"run0" as a sudo replacement
So, in my ideal world, we'd have an OS entirely without SUID. Let's throw out the concept of SUID on the dump of UNIX' bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful manual clean-up is just not how security engineering should be done in 2024 anymore.
(Log in to post comments)
"run0" as a sudo replacement
Posted Apr 30, 2024 14:15 UTC (Tue) by mezcalero (subscriber, #45103) [Link]
S_ISUID too, not S_ISETUID?
I think calling the flags "setuid" (as lwn appears to prefer?) just blurs things, since that's the name of a syscall (setuid()), which does something related, but is not actually involved in the concept that the inode SUID flag is about.
Hence, I am a bit confused what that comment here is supposed to achieve? It just creates confusion?
Lennart
SUID
Posted Apr 30, 2024 14:21 UTC (Tue) by corbet (editor, #1) [Link]
Lennart, the purpose was to be sure that readers knew what the term meant in the quote, nothing more.
SUID
Posted Apr 30, 2024 17:00 UTC (Tue) by rsidd (subscriber, #2582) [Link]
SUID
Posted Apr 30, 2024 17:08 UTC (Tue) by corbet (editor, #1) [Link]
I will admit to being entirely confused about what the problem is here. Nobody is being singled out; the purpose was simply to give a definition to an acronym. Are people reading in some sort of criticism that was not intended to be there?
SUID
Posted Apr 30, 2024 17:36 UTC (Tue) by marcH (subscriber, #57642) [Link]
... which "he" calls...
Easily over-interpreted as "which [only] he calls"
That aside, language questions tend to be emotional in general. Feeling misunderstood hurts.
SUID
Posted Apr 30, 2024 19:53 UTC (Tue) by The_Barbarian (guest, #48152) [Link]
SUID
Posted Apr 30, 2024 20:27 UTC (Tue) by mezcalero (subscriber, #45103) [Link]
SUID
Posted Apr 30, 2024 20:54 UTC (Tue) by AdamW (subscriber, #48457) [Link]
"avoiding the use of SUID permissions entirely."
The way you wrote it implies that everyone else calls it "setuid", so you have to explain Lennart's odd choice of word so that we will explain. There doesn't appear to be any other reason not to just write it more simply.
SUID
Posted Apr 30, 2024 21:00 UTC (Tue) by corbet (editor, #1) [Link]
Because. I. wanted. to. define. the. acronym. SUID."Setuid" is the term we have always used; SUID is not. I have some reason to believe that LWN readers are familiar with seeing "setuid" by now. I was not so sure about SUID; since it appeared in the quote, I felt the need to (as we normally do) give it a meaning.
I'm sorry if I offended somebody by so doing. But can we please give this a break now? If that is the worst thing we've written this day, we're doing pretty well.
SUID
Posted May 19, 2024 16:25 UTC (Sun) by DanilaBerezin (subscriber, #168271) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 15:08 UTC (Tue) by jrtc27 (subscriber, #107748) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 15:16 UTC (Tue) by PengZheng (subscriber, #108006) [Link]
IIRC, "setuid" is actually the preferred term of man7.org, from which lots of Linux users get their Linux knowledge.
That comments serves to resolve their possible confusion.
"run0" as a sudo replacement
Posted May 3, 2024 20:31 UTC (Fri) by jwilk (subscriber, #63328) [Link]
Source: https://manpages.debian.org/bookworm/manpages/man-pages.7...
"run0" as a sudo replacement
Posted Apr 30, 2024 14:34 UTC (Tue) by DimeCadmium (subscriber, #157243) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 14:37 UTC (Tue) by vadim (subscriber, #35271) [Link]
Any enforcement, policies and so on are up to the userspace program being run. And setuid isn't a good mechanism in that it allows the user to attempt to subvert the execution of setuid tools like sudo.
