Most active commenters

    ←back to thread

    Run0, a systemd based alternative to sudo, announced

    (mastodon.social)
    466 points CoolCold | 18 comments | 29 Apr 24 23:59 UTC | HN request time: 0.704s | source | bottom
    Show context
    jimrandomh ◴[01 May 24 07:13 UTC] No.40220398[source]
    > Or in other words: the target command is invoked in an isolated exec context, freshly forked off PID 1, without inheriting any context from the client (well, admittedly, we do propagate $TERM, but that's an explicit exception, i.e. allowlist rather than denylist).

    I think in practice, this is going to be an endless source of problems, so much so that it won't be adopted. The usual use case of sudo is that you have a normal shell command, making use of the environment for context in all the ways that shell commands do, but it doesn't have all the permissions it needs, so you add "sudo" as an adverb.

    Sometimes it makes use of environment variables. Sometimes stdin or stdout is redirected to a file, or to something more exotic than a file. Sometimes that means it runs inside of a chroot, or a Docker container. Sometimes you care about which process group it runs in.

    And sometimes the thing you're running is a complicated shell script or shell-script-like object, eg "sudo make install". In this case, you don't really know what its dependencies are. In fact this is a common enough case that, if run0 becomes widespread, I expect it'll have a flag or a set of flags that make it act exactly like sudo, and I expect people to wind up learning that they should always give run0 those flags.

    And I'm kind of worried that when this breaks stuff, the systemd project is going to push forward with some plan to get rid of sudo, and not gracefully accept the feedback that this is breaking things. I'm particularly worried about this because of the whole saga of KillUsersProcesses breaking nohup and screen, which to my knowledge is still broken many years later.

    replies(8): >>40220545 #>>40220776 #>>40221057 #>>40221964 #>>40222111 #>>40223577 #>>40225155 #>>40233172 #
    1. lyu07282 ◴[01 May 24 08:15 UTC] No.40220776[source]
    I think what is perhaps something to consider is how much of an attack surface sudo is and how unaware people are of the fact. Many people think they can configure sudo to be safe to use for unprivileged users, by only allowing specific things to run with it. But they don't realize all the ways it can be abused for privilege escalation. Getting rid of all that configuration removes that false sense of security, which is a good thing, it has been a huge footgun in Linux for decades. Some incompatibility is price well worth paying for that imho
    replies(1): >>40221072 #
    2. lupusreal ◴[01 May 24 09:16 UTC] No.40221072[source]
    I think these problems are basically negligible because the amount of people trying to "configure sudo to be safe to use for unprivileged users, by only allowing specific things to run with it" is negligible. Virtually all users of sudo are using it on their own computer which they are the sole user and ultimately the administrator of. Even in corporate contexts where the company owns the machine instead of the user, I've only ever seen cases where the use of sudo is unrestricted albeit logged. Where are these organizations where developers or syaadmins are allowed to use sudo but only with white listed commands? I don't doubt that some people are doing this, I just think it's not common.

    Replacing the whole of sudo with some weird new thing to better support a niche usecase seems disconnected from reality to me.

    replies(5): >>40221164 #>>40221703 #>>40222619 #>>40225606 #>>40227592 #
    3. sapphire_tomb ◴[01 May 24 09:31 UTC] No.40221164[source]
    My last job was at a UK bank. All our *nix systems were configured with a specific whitelist of commands that could be run via sudo. We found this an enormous pain in the arse when the powers that be decided to deploy ansible everywhere, and found that none of its "become" methods would work if sudo was set up like that.
    replies(3): >>40221316 #>>40221476 #>>40223361 #
    4. WesolyKubeczek ◴[01 May 24 10:00 UTC] No.40221316{3}[source]
    Not even using "su" as become_method? Granted, it would require the root's password, so it's another tradeoff, but...
    5. jeremyjh ◴[01 May 24 10:25 UTC] No.40221476{3}[source]
    Those environments could continue to use sudo. I'm sure Red Hat will support it until long after we all dead.
    6. Hendrikto ◴[01 May 24 11:03 UTC] No.40221703[source]
    > Virtually all users of sudo are using it on their own computer which they are the sole user and ultimately the administrator of.

