
466 points | CoolCold | 1 comment

Iridescent_ No.40207911
Wasn't the recent liblzma attack already exploiting the fact that systemd has its hands in pretty much everything? Wouldn't this expand further the attack surface of systemd and the systems that connect with it?
replies(4): >>40207975 >>40207977 >>40209200 >>40215575
viraptor No.40207975
That's not a great summary of lzma. It was systems adding a custom patch to ssh which used a systemd-related library that it didn't really need in the first place. It's a stack of issues that don't have much to do with systemd itself, really.

But re. expanding the attack surface - unlikely. Systemd's primary purpose is to start processes with the right environment / permissions. systemd-run/run0 basically give you the tool to invoke that functionality with a terminal attached to it. That's a smaller scope of extra code than sudo/doas deal with.

replies(1): >>40219360
metta2uall No.40219360
Isn't it a fault of systemd that libsystemd had a dependency on libxz? (because it implements too many things). It should have been possible to add the notification functionality using a tiny libsystemd-notify.
replies(1): >>40229627
viraptor No.40229627
It's not a fault. They needed xz for some functionality and didn't want to split that library into multiple pieces. That's just a choice.

But either way, you could always do notification in a few lines yourself (probably as many as you needed to link that library in the first place). I've done multiple 3-line "implementations" in Python and Ruby in the past and never linked it for example.
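The "few lines yourself" idea in the comment above refers to the sd_notify(3) protocol: systemd exports the path of a Unix datagram socket in `NOTIFY_SOCKET`, and a `Type=notify` service tells systemd it is up by writing newline-separated `KEY=VALUE` text such as `READY=1` to it. The following is an added example, not code from the commenter or from the systemd project; it implements that client side in pure Python with no libsystemd (and therefore no liblzma) linked in. The `bind_listener` and `demo_roundtrip` helpers are assumptions added so the sender can be exercised against a throwaway socket outside systemd.

```python
"""Minimal sd_notify(3) client in pure Python; no libsystemd required."""
import os
import socket
import tempfile


def sd_notify(state, env=None):
    """Send one notification datagram to the socket named in NOTIFY_SOCKET.

    `state` is the newline-separated "KEY=VALUE" text documented in
    sd_notify(3), e.g. "READY=1", "STATUS=listening", "WATCHDOG=1".
    Returns True when a datagram was sent and False when NOTIFY_SOCKET is
    unset (the process is not running under a Type=notify unit), so a
    daemon can call it unconditionally.
    """
    env = os.environ if env is None else env
    addr = env.get("NOTIFY_SOCKET")
    if not addr:
        return False
    # A leading '@' denotes a Linux abstract-namespace socket; the kernel
    # expects a NUL byte in that position instead.
    if addr[0] == "@":
        addr = "\0" + addr[1:]
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.sendto(state.encode("utf-8"), addr)
    return True


def bind_listener(path):
    """Assumed test helper: bind a datagram socket standing in for systemd."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.bind(path)
    return srv


def demo_roundtrip():
    """Assumed demo: send READY/STATUS to a local stand-in socket and return
    the bytes the 'manager' side received."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "notify.sock")
    srv = bind_listener(path)
    try:
        # Pass a constructed environment instead of touching os.environ.
        sent = sd_notify("READY=1\nSTATUS=listening", {"NOTIFY_SOCKET": path})
        if not sent:
            return b""
        return srv.recv(4096)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(workdir)


if __name__ == "__main__":
    print(demo_roundtrip())          # b'READY=1\nSTATUS=listening'
    print(sd_notify("READY=1", {}))  # False: not under a notify unit
```

In a real unit the manager only honours datagrams from the processes allowed by `NotifyAccess=`, so a service that forks helpers should send the notification from the main process (or set `NotifyAccess=all` deliberately).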