Run0, a systemd based alternative to sudo, announced

I'm not a fan of sudo. It's does so much it needs BNF to describe it's configuration format. Who knows, maybe replacing the configuration with polkit is a good idea. Still it's a stand alone binary with one clear job to do, simple enough that one person has no trouble getting their head around it so it's not surprising it hasn't had too many problems over it's long life time.

This made me smile:

> sudo has serious problems though. It's a relatively large SUID binary, i.e. privileged code that unprivileged users can invoke from their own context. It has a complicating configuration language, loadable plugins (ldap!), hostname matches and so on and so on.

That is a bit rich coming from the author of systemd, which must be in the running for one of the largest bodies of code that must run as root. It's also a very complex piece of code. That complexity is the reason I was completely flummoxed by interactions between systemd and dll's being exploited by the XZ utils hack to attack an unrelated and uncompromised binary: openssh. Run0 is just an extension of that ball of mud. It's a stretch to believe it will be more secure than sudo in the long term, which is amusing because it appears Lennarts primary argument is it will be more secure.

I'm not the only one who has noticed this: https://lwn.net/Articles/971812/

Regarding your first point: some people agree, most notably the OpenBSD people who did something about it and wrote “doas” as a replacement; which fits the most common use-cases of sudo without fanfare.

Isn't that link showing the opposite? That sudo is really large and systemd isn't? They even compare systemd with wpa_supplicant and it turns out they are the same size.

The article you linked seems to be in support that systemd is in fact simpler than sudo.

Sudo, which only does privilege escalations, is only 1/3 the amount of code of the entirety of systemd.

Systemd-run has been around for many years now, this is simply an expansion of capabilities of features already exposed.

Ian Jackson (former Debian project leader) has been on this train for about 25 years now: https://www.gnu.org/software/userv/

Not really. I'm not going the effort of breaking it down like he did, so just looking at total lines in the source calculated with "wc -l $(find . -type f)":

sudo: 284,103 systemd: 1,981,535

sudo: what, the problem is its attack surface is too big? Nothing like systemd's.

Right now systemd, PID 1 won't finish on a Debian 12 (upgraded) which I am slowly debugging. Neither journalctl nor syslog record messages that flash on the screen. Systemd goes into a dark-flash-dark loop. The developer should focus on getting systemd to work right before pointing at others' supposed deficiencies. Software need to handle error conditions and keep on plugging, especially if it replaces init.

I find your comment here sadly indicative of the level of discussion around systemd from its haters.

Your metric is utterly misleading not only because you're almost certainly counting non-code files, but more crucially, because the systemd repository contains the code for *sixty-nine* entirely separate binaries, separate tools under the overall systemd project umbrella, so counting their collective code size as if it is the code base of one single gigantic tool, a single gigantic program that compiles into a single gigantic binary, with all the interweaving that implies, is just disingenuous at best. That number does not represent the size of a single attack surface area, and pretending it does is nonsensical. It's like pulling in the source of all of gnu and doing a line count. And for the record, I've actually done this properly, cloning the systemd repository and then reading the documentation to figure out what directories and source files did what, and assembled a list of the directories and source files that represented just systemd-the-init-system, and got about 240,000 lines of code.

And remember, it won't actually be systemd the init system that will be replacing sudo, it will be systemd-run, which is a separate binary, with a separate memory space, and a separate permissions model, that merely communicates with systemd the init system to get certain things done. I guarantee you it's probably smaller than the code base of sudo, and this architecture, as LP points out if you actually read his thread on mastodon, far better represents the methodology of running things with at least privilege and privilege separation and so on, because instead of having the binary that is called from unprivileged space managing transitioning itself into privileged space and then doing things, instead the binary always stays unprivileged and just communicates via a strictly defined IPC protocol that gives it no direct abikity to do anything with a process that was already privileged instead, that can decide what to do on its own.

Let me leave you with this quote:

> If you build systemd with all configuration options enabled you will build 69 individual binaries. These binaries all serve different tasks, and are neatly separated for a number of reasons. For example, we designed systemd with security in mind, hence most daemons run at minimal privileges (using kernel capabilities, for example) and are responsible for very specific tasks only, to minimize their security surface and impact. Also, systemd parallelizes the boot more than any prior solution. This parallization happens by running more processes in parallel. Thus it is essential that systemd is nicely split up into many binaries and thus processes. In fact, many of these binaries[1] are separated out so nicely, that they are very useful outside of systemd, too.