    This is not the case at all. The vast vast majority of Linux installs are on servers.

    replies(3): >>40222682 #>>40223195 #>>40225069 #
    7. lyu07282 ◴[01 May 24 13:06 UTC] No.40222619[source]
    Its a common finding during pentests, but that's just unconvincing anecdote vs. anecdote. Another argument, besides misconfiguration, is the reduced attack surface by removing the huge complexity of sudo entirely. If your argument is basically that its fine because nobody is using the complexity of sudo, then I don't quite understand what your objection is to removing that complexity. You might need to manually restore some env-vars, whats the big deal?

    But I suspect this would just turn into a "doing things differently is bad because its doing things differently" argument, its not a very useful conversation to have.

    8. troyvit ◴[01 May 24 13:11 UTC] No.40222682{3}[source]
    Then I propose letting systemd hijack sudo's usefulness only on server installs.
    9. tomxor ◴[01 May 24 13:48 UTC] No.40223195{3}[source]
    That's not what parent means. They are arguing it's not generally used to delegate partial root access to unprivileged users, i.e by adding narrow sudoers rules to allow "some" specific things to be run as root for some users who don't have full root access otherwise.

    I tend to agree that 99% or use cases are just a convenient way to gain full root for users with full root access. Configuring sudoers for the former use case has long known to be a bit dangerous, i.e it's easy to get it wrong and create privilege escalation holes.

    10. fullstop ◴[01 May 24 14:00 UTC] No.40223361{3}[source]
    I had a job once which had a sudo whitelist, but vi was included. !sh and you had root.
    replies(3): >>40224067 #>>40225238 #>>40225813 #
    11. TheRealDunkirk ◴[01 May 24 14:50 UTC] No.40224067{4}[source]
    Classic case of #CorporateIT applying white paper "rules" and not understanding what they're doing. If I had a nickel...
    replies(1): >>40226402 #
    12. ◴[01 May 24 16:09 UTC] No.40225238{4}[source]
    13. crabbone ◴[01 May 24 16:34 UTC] No.40225606[source]
    > Virtually all users of sudo are using it on their own computer

    Nope. If I had to guess, it's in containers, like Docker. And those run in lots of places, and often in places with easy access to company's cloud account, credit card info etc.

    14. acdha ◴[01 May 24 16:48 UTC] No.40225813{4}[source]
    I also liked one where you could `sudo rpm -i`
    15. fullstop ◴[01 May 24 17:27 UTC] No.40226402{5}[source]
    Exactly, forms were filled in and boxes were checked off.
    16. otabdeveloper4 ◴[01 May 24 18:50 UTC] No.40227592[source]
    'systemd-run except with privilege escalation' is a thing I wished for for a long time, needed in production.

    Glad they finally made it, too bad it took them so long. (To be honest, it feels like it should have just been part of systemd-run in the first place.)

    replies(1): >>40234624 #
    17. intelfx ◴[02 May 24 10:33 UTC] No.40234624{3}[source]
    I mean, systemd-run could do privilege escalation from day one. It's even the default (otherwise overridable by systemd-run -pUser=<user>). I have used systemd-run --shell on countless occasions when I needed a clean root shell without any traces of the current environment.

    What is being announced is merely a thin layer of cmdline syntactic sugar over an existing feature, to make it closer to sudo in usage.

    So I'm not sure what exactly you were missing?

    replies(1): >>40245294 #
    18. otabdeveloper4 ◴[03 May 24 07:56 UTC] No.40245294{4}[source]
    Currently you have to do `sudo systemd-run --shell` if you want a root shell from a regular user's account.