←back to thread

Run0, a systemd based alternative to sudo, announced

(mastodon.social)
466 points CoolCold | 1 comments | 29 Apr 24 23:59 UTC | HN request time: 0.203s | source
Show context
constantcrying ◴[30 Apr 24 07:23 UTC] No.40208131[source]
Why do they have to do this? This is really, really stupid.

My issue isn't even that someone tries to replace sudo. That may or may not be a completely fine thing to do, depending on the state of sudo and what improvements can be made. But what makes me really upset is this completely unexplainable need to make everything part of one particular init system. There is absolutely no reason to tie your new sudo replacement to systemd. Absolutely none.

This is a completely insane way to develop software, instead of creating a new piece of software in a separate project they will force all their projects simultaneously onto all their users for absolutely no reason.

I am very glad to have jumped ship from systemd. It is particularly bad software created by a team of people who engage in very bad practices and a totally unhealthy view of software in general.

replies(15): >>40208192 #>>40208204 #>>40208221 #>>40208253 #>>40208266 #>>40208277 #>>40208280 #>>40208283 #>>40208314 #>>40208386 #>>40208516 #>>40209218 #>>40215207 #>>40215247 #>>40215377 #
paulddraper ◴[30 Apr 24 19:32 UTC] No.40215247[source]
> There is absolutely no reason to tie your new sudo replacement to systemd

It is said right there: the reason is to avoid the awkward SUID issues, and to have a privileged process create the process.

replies(1): >>40217353 #
immibis ◴[30 Apr 24 22:44 UTC] No.40217353[source]
Instead you get awkward state management issues. Will the child really inherit everything it needs from the parent or has systemd forgotten to transmit something? If I chroot and then run0 will that process also run in the chroot? What about systems with older versions of systemd?
replies(1): >>40220997 #
_flux ◴[01 May 24 08:59 UTC] No.40220997[source]
I imagine these questions are what might make this project non-trivial, but surely achievable.

> If I chroot and then run0 will that process also run in the chroot?

That's an interesting question and it's not quite clear to me what should be the answer. For example, one legit answer might be that it would not work at all (in which case you would need to use some other tool that fits your needs), or another would be that the policy can decide what to do in that case.

But wouldn't you agree that it is better security hygiene to explicitly opt-in to inheriting properties when going to an elevated security level, instead of opting out from them?

replies(1): >>40261818 #
immibis ◴[05 May 24 02:24 UTC] No.40261818[source]
I expect that when I run "sudo rm /foo" it should try to affect the same file as "rm /foo". Especially when I just checked, without sudo, that /foo was the correct file.
replies(1): >>40262975 #
1. _flux ◴[05 May 24 07:27 UTC] No.40262975[source]
If there is a non-error effect in running sudo rm /foo, then indeed it should have the same effect as rm /foo as root in the chroot environment.

But using sudo, or even root, in a chroot environment isn't good security practice in the first place. For example, the environment's /etc/sudoers, /etc/shadow, /etc/passwd can all be different (but actual user ids are shared), while the environment could mknod the root filesystem device, mount parts of the host under /usr and /home and quite possibly elevate its access to the host filesystem, in which case sudo in a chroot environment would interact with the host in perhaps ways that are not directly constrainable in sudoers in the first place.

I imagine it's possible to carefully construct the chroot environment and craft /etc/sudoers in a way to avoid this, but I wouldn't even try.

In a better contained system implemented with namespaces (as in docker) sudo should work as expected. I imagine e.g. with docker you could have a service that responds to the system dbus messages, either as a separate daemon in the container or something even provided by docker itself. Or, maybe the requests from the container could be forwarded to the main systemd, with information about the context the request comes from, and let it choose how to move forward.

In the end I don't think I agree that a sudo replacement exchanging messages directly with the systemd is the best way to go. There could be another daemon, run by systemd (or not), that handles these messages. I suppose in the case of dbus there is no "dbus firewall" to limit the access to dbus as one can limit access to Unix domain sockets with plain old permissions, though, so perhaps the security benefits would be minimal in the dbus architecture.