Poettering announces tool in new systemd version to replace sudo

malaizhichun

malaizhichun

The creator of systemd, Microsoft employee Lennart Poettering, has announced that he would be including a new tool, known as run0, in the upcoming v256 release of systemd.
Poettering said run0 was meant as a replacement for sudo, "a tool that allows an unprivileged user to temporarily acquire privileges from within the existing login session, for just one command, or maybe for a sub-shell".

systemd was proposed as the default init system by Poettering about 11 years ago. Its adoption by many Linux distributions caused a great deal of angst, with some developers even quitting the projects to which they had contributed for a long time.
Some Debian developers who preferred the older init system, sysVinit, forked the distribution and set up Devuan where sysV is still the default.

In a Mastodon postabout run0, Poettering wrote: "sudo is very, very useful as it … allows users to operate at minimum privilege: do most of their work without privileges, but temporarily acquire them where needed, all without leaving the shell workflow, integratable with shell scripts, pipelines and so on.

"sudo has serious problems, though. It's a relatively large SUID binary, i.e. privileged code that unprivileged users can invoke from their own context. It has a complicating configuration language, loadable plugins (ldap!), hostname matches and so on and so on."
Ubuntu is one well-known Linux distribution that uses sudo.

Poettering said: "This has led various people to revisit the problem and come up with alternatives: most prominently there's probably OpenBSD's sudo replacement called 'doas'. While it greatly simplifies the tool and removes much of the attack surface, it doesn't change one key thing: it's still a SUID binary.
"I personally think that the biggest problem with sudo is the fact it's a SUID binary though – the big attack surface, the plugins, network access and so on that come after it just make the key problem…… worse, but are not in themselves the main issue with sudo.

"SUID processes are weird concepts: they are invoked by unprivileged code and inherit the execution context intended for and controlled by unprivileged code. By execution context, I mean the myriad properties that a process has on Linux these days, from environment variables, process scheduling properties, cgroup assignments, security contexts, file descriptors passed, and so on and so on.

"A few of these settings the kernel is nice enough to clean up automatically when a SUID binary is invoked, but much of it has to be cleaned up by the invoked suid binary. This has to be done very very carefully, and history has shown that SUID binaries are generally pretty shit at that.

"So, in my ideal world, we'd have an OS entirely without SUID. Let's throw out the concept of SUID on the dump of UNIX' bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful, manual clean-up is just not how security engineering should be done in 2024 anymore.

"With systemd v256 we are going one step towards this. There's a new tool in systemd, called 'run0'. Or actually, it's not a new tool, it's actually the long existing tool systemd-run, but when invoked under the run0 name (via a symlink) it behaves a lot like a sudo clone.

"But with one key difference: it's *not* in fact SUID. Instead it just asks the service manager to invoke a command or shell under the target user's UID. It allocates a new PTY for that, and then shovels data back and forth from the originating TTY and this PTY."

Asked for his take on run0, veteran Debian developer Russell Coker told iTWire: "Changing colour of a terminal window to indicate changed privileges is a good idea.
"Polkit has been a major pain to configure, they have had some sort of change to the configuration language and I haven't yet tried configuring the new one. I don't think that the Polkit language is less bad than sudo config files.

"The claim that sudo is insecure and that going to something based on polkit is better is dubious. If we can have just run0 instead of sudo, polkit, and a mix of other things that will be an improvement.
"Addressing issues of tty character injection via a proxy is good. It's something I did for SE Linux about 20 years ago and a re-implementation of the same concept is in the current SE Linux code base.
"Generally I think this is a good thing, having one place where it's done and getting that one place right is better than having lots of SETUID programs doing different things."
 
