←back to thread

Run0, a systemd based alternative to sudo, announced

(mastodon.social)
466 points CoolCold | 7 comments | 29 Apr 24 23:59 UTC | HN request time: 0.039s | source | bottom
1. immibis ◴[30 Apr 24 15:25 UTC] No.40212064[source]
This will be great. We can finally deprecate sudo on systemd systems. Then we should be able to deprecate PAM, setuid bit, etc.
replies(3): >>40212610 #>>40212652 #>>40212876 #
2. yjftsjthsd-h ◴[30 Apr 24 16:08 UTC] No.40212610[source]
I can see creating a system with zero setuid files, but I don't think this reduces PAM use, does it?
replies(1): >>40212629 #
3. eichin ◴[30 Apr 24 16:10 UTC] No.40212629[source]
Not setuid generically, but `sudo` itself has a bunch of pam support/dependency.
replies(1): >>40212853 #
4. cedws ◴[30 Apr 24 16:12 UTC] No.40212652[source]
I wonder, are there any distros already with a nosuid root?
5. yjftsjthsd-h ◴[30 Apr 24 16:30 UTC] No.40212853{3}[source]
I would expect sudo to also touch pam a lot, but AIUI systemd also uses pam through polkit for its ~native permission system - https://serverfault.com/questions/841306/authentication-is-r...
6. Retr0id ◴[30 Apr 24 16:31 UTC] No.40212876[source]
Is removing setuid actually a win? I know it presents a security risk, but it feels like we're not actually removing that attack surface, just moving it around.
replies(1): >>40216619 #
7. NekkoDroid ◴[30 Apr 24 21:32 UTC] No.40216619[source]
Well... that "attack surface" isn't new, its mostly just repackaging systemd-run, which is just used to tell PID1 to launch a new process. So in total the attack surface would be reduced by removing sudo.