"run0" as a sudo replacement
Posted Apr 30, 2024 14:47 UTC (Tue) by DimeCadmium (subscriber, #157243) [Link]
By comparison this sounds like an invitation to repeat CVE-2021-3560
"run0" as a sudo replacement
Posted Apr 30, 2024 14:57 UTC (Tue) by farnz (subscriber, #17727) [Link]
The kernel doesn't enforce LD_PRELOAD and other controls - it relies on userspace getting environment variable handling across SUID correct. The kernel "merely" changes the real UID when running a setUID program; it's then up to user space to correctly handle the rest of the process execution environment (environment variables, groups, umask, effective UID etc).
And that's what this aims to address - because this goes back to a daemon which starts things from a known environment, instead of having to scrub everything it knows about to get to a sane state, noting that if it doesn't know about something important, it's got a security hole, it instead starts things in a sane state and copies over just enough environment to be useful.
"run0" as a sudo replacement
Posted Apr 30, 2024 15:10 UTC (Tue) by DimeCadmium (subscriber, #157243) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 15:17 UTC (Tue) by vadim (subscriber, #35271) [Link]
No, it doesn't. Give it a try.
> Is the environment that systemd starts things in known? Really no, rather it's defined but in order to know you've got to go look in about a bajillion different spots.
A lot more defined in fact in that it's not controlled by the calling user.
"run0" as a sudo replacement
Posted Apr 30, 2024 15:22 UTC (Tue) by mattdm (subscriber, #18) [Link]
Do you know about `systemctl show` (possibly with `--all`)?
"run0" as a sudo replacement
Posted Apr 30, 2024 15:33 UTC (Tue) by farnz (subscriber, #17727) [Link]
No, SUID on its own does not start from a known environment. It starts from the environment set by the caller of exec, except that where a normal process has the same real UID as the caller of exec, a SUID binary has the real UID taken from the file that was executed.
This is why SUID binaries are so hard to get right - the entire process execution environment is under attacker control, except for the real UID of the process. Everything that runs in the SUID process has to pay attention to whether real UID == effective UID, and if it doesn't, it has to go into a "secure" mode where it doesn't trust the environment - but this includes things like the ELF interpreter, ld.so. If a new feature is added to ld.so by the glibc team, and they don't realise that it has security implications, then they may not remember to put the "am I SUID?" check around it, and the result is an exploit. Similar applies if the SUID binary itself is influenced by environment variables, but doesn't properly check to see if they could have been set by an attacker.
In contrast, systemd's environment is entirely under systemd's control; the kernel starts process ID 1 in a defined environment, and systemd can ensure that when it starts a process at run0's request, it does so in a clean environment where there's nothing to surprise a newly started process. Instead, run0 has to explicitly copy over the parts of the execution environment that you want in your escalated process - and we know from long experience that "explicitly copy over what I want" is a better security boundary than "copy over everything, then remove the dangerous bits".
"run0" as a sudo replacement
Posted Apr 30, 2024 15:04 UTC (Tue) by josh (subscriber, #17465) [Link]
No, it largely doesn't. The kernel sets AT_SECURE in the auxiliary vector, and then the C library and dynamic linker turns off the use of various environment variables when AT_SECURE is set.
(There are some kernel mechanisms around suid, but that isn't one of them.)
"run0" as a sudo replacement
Posted Apr 30, 2024 15:09 UTC (Tue) by DimeCadmium (subscriber, #157243) [Link]
> but that isn't one of them
OK.
"run0" as a sudo replacement
Posted May 1, 2024 11:11 UTC (Wed) by pbonzini (subscriber, #60935) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 19:39 UTC (Tue) by wahern (subscriber, #37304) [Link]
The new process only has root privileges if the owner of the file is root. You can use SUID to simply change privileges to some other dedicated user. Likewise, you can use the SGID bit to change group privileges. This is how
BSD Auth, an alternative to PAM, works on OpenBSD: there are several binaries under /usr/libexec/auth that utilize SUID and SGID.
> Any enforcement, policies and so on are up to the userspace program being run. And setuid isn't a good mechanism in that it allows the user to attempt to subvert the execution of setuid tools like sudo.
You can use normal file permission policies, specifically group permissions, to control who can execute an SUID or SGID binary. Again, this is how BSD Auth works on OpenBSD. Unlike with PAM, for example, I can grant a daemon permissions to verify system passwords by adding that service user to the `auth` group, whereas with PAM you'd normally need to run as root. (Access control to the specialized authentication binaries, which themselves variously use SUID and SGID, is accomplished using read and exec restrictions on the /usr/libexec/auth subdirectory where the binaries live.)
