is another insecure arrangement. OpenBSD therefore uses its own, less vulnerable doas instead of sudo.

However, Poettering believes that starting privileged processes from the context of a regular user is generally a bad idea for security reasons. The whole SUID concept is no longer up to date and belongs "on the pile of bad Unix ideas". Indeed, there are many CVEs for vulnerabilities in sudo or for incorrectly set SUID bits.

His proposal, run0, therefore manages without the SUID bit. Instead, run0 uses Polkit (formerly PolicyKit), an established Linux service for controlling the permissions of software, to obtain root privileges. The new privileged process is also started by the init process (PID 1), so it does not inherit any user context. According to Poettering, run0 is in fact more comparable to accessing the local machine via ssh than to sudo or su.
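The distinction the article draws (sudo is a SUID-root binary that runs from the caller's context; run0 is not, and gets its privileges from Polkit) is something an administrator can verify directly. The following POSIX shell script is an added example, not code from the article or from the Systemd project: `is_suid`, `is_suid_root`, `suid_inventory` and `suid_count` are helper names chosen here, and the binary paths in the usage section are assumptions about where a distribution installs sudo, run0 and doas. It needs no root and only uses the `[ -u ]` test and `find -perm -4000`, which are standard.

```shell
# Added example (not from the article): audit the SUID mechanism the
# article criticises. is_suid() reports whether a file carries the
# set-user-ID bit (as sudo does, and as run0 is designed not to), and
# suid_inventory() lists every SUID file below a directory so that stray
# or incorrectly set bits can be reviewed. POSIX sh; no root needed.

# 0 (true) if PATH is a regular file with the set-user-ID bit set.
is_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# 0 (true) if PATH is SUID and owned by root: the combination that makes
# the program run as root regardless of who starts it.
is_suid_root() {
    is_suid "$1" || return 1
    [ -n "$(find "$1" -user root -print 2>/dev/null)" ]
}

# Print every SUID regular file below DIR, one per line, sorted.
# -xdev keeps the scan on one filesystem; permission errors are ignored.
suid_inventory() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# Number of SUID regular files below DIR (tr strips BSD wc's padding).
suid_count() {
    suid_inventory "$1" | wc -l | tr -d ' '
}

# Usage: review the privilege-elevation helpers on this machine.
# Paths are assumptions; adjust for your distribution.
for bin in /usr/bin/sudo /usr/bin/run0 /usr/bin/doas; do
    if [ -e "$bin" ]; then
        if is_suid_root "$bin"; then
            echo "$bin: SUID root (runs as root from the caller's context)"
        else
            echo "$bin: not SUID (privileges must come from elsewhere, e.g. Polkit)"
        fi
    fi
done
echo "SUID files under /usr/bin: $(suid_count /usr/bin)"
```

On a typical system `/usr/bin/sudo` reports as SUID root, while `/usr/bin/run0`, being a symbolic link to systemd-run, does not; running `suid_inventory` over `/usr/bin` or `/` gives the list of programs whose SUID bits deserve the same scrutiny the article applies to sudo.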

Behind run0 is systemd-run, an existing Systemd mechanism for starting transient processes. As of Systemd version 256, the program behaves similarly to sudo when it is invoked as run0 via a symbolic link, with a few extras: run0 colours the terminal red as long as the process with root rights is running in it.

(odi)