> A package involving 69 individual binaries can hardly be called monolithic. What is different from prior solutions however, is that we ship more components in a single tarball, and maintain them upstream in a single repository with a unified release cycle.

https://0pointer.de/blog/projects/the-biggest-myths.html

And, as LP points out, fails to solve the actual problem because it's still locked into the exact same flawed Unix model, and refuses to integrate with anything else in the system to get things done in a better more systematic way. It's just a slightly refined version of the same tired old Unix way

> That is a bit rich coming from the author of systemd, which must be in the running for one of the largest bodies of code that must run as root.

Not really a far comparison given that it’s an init system

Use something else then?

Linux won on Unix merits.

Feels a bit disingenuous to use that against it, especially when including half the system libs has caused one major and highly publicized security issue already

Two things:

- Non code files were counted for both sudo and systemd. That's because I'm lazy, not because I think it influences the result one way or the other (I don't what effect it would have).

- Separate binaries are not separate logical entities. Pointing to separate binaries is a misdirection. systemd is a set of binaries cooperating using RPC (dbus) to yield something bigger than any single binary. The biggest hint they are interconnected is they are in one source ball for a reason: so these binaries can share a lot of code and interact in complex ways.

As for systemd-run being "a separate binary, with a separate memory space, and a separate permissions model", those things didn't protect openssh being hit with the XZ Utils hack via systemd. An unexpected interconnection is more than enough. systemd abounds with interconnections. Being tightly interconnected often gives you greater functionality, and in the case of Run0 I suspect that is going to be a big win because systemd has a lot of process isolation mechanisms built in. But complex interconnected systems achilles heel is security, and that's definitely true here.

> Use something else then?

What a tiresome response, but here, I'm feeling in a loquacious mood, so I'll humor it.

First, what else would I use? I don't just want a "well designed" operating system, I also NEED an open source, customizable one that is compatible with the vast majority of developer tools and build systems and toolchains — and that is, without a doubt, Linux. I don't have a better option from a practical standpoint.

And even from a design standpoint, there simply aren't any better options, because Unix killed off all of the other good alternatives, and now it's essentially the least worst option we have right now. Basically the same situation we were in when the Unix-Hater's Handbook was written.

I mean, what else have we got?

Windows? Windows NT, by way of OpenVMS so I've heard, had some very interesting ideas that I think Linux would have done well to imitate, like having a Common Language Runtime that lets you directly interact with the objects and functions of every application and code base on your system and communicate with them in structured data (something Lisp Machines and Smalltalk did first, better, but I digress), but we are beginning to get that with DBUS and things like nushell, and Windows failed its own promise there and has a vast panoply of its own flaws, not least being Microsoft. So that's not really better at all.

MacOS? There are many ideas from MacOS I'm a huge advocate of Linux stealing, but it is still fundamentally a UNIX, and in my opinion has even more flaws than Linux has, especially since Apple seems to have stopped caring about their software quality. Not to mention, uh, >Apple<.

So you're basically just pulling the old "you think our social system is deeply flawed in some ways and want to change it? Just go live somewhere else then."

Furthermore, I was never intimating that everything Unix did was completely irredeemable and the entire system we've spent all this time and energy building should be thrown out completely in favor of something entirely new. Instead I was responding to the failure, the refusal even, to develop this amazing testament to open source development and the operating system design sensibilities ties that drive it forward or in any new directions, among a certain crowd that determines the worth of something new by how well it adheres to the philosophy of the old.

I think we can build an excellent new system on the bones of the Unix systems we have now, if nothing else because it's what we've got to start with, and it did sort of have some interesting ideas. I just think it requires actually thinking outside of the box and reanalyzing our dogmatic adherence to tired old traditions in light of everything we've learned and everything that's changed in the interim, and the good ideas from other operating systems that we can borrow, instead of just repeating the same ideas over and over.