Traditional Unix file permissions permit much more sophisticated access models than commonly encountered on typical Linux systems. They're not perfect, but they're woefully underutilized, supplementary groups in particular.
There are myriad pitfalls to utilizing SUID and SGID permissions, but *most* pitfalls will be common to any privilege brokering scheme--they're mostly variations of the Confused Deputy problem. There are only a few specific to SUID/SGID, most notably dynamic library loading (e.g. LD_PRELOAD) and file descriptor inheritance. One of the reasons those were a problem historically is incomplete facilities available for dealing with them. OpenBSD added issetugid(2) to make it easier for components to determine if they've been run SUID/SGID. And you can easily imagine a simple system library that could be made available to re-exec into a scrubbed environment. We don't have these nice things because attention is elsewhere, not because SUID/SGID is fundamentally broken. They're certainly not as ideal as a fine-grained capability system, but making profitable use of SUID/SGID is achievable by anyone today using long-existing tools, and they can even provide a bridge toward capability systems without needing to shunt everything through a root-owned (UID 0) broker. SUID/SGID aren't adequate alone, but they can certainly be part of robust solutions. And as compared to monolithic brokers, using several different binaries and processes also gives the benefit of hardware-enforced memory isolation and similar process boundaries.
"run0" as a sudo replacement
Posted Apr 30, 2024 20:36 UTC (Tue) by mezcalero (subscriber, #45103) [Link]
Linux has an equivalent of issetugid() since a long time btw: getauxval(AT_SECURE). It also covers fcaps binaries. In systemd we do use this at various places (mostly through secure_getenv()). Not because we'd ourselves have any suid/sgid/fcaps binaries (we don't, and we explicitly declare it's not acceptable in our tree), but because people might end up using libsystemd in suid binaries, and we don't want to be responsible for making a bad idea a security hole.
Lennart
"run0" as a sudo replacement
Posted Apr 30, 2024 22:08 UTC (Tue) by smcv (subscriber, #53363) [Link]
"run0" as a sudo replacement
Posted May 1, 2024 2:02 UTC (Wed) by WolfWings (subscriber, #56790) [Link]
Setuid/Setgid has been around as a term longer than the 40+ years I've been alive since V7 released a few months before I was born; insisting on describing things based on the API/ABI/Header/ENUM/whatever instead seems weird to me by comparison?
"run0" as a sudo replacement
Posted May 1, 2024 21:48 UTC (Wed) by jackhalford (guest, #129675) [Link]
I've never thought of that, that's super scary. Anyway we usually don't give fine grained access via unix groups. Usually groups get f*ed anyway when sharing via smb/nfs. Still It's fair to say linux could do better in 2024.
"run0" as a sudo replacement
Posted May 2, 2024 2:47 UTC (Thu) by NYKevin (subscriber, #129325) [Link]
* To "fix my audio" (or WLAN, or whichever part of the desktop stack has gotten itself hilariously broken this time), by poking a hole in the security boundary that is somehow preventing it from working. Risk: Negligible, because the user that receives the access is already root-equivalent (in most cases, it's the human owner of the machine).
* To durably grant a specific daemon (e.g. the www-server) or family of related daemons access to a specific subtree of the filesystem (e.g. /var/www/...) without giving it full ownership (e.g. so I can deny write). Risk: Probably acceptable for pets? For cattle, I would prefer something more sophisticated like a container.
This notion that groups are a "real" security mechanism is crazy to me. I've never heard anyone suggest that they are reasonable and complete means of implementing discretionary access controls on pets, let alone the mandatory/role-based access controls that we would like to have on (most) cattle.