Some discussion here:

forums.freebsd.org

Lennart Poettering goes to Microsoft

1. Microsoft is an ENEMY OF THE FREE SOFTWARE movement and I love the FreeSoftware movement. Microsoft used to be a competitor of open source. It did what all competitors do: try to overtake and damage the competition. It did exactly the same thing to Digital Research, IBM, Borland, Sun, Oracle...
forums.freebsd.org forums.freebsd.org
 
Poettering wrote:

malaizhichun said:
"sudo has serious problems, though. It's a relatively large SUID binary, i.e. privileged code that unprivileged users can invoke from their own context. It has a complicating configuration language, loadable plugins (ldap!), hostname matches and so on and so on."
Click to expand...
That argument is correct. Sudo is way too complex, which in and of itself is a bad thing, in particular from a security standpoint.

"SUID processes are weird concepts: they are invoked by unprivileged code and inherit the execution context intended for and controlled by unprivileged code. By execution context, I mean the myriad properties that a process has on Linux these days, from environment variables, process scheduling properties, cgroup assignments, security contexts, file descriptors passed, and so on and so on.

"A few of these settings the kernel is nice enough to clean up automatically when a SUID binary is invoked, but much of it has to be cleaned up by the invoked suid binary. This has to be done very very carefully, and history has shown that SUID binaries are generally pretty shit at that.

"So, in my ideal world, we'd have an OS entirely without SUID. Let's throw out the concept of SUID on the dump of UNIX' bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful, manual clean-up is just not how security engineering should be done in 2024 anymore.
Click to expand...
That argument is also correct.

The only problem is that SUID exists for a reason: Sometimes unprivileged users need to do something that by all logic requires privilege. That creates complexity. Complexity can not be made to vanish, but it can be managed with good clean design. In my humble opinion, systemd is not the place to add more complexity, nor is it a system that has distinguished itself by good clean design.
 
ralphbsz said:
In my humble opinion, systemd is not the place to add more complexity, nor is it a system that has distinguished itself by good clean design.
Click to expand...
I agree with this opinion. I'm thinking that systemd is a stealthy way to actually replace the entire OS. If it's the first thing run after loading the kernel, why not have it completely replace the kernel?
 
mer said:
If it's the first thing run after loading the kernel, why not have it completely replace the kernel?
Click to expand...
That would bee a jolly good idea. Systemd relies very heavily on things only the Linux kernel provides, and that would need replacing. All in all it would require the systemd team years of 24/7 to get this off the ground, not speaking of it flying. It would be a complete CF for years, and all that time they won't have time to make the existing ecosystem worse.
 
Here are some more articulations of why I don't like sytemd taking over duties such as this:

1) if I have to update systemd-sudo I have to update all of systemd. And that has a lot of implications and can mess up a lot of other things. If I have to update plain sudo I only update sudo.

2) if there is an update to systemd-sudo that I need then I have to reboot since it is effectively pid 1. If I have to replace plain sudo I can do that without reboot.
 
3) due to 1) I can not update systemd-sudo without the help of the distribution. I am at their mercy. If I have to replace plain sudo I can in an emergency compile it myself. I can even have my own compiled sudo as an additional installation in /opt/alt/bin/sudo or whatever. Not possible with systemd-sudo.
 
mer said:
I'm thinking that systemd is a stealthy way to actually replace the entire OS. If it's the first thing run after loading the kernel, why not have it completely replace the kernel?
Click to expand...
I think I kind of "get it". Or at least I think I can see why non-unix people might like systemd.

Linux is a real mess. An absolute hodgepodge of "freeware". If you were to build it from scratch, i.e cp individual files, the majority of them you would find unnecessary cruft or have no clue what they are.

So by people encapsulating this into a large black box called "systemd", they feel less overwhelmed at a cognitive level. What they probably don't know is that the mess is still there, just inside the compiled binary. A mixture of "ignorance is bliss" (or just outright "ignorance") keeps things ticking forward with this approach.

So yeah, bung sudo in there too. Then it is one less scary program on your system right? Not quite.
 