A flaw in our modern notion of operating system research and development which has depressed even the creators of Unix themselves: and while I don't think Plan 9 was the right move exactly — I think it actually recapitulates many of the flaws and fallacies of unix, such as the idea that everything being a file is particularly useful, or that we should use plain text designed first for people to read and only secondly for a computer to process, in idiosyncratic formats, instead of structured data — if even the original creators of Unix believe that it should be transcended (Dennis Richie), and that the original philosophy is dead (Rob Pike), maybe we should learn something from that?

Maybe it's actually okay to look at what other good ideas there may be in the problem space instead of being myopically, slavishly devoted to a sad old religion.

> Linux won on Unix merits.

First of all, even if that was the case, that doesn't mean it can't improve?

Just because, let's say, it's Unixy design was better than anything else that was on the market at the time, and so it won out against the other options that were available, doesn't mean it is the best possible option — that it can't be improved or developed, or even that the philosophy motivating it wasn't fundamentally flawed and broken in some ways; all it means is that whatever improvements could be made, or whatever was broken in the philosophy to begin with, was less broken or less bad than what happened to exist in competition with it. You're making the exact same mistake that people with conservative tendencies in life me and insisting that just because something work in the past, for whatever reasons it did that, it can't possibly be developed or improved upon. You aren't even saying if it ain't broke don't fix it, you're saying if it wasn't literally the worst, don't fix it.

In fact, I don't even think Unix won out in the server, workstation, academic, scientific, and supercomputing Realms as much as it did because of timeless technical merits and design decisions based on eternal truths that mean we should continue genuflecting to them forever (as much as the purveyors of the Art of Unix would like us to think that) but instead because it happened to have features that happened to be extremely relevant merits in the particular time and place and context it arose in, technologically and economically speaking.

Namely, that it combined extreme minimalism and portability with a reasonable level of composability, even if the composability it offered was awkward and half baked, and because the other offerings had made their own more severe tactical mistakes (Lisp Machines).

Thus it won out mostly almost by historical accident, as most things do, because a proper level of composability and integration, using defined IPC and structured data and well integrated families of tools with non-Turing-complete configuration languages was just too difficult for the hardware of the time, and so the choices were either on operating system with very little composability and flexibility and programmability, or something like unix.

But that isn't the case anymore, yet because it did win, we've retroactively deified it.

We can have our cake and eat it too if we choose to, if we choose to not get sucked in to the North Korea like UNIX cult.

> Separate binaries are not separate logical entities.

They're separate programs, sometimes essentially completely independent, sometimes sharing almost no code at all. For example, systemd-init does not have dependencies on all of the other programs, or vice versa. You can use the systemd-boot bootloader without using systemd's init daemon. You can use the systemd init daemon without using the systemd-boot bootloader.

Having separate release tarballs isn't some special distinction that makes things more "logically separate".

Besides, isn't this a goalpost shift of epic proportions?

> That is a bit rich coming from the author of systemd, which must be in the running for one of the largest bodies of code that must run as root

The point in indicting the size of systemd was the code that runs as root, but the wc line count is counting tons of stuff that not only doesn't all run as root, but some of it doesn't even run under Linux.

> those things didn't protect openssh being hit with the XZ Utils hack via systemd

A lot has already been said about this before, but the systemd library that they included in the Debian and Fedora patches to OpenSSH is by far one of the smallest surface areas of any of the runtime dependencies. A bit ago, when I ran libtree on sshd, I got this:

    $ libtree `which sshd`
    /run/current-system/sw/bin/sshd 
    ├── libgssapi_krb5.so.2 [runpath]
    │   ├── libkrb5.so.3 [runpath]
    │   │   ├── libk5crypto.so.3 [runpath]
    │   │   │   ├── libkrb5support.so.0 [runpath]
    │   │   │   │   ├── libkeyutils.so.1 [runpath]
    │   │   │   │   └── libresolv.so.2 [runpath]
    │   │   │   ├── libkeyutils.so.1 [runpath]
    │   │   │   └── libresolv.so.2 [runpath]
    │   │   ├── libcom_err.so.3 [runpath]
    │   │   │   ├── libkrb5support.so.0 [runpath]
    │   │   │   ├── libkeyutils.so.1 [runpath]
    │   │   │   └── libresolv.so.2 [runpath]
    │   │   ├── libkrb5support.so.0 [runpath]
    │   │   ├── libkeyutils.so.1 [runpath]
    │   │   └── libresolv.so.2 [runpath]
    │   ├── libk5crypto.so.3 [runpath]
    │   ├── libcom_err.so.3 [runpath]
    │   ├── libkrb5support.so.0 [runpath]
    │   ├── libkeyutils.so.1 [runpath]
    │   └── libresolv.so.2 [runpath]
    ├── libkrb5.so.3 [runpath]
    ├── libcom_err.so.3 [runpath]
    ├── libk5crypto.so.3 [runpath]
    ├── libz.so.1 [runpath]
    ├── libcrypto.so.3 [runpath]
    │   └── libpthread.so.0 [runpath]
    ├── libldns.so.3 [runpath]
    │   ├── libssl.so.3 [runpath]
    │   │   ├── libcrypto.so.3 [runpath]
    │   │   └── libpthread.so.0 [runpath]
    │   └── libcrypto.so.3 [runpath]
    └── libpam.so.0 [runpath]
        └── libaudit.so.1 [runpath]

And that's just what you can see by looking at the shared objects, there might be more at runtime.

You would have to ignore mountains of rationality in order to come to the conclusion that systemd was remotely reasonably "at fault" for what happened with the xz incident. Not only that, even prior to the xz incident, systemd had already fixed the problem that lead to the xz exploit, it just wasn't shipping in Debian or Fedora yet; that's most likely why the xz backdoor had to be rushed into the next releases in the first place, because the window of opportunity was closing.

His methodology actually favors systemd, as sudo is for example vendoring its dependencies in the repository.

    diath@11km :: /tmp » git clone https://github.com/systemd/systemd
    diath@11km :: /tmp » cloc --match-f="(c|h)" systemd/src
    C                             1478         165173          37638         584876
    C/C++ Header                  1083          15580          22432          59692

    diath@11km :: /tmp » git clone https://github.com/sudo-project/sudo
    diath@11km :: /tmp » cloc --match-f="(c|h)" sudo/{src,include}
    C                               41           2104           3359          16384
    C/C++ Header                    36            797           2159           5158

Way too loquacious. Definitely not the Unix way.

For anyone else unfamiliar with BNF:

https://en.m.wikipedia.org/wiki/Backus%E2%80%93Naur_form

If you don't like Unix maybe don't write software for a Unix clone.

I initially had the same reaction although having read the whole thread, the author convinced me that SUID is in fact a fatally flawed architecture and that run0's client-server architecture is correct.

> Windows NT, by way of OpenVMS so I've heard, had some very interesting ideas that I think Linux would have done well to imitate, like having a Common Language Runtime that lets you directly interact with the objects and functions of every application and code base on your system and communicate with them in structured data

The CLR is Microsoft’s answer to the JVM. It is not among the ideas Windows NT inherited from OpenVMS. It is not part of the core OS. Most apps don’t use it. With the advent of WinRT, there is arguably less of a push for its use than there once was.

And when you talk about “communicating with structured data”, I believe you are talking about PowerShell - which apps don’t participate in by default, you need to go to the extra effort of writing PowerShell cmdlets for your app, and many developers don’t. You have to write them in PowerShell itself, or else a CLI language such as C#, F#, C++/CLI, etc. So if your app is written in C or (standard) C++ or Go or Rust or Python or Java or JavaScript or Lisp or whatever, integrating with PowerShell requires adding a new language to your project - no wonder many don’t bother

> But complex interconnected systems achilles heel is security, and that's definitely true here.

And portability. Sudo, being a truly independent binary, has been ported in many OSes. Run0?

The issue with systemd ecosystem is not primarily technical, it's the isolationism.

Em, that seems an extremely generous comparison, where did you come up with that? Last I checked for example systemd relies on polkit for policies, which drags in a javascript interpreter engine. If the author thinks BNF is complex…

Unix "way":

- what matters is composability (ie programs, possibly running from different computers, being able to use each other's output)

- simplicity is required for composability. Thus the structure less file system and the "everything is a file" design concepts.

