
466 points CoolCold | 8 comments
airocker ◴[] No.40215819[source]
I have seldom come across unix multiuser environments getting used anymore for servers. It's generally just one user on one physical machine nowadays. I understand run0's promise is still useful but I would really like to see the whole unix permission system simplified for just one user who has sudo access.
replies(17): >>40215898 #>>40216049 #>>40216052 #>>40216221 #>>40216591 #>>40216746 #>>40216794 #>>40216847 #>>40217413 #>>40217462 #>>40218411 #>>40219644 #>>40219888 #>>40220264 #>>40221109 #>>40223012 #>>40225619 #
1. NewJazz ◴[] No.40217413[source]
You only have one admin? How do you know who logged in, ssh certificates?
replies(2): >>40217574 #>>40217582 #
2. airocker ◴[] No.40217574[source]
Only one human per machine. If you need to share the machine, make multiple containers and give everyone a separate container.
replies(1): >>40218004 #
3. medellin ◴[] No.40217582[source]
Signed ssh certs make your life easy here.
replies(1): >>40232652 #
4. NewJazz ◴[] No.40218004[source]
You don't run any services where more than one person shares responsibility for managing that service? E.g. Kubernetes. That is just one guy holding it up?
replies(1): >>40218279 #
5. airocker ◴[] No.40218279{3}[source]
In an on-prem cluster, yes, one guy or a few sysadmins who either share passwords or can somehow put their keys in the authorized keys file and ssh.

In the cloud, AWS/GCP either let or do not let an IAM user reach a server.

replies(1): >>40232645 #
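The attribution question raised in comments 1 and 3 (how you know which human logged in when everyone reaches the box as the same account) and the shared passwords / shared authorized_keys setup described in comment 5 can be checked against sshd's own log lines. The script below is an added example, not code from anyone in this thread: it parses constructed "Accepted ..." lines in the format OpenSSH writes, attributes certificate logins to the certificate key ID, and flags logins that only carry a raw key fingerprint or a password as unattributable to a person.

```python
import re

# Constructed sample sshd log lines (not taken from the thread). OpenSSH writes
# "Accepted <method> for <user> from <ip> port <n> ssh2: <KEYTYPE> <fp>" and,
# for certificate logins, appends " ID <key_id> (serial N) CA <type> <fp>".
SAMPLE_LOG = """\
May  1 09:12:01 web1 sshd[2211]: Accepted publickey for root from 10.0.0.5 port 51234 ssh2: ED25519 SHA256:AAAAkeyfp1
May  1 09:15:44 web1 sshd[2290]: Accepted publickey for root from 10.0.0.9 port 40022 ssh2: ED25519-CERT SHA256:BBBBcertfp ID alice (serial 7) CA ED25519 SHA256:CCCCcafp
May  1 09:20:10 web1 sshd[2310]: Accepted publickey for root from 10.0.0.5 port 51300 ssh2: ED25519 SHA256:AAAAkeyfp1
May  1 09:31:02 web1 sshd[2401]: Accepted password for root from 10.0.0.7 port 33001 ssh2
"""

ACCEPTED = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>\S+)"
    r"(?: ID (?P<key_id>.+?) \(serial (?P<serial>\d+)\) CA \S+ (?P<ca_fp>\S+))?)?"
)


def attribute_logins(log_text):
    """Return one record per accepted login with the best identity available.

    A certificate login is attributed to the certificate key ID (a named person
    if the CA issues one certificate per admin). A plain public key or a
    password on a shared account gives only a fingerprint or nothing at all,
    so those records are marked attributed=False.
    """
    records = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if not m:
            continue
        d = m.groupdict()
        if d["key_id"]:
            identity, attributed = d["key_id"], True
        elif d["fp"]:
            identity, attributed = "key " + d["fp"], False
        else:
            identity, attributed = d["method"] + " (no key)", False
        records.append({"user": d["user"], "src": d["src"], "identity": identity,
                        "attributed": attributed, "serial": d["serial"]})
    return records


def unattributed(records):
    """Logins that cannot be tied to a person from the log line alone."""
    return [r for r in records if not r["attributed"]]


if __name__ == "__main__":
    for r in attribute_logins(SAMPLE_LOG):
        print(r["user"], r["src"], r["identity"], "OK" if r["attributed"] else "SHARED")
```

Running it over a real auth log shows how many root logins can only be traced to a fingerprint that several people may hold; the certificate key ID and serial are the fields to forward to a SIEM.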
6. superq ◴[] No.40232645{4}[source]
That's convenient but doesn't scale and really not too great for security for a bunch of reasons, but it can work great for smaller teams and minimize friction.
7. superq ◴[] No.40232652[source]
Maintaining your own PKI isn't exactly easy unless it's your full time job.
replies(1): >>40241997 #
8. medellin ◴[] No.40241997{3}[source]
It's fairly easy to get set up and, once done correctly, pretty low maintenance. But I have done it a few times at this point.