Item #1 is a big one in my opinion. a reason for adding run0 is "sudo is too complex"; as ralphbsz pointed out systemd is also complex. My experience has been starting with something complex and making it more complex makes it harder to test: regression test to make sure nothing got broken, new feature test to make sure it actually works.

sudo, being complex, is still only trying to do one thing, giving it a chance to at least attempt to have a clean design.
doas, accomplishing the same functionality I believe is smaller and less complex than sudo, which means a higher probability of correctness.

So a standalone complex program that has a clean enough design to verify or adding more complexity to an already complex program?

I would still take the standalone complex program
 
mer said:
I would still take the standalone complex program
Click to expand...
Certainly! Though I guess they see it as:

"Two complex programs is worse than one complex program"

Completely overlooking that the complexity is still there. systemd is now even more complex. But since systemd was already pretty much impossibly complex for many to fully understand, they don't see more complexity as a problem. They have already reached the critical mass of complexity. Now it is just magic.
 
Alain De Vos said:
I never used sudo only su and then i exit when I don't need privileges anymore.
So for me no need for sudo.
Click to expand...

What do you do about your shell's config? Do you work with a different config when userid == 0? Or do you have root's shell configured as well?

For me it is very important that the config doesn't suddenly change, especially when it comes to history. I don't want to fire up the wrong command from history when I am uid 0.
 
  • Like
Reactions: mer
mer said:
I agree with this opinion. I'm thinking that systemd is a stealthy way to actually replace the entire OS. If it's the first thing run after loading the kernel, why not have it completely replace the kernel?
Click to expand...
"Replace" the kernel does not work in a normal OS design (whether it be Unix, VMS, or zOS=MVS). The kernel runs in system mode, where it can do things like memory accesses and interacting with devices that normal processes can not and should not. So we continue to need a split between system mode and user mode, unless we want to run everything in system mode, which would be a security and difficulty nightmare.

The function of process 1 is different. It runs in user space. Its purpose is to start programs, for example daemons, and somewhat indirectly user processes (via getty -> login -> shell). Traditionally, it was tiny, since there were very few daemons, and their configuration could be described in a single and simple file (for example /etc/inittab). But that's not the world we live in today: there is an enormous amount of system initialization to be done. I just counted on my 13.2 system: The total of /etc/rc* (including subdirectories) is 4108 lines of shell, plus 10 types of daemons that are started (with millions of lines of source). Merging all that stuff with the kernel (another millions of lines of source) would be a design nightmare. Better to keep it cleanly separated.

What is true that in some OS designs (microkernels), the actual kernel is extremely tiny, and just handles message passing between kernel daemons, which handle things like memory management, file systems, device IO, and networking, and are independent processes. From a "clean design" standpoint that looks nice; in practice, it has (solvable) performance issues, and ultimate the "interconnectedness of all things" makes is just as complex as a monolithic kernel.

Systemd tries to solve a real problem: Initializing the system (the parts the kernel doesn't do) is hard today, and starting all the processes even harder. The old inittab + /etc/sysconfig was a disaster. Systemd is definitely less bad, and some aspects of it are quite nice, but it suffers from having been thrown together bit by bit and then growing to solve more and more problems, without ever having gone through a coherent overall design. And that's why (in my not humble opinion) it should not take on more tasks, without first getting refactored. In particular not tasks for which good solutions (like doas) already exist.
 
Alain De Vos said:
I never used sudo only su and then i exit when I don't need privileges anymore.
So for me no need for sudo.
Click to expand...
Sudo and doas have more functionality than su. For example, sometimes cgi scripts have to execute things that the user that the web server (apache...) runs at can not do. As an example: I have a pump/well monitoring and control system, and there are privileged commands (such as "turn well off, turn emergency pump on") that normal users can't do. But they are accessible via password-secured web pages. Those web pages use doas to execute commands that user www would never be allowed to.

Similarly, some users can do very specific things that are usually reserved to root or the wheel group, without being in that group. Examples on my system include emergency shutdown of the system, or running tcpdump as my normal user (because debugging network problems is sadly a common task).