The same merits as HTTP in the realm of protocols.

The appeal for a stricter and more principled approach are understandable, and the road one end up favouring largely depends on one's early experience I believe.

I, for one, grew up in a world where I could use either a resilient Linux system that could run a treasure trove of programs written long ago for different machines, or a more modern and principled OS (windows) where a small glitch in some non essential video driver would frequently bring down the whole thing. I went for linux, it won maybe for its merits, maybe by chance, and now I'm concerned that a whole encompassing systemd will eventually bring us back where an unrelated glitch, or backdoor, in an unrelated non essential part will bring down the whole system.

Makes sense. Like I said, there are a few vaguely interesting ideas on Windows but it isn't good at all.

It's the best (or, least worst) OS we have right now, though, I just want it to evolve on those Unix ideas.

> There are system-d haters, sure.

> ...but system-d apologists are also a thing.

Why do you feel the need to insert this personal insult into an otherwise impersonal argument? This infuriates me. I'm not sitting here inflamed with passion to argue about systemd because I think it is great. I'm sitting here arguing about systemd because I feel someone was wrong on the Internet.

https://xkcd.com/386/

If you want to ascribe me as some "systemd apologist" because I am willing to "defend" systemd when I feel it is justified, then so be it, but it's wildly inaccurate, and framing it this way is biased in and of itself. It implies some kind of personal identification with things like init systems that I don't have. I have strong opinions, but I have those about everything.

> There's a fairly comprehensive thread about this (1), and my take away from it was not 'this had nothing to do with systemd'.

That's an enormous thread, if it really has a substantive bit can you please at least point to it? There's no chance I'm reading another thread about the xz incident.

> You can argue where blame lies for it,

Which is what I did do

> but that it involved system-d, and would not have been possible without system-d is not in dispute.

FWIW it would have been possible to backdoor Linux via liblzma5 without sshd linking to it. The actual thing that makes the sshd backdoor so incredibly stealthy is a combination of the fact that it is done in such a roundabout way (through an unexpected dependency), in a way that it would only be activated by downstream patches in distros and not upstream code. That last part is really nifty for avoiding detection.

There are still plenty of places where liblzma5 is used, with root privileges even. For example, many package managers use liblzma5. It certainly would've been possible to install a backdoor into sshd through that vector.

People are reading a bit much into the systemd link, but even if you won't accept that backdooring Linux would've been completely doable through liblzma5 without systemd, I would still contend that linking to liblzma5 is honestly a completely reasonable thing for a system library to do; heck, sshd itself already links to zlib. While 0 unused dependencies are better than 1, the picture people paint is that systemd recklessly linked in a bunch of libraries which is the only possible way a compromise of the xz project could've backdoored Linux, but the reality is a lot more nuanced than that.

> You're stepping from 'lets argue about system-d being big and clunky' into 'nothing is ever wrong with system-d we cannot tolerate critique!' here.

That's neither where this argument started nor where it is. Nothing in my single reply in this thread even remotely suggests the latter. It is a direct confrontation of two specific points.

> ...but, come on. We're arguing about the minute (irrelevant) details of a much larger point being made here.

> System-d is a big complex system; it is kind of funny that something that is big and complex

sigh. Now we're all the way back to square one. systemd is not a monolithic piece of software, it is a suite of programs.

> and part (undenyably) of a major recent security scare is part of the plan to replace sudo to be more secure and less complex.

I don't see this as funny at all considering that you don't need a bunch of roundabout logic to find security issues in sudo, they happen fairly regularly.

https://www.sudo.ws/security/advisories/

> I believe the intent is good, and the result will probably be better than the mess that sudo is now; but that's because sudo is a mess (or I personally think so anyway), not because system-d is simple, or easy, or somehow fundamentally more secure.

> If you can't see the irony here, you are dancing around with your hands over you ears.

Well, trust me when I say this, but I can tell you right now that I am witnessing a lot of irony.

That's called plan9.

> which must be in the running for one of the largest bodies of code that must run as root

Have you ever heard of the Linux kernel? Or X11 (which does traditionally run as root until systemd made it possible to not do so)?