run0: a systemd-based, more secure replacement for sudo

Lennart Poettering, main developer of systemd, has announced run0, a systemd-based replacement for the well-known sudo command that fixes many of he inherent issues with the widely used tool to gain temporary elevated privileges. There are various problems with sudo, which basically come down to that it’s a large SUID binary, meaning it consists of privileged code that unprivileged users can run from their own context. This makes sudo a fairly large attack surface, and why OpenBSD uses doas instead; while doas suffers from the same main problem, it’s much smaller and reduces the attack surface considerably.

SUID processes are weird concepts: they are invoked by unprivileged code and inherit the execution context intended and controlled by unprivileged code. By execution context I mean the myriad of properties that a process has on Linux these days, from environment variables, process scheduling properties, cgroup assignments, security contexts, file descriptors passed, and so on and so on. A few of these settings the kernel is nice enough to clean up automatically when a SUID binary is invoked, but much of it has to be cleaned up by the invoked suid binary. This has to be done very very carefully, and history has shown that SUID binaries are generally pretty shit at that.

Lennart Poettering

Poettering wants to address this problem, and has come up with run0, which behaves like sudo, but works entirely differently and is not SUID. Run0 asks the services manager to create a shell or command under the target user’s ID, creating a new PTY, sending data back and forth from the originating TTY and the new PTY.

Or in other words: the target command is invoked in an isolated exec context, freshly forked off PID 1, without inheriting any context from the client (well, admittedly, we *do* propagate $TERM, but that’s an explicit exception, i.e. allowlist rather than denylist).

One could say, “run0” is closer to behaviour of “ssh” than to “sudo”, in many ways. Except that it doesn’t bother with encryption or cryptographic authentication, key management and stuff, but instead relies on the kernel’s local identification mechanisms.

run0 doesn’t implement a configuration language of its own btw (i.e. no equivalent of /etc/sudoers). Instead, it just uses polkit for that, i.e. how we these days usually let unpriv local clients authenticate against priv servers.

Lennart Poettering

This approach addresses a whole slew of attack vectors on sudo, and it comes with fun additional features like being able to give your terminal a different background tint when using it, or displaying a little red dot in the terminal window title to further indicate you’re using elevated privileges. It will ship as part of the upcoming release of systemd 256.

40 Comments

  1. 2024-04-29 8:08 am
    • 2024-04-29 8:30 am
      • 2024-05-03 10:25 pm
        • 2024-05-03 11:44 pm
    • 2024-04-29 4:46 pm
      • 2024-05-03 10:28 pm
    • 2024-04-29 7:56 pm
      • 2024-04-29 10:36 pm
      • 2024-04-30 12:27 am
        • 2024-04-30 7:43 am
      • 2024-05-03 10:30 pm
    • 2024-04-29 11:57 pm
      • 2024-04-30 12:33 am
        • 2024-04-30 1:19 am
  2. 2024-04-29 11:46 am
    • 2024-04-30 12:28 am
  3. 2024-04-29 1:10 pm
    • 2024-04-30 12:34 am
  4. 2024-04-29 2:28 pm
    • 2024-04-29 6:10 pm
      • 2024-04-30 3:57 am
        • 2024-04-30 7:49 am
          • 2024-05-01 1:12 am
        • 2024-05-01 1:10 am
      • 2024-04-30 9:32 am
    • 2024-04-30 12:37 am
    • 2024-05-01 5:45 am
      • 2024-05-01 7:49 am
  5. 2024-04-29 2:32 pm
  6. 2024-04-29 3:43 pm
    • 2024-04-30 12:41 am
      • 2024-04-30 10:21 am
        • 2024-05-01 12:51 am
  7. 2024-04-29 4:45 pm
  8. 2024-04-30 1:13 am
    • 2024-04-30 8:20 am
      • 2024-05-01 1:00 am
  9. 2024-05-02 1:51 am
  10. 2024-05-03 4:08 pm
  11. 2024-05-05 2:19 am