So they have their uses, for fine-grain control of which user can do what.
 
cracauer@ said:
What do you do about your shell's config? Do you work with a different config when userid == 0? Or do you have root's shell configured as well?
Click to expand...
I work more or less like Alain: When I'm doing normal user stuff (e-mail, programming, document management, taking notes...) I'm logged in as a regular user. When I'm doing system administration, I change to a root shell. It is configured mostly similar (same shell, many aliases are the same, same editor config), but it has a completely different prompt (which is bright red). I'm disciplined enough to never edit user files (for example things that are under source control) as root, and to document everything I do in my sys admin log files, at least as bullet points.

But I do understand that other people like a totally different style, where they are logged in as a user, and run individual commands that require root privileges with sudo. Good for them.
 
cracauer@ said:
I have to reboot
Click to expand...
From the perspective of a Microsoftist, it is probably perfectly OK to reboot 10x a day, just to make sure the system is clean.

The only Linux I use from time to time is Debian, so I hope that with the new Microsoft dana gift it will still be possible to open a terminal similar to
sudo su -
.
 
malaizhichun said:
"sudo is very, very useful as it … allows users to operate at minimum privilege: do most of their work without privileges, but temporarily acquire them where needed, all without leaving the shell workflow, integratable with shell scripts, pipelines and so on."

"sudo has serious problems, though. It's a relatively large SUID binary, i.e. privileged code that unprivileged users can invoke from their own context. It has a complicating configuration language, loadable plugins (ldap!), hostname matches and so on and so on."
Ubuntu is one well-known Linux distribution that uses sudo.
Click to expand...
It's important to recognise that the same strategy that brought systemd to it's dominant position in the Linux ecosystem is in use here again. These statements, to discredit and denounce the existing tool are always the first stage. Let's pretend that systemd doesn't have some of the same problems he identifies in sudo?
 
I understand where Lennart is coming from, which is that there's no reason why he can't try and fix stuff, but everybody here is probably thinking "your idea sucks." Of course the difference is that he's the one doing the driving. It's hard to "fix" problems in stuff like sudo, but it's easy to fix them if you roll it into a new tool under your purview. If you make a mistake, you can fix that too.
 
msplsh said:
I understand where Lennart is coming from, which is that there's no reason why he can't try and fix stuff, but everybody here is probably thinking "your idea sucks." Of course the difference is that he's the one doing the driving. It's hard to "fix" problems in stuff like sudo, but it's easy to fix them if you roll it into a new tool under your purview. If you make a mistake, you can fix that too.
Click to expand...
Most sane developers will agree that Poettering tries so solve a valid point, because this is why e.g. doas became a thing.

But most sane developers will also agree that the idea was dead on arrival after Poettering mentioned it will be using systemd's infrastructure, and depend on it. This is why doas will remain to be a thing.
 
I agree with hardworkingnewbie What was a premise behind systemd? Init system is too hard and complex and leads to errors. Does systemd improve on that or is it "as good as?" One of my "things I hate about systemd" is the logging: you go from nice text based logging to binary logging with obscure error messages. Then systemd "evolved" into a lot more than an init replacement; it's practically taken over everything and has it's own replacements for standard system tools.

Now go back to the arguments on this latest: sudo is too complex. The solution is to take a complex bit of software that is providing critical infrastructure to a system and add more complexity on it?

So no, I don't hate systemd for no reason or where it came from.
 
I think the point is to layer it so there's not separate points of failure, just a single one to focus on hardening. Oops one thing got suid and now you're screwed. Seems like taking the current model and trying to put a type of capabilities-based thing on top of it like the Fuchsia OS has built in. Shuffles the complexity around to somewhere more manageable for a different priority.
 
msplsh said:
Shuffles the complexity around to somewhere more manageable for a different priority.
Click to expand...
My experience has shown that shuffling around complexity merely moves a problem to a different place and doesn't actually address anything. Kind of "Not my problem anymore, now it's yours"
Kind of like not root causing a bug
 
You must log in or register to reply here.
Back
Top