"run0" as a sudo replacement
Posted May 2, 2024 8:21 UTC (Thu) by jem (subscriber, #24231) [Link]
"run0" as a sudo replacement
Posted May 2, 2024 16:57 UTC (Thu) by NYKevin (subscriber, #129325) [Link]
"run0" as a sudo replacement
Posted May 2, 2024 18:29 UTC (Thu) by jem (subscriber, #24231) [Link]
I wouldn't be so sure shared computers are that rare yet. Just a few years ago specifications for multi-seat Linux workstations were written, i.e. support for several users working simultaneously on a single PC.
Obligatory XKCD: https://xkcd.com/1200
"run0" as a sudo replacement
Posted May 3, 2024 8:27 UTC (Fri) by anton (subscriber, #25547) [Link]
And the problem with that is? If the user wants to do some dialing out for others, they can already do so without setgid binaries.There is a problem, as pointed out elsewhere, about revoking group permissions, which requires eliminating setgid binaries owned by the users; the scanning approach is racy. It seems like that might be something for the security layers that put additional controls on system calls: For a setgid binary that is owned by a user that is not (no longer) in the group, ignore the setgid bit.
"run0" as a sudo replacement
Posted May 3, 2024 8:38 UTC (Fri) by cortana (subscriber, #24596) [Link]
"run0" as a sudo replacement
Posted May 3, 2024 8:44 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
"run0" as a sudo replacement
Posted May 3, 2024 9:36 UTC (Fri) by malmedal (subscriber, #56172) [Link]
It was understood from the beginning that this was problematic in some cases, so the administrators would usually mount home-directories and things like /tmp with nosuid and nodev options to disallow setgid and setuid.
It is less convenient today where it is common to use a single partition for everything, so I'd recommend people don't do that, use LVM.
"run0" as a sudo replacement
Posted May 3, 2024 4:35 UTC (Fri) by donald.buczek (subscriber, #112892) [Link]
We have many many hundreds of seperate storage areas (directories trees). These are mostly for scientific projects. They are accessible over nfs from a few hundreds multi-user systems. There is fine-grained access control: Only the group of scientists who work on a specific project have access to the related storage area. This is implemented via group membership. Each area has its own group and the directories have g=rwxs. User umask have zero in the group bits. I'd really like to know if anything is fundamentally wrong with this.
"run0" as a sudo replacement
Posted May 3, 2024 4:42 UTC (Fri) by mjg59 (subscriber, #23239) [Link]
"run0" as a sudo replacement
Posted May 3, 2024 7:18 UTC (Fri) by donald.buczek (subscriber, #112892) [Link]
Yes, that's a valid concern. There are some others. For example, often there is a service user for a project to run daemons, and people could drop a public key into the daemons authorized_keys or install a cronjob to secure their access. Or they could install something into a binary in the project and wait for someone else in the group to execute it. And, of course, users could just harvest all the data while they still have access.
You are right, you need to be aware of that and implement appropriate counter-measures, like monitoring and alarms.
Group membership as security measure
Posted May 3, 2024 10:44 UTC (Fri) by farnz (subscriber, #17727) [Link]
I think the key point here is that group membership as a security measure is largely like signs as a security measure; a sign on a closed door saying "Only Team Stripy Green past this point" is a security measure, it's just very weak, and only works when your people can be trusted anyway.
Group membership as security measure
Posted May 3, 2024 11:36 UTC (Fri) by donald.buczek (subscriber, #112892) [Link]
That is not true. If the Unix permissions don't allow you access to a file, because you don't have the required auxiliary group, there is no way for you to ignore the modes and access the file anyway.
And vice versa, even the most secure door lock will not help, if you just replace the lock in an attempt to deny access to the Green Team if you don't
- check, that no Green Team member hides in the room
- check, that a Green Team member did not open the window
- check, that a Green Team member did not already steal you stuff
- check, that a Green Team member did not install surveillance or a remote controllable robot in the room
- verify that the Red Team members do not trust notes or devices a Green Team member might have left in the room
and so on.
Group membership as security measure
Posted May 3, 2024 13:27 UTC (Fri) by farnz (subscriber, #17727) [Link]
But if I know someone who's a member of Team Stripy Green, they can transitively give me access to the group via setGID programs. And if I ever had group membership, you can't take it away without searching for any possible place I might have smuggled a setGID program. As with signs, as long as I respect the rules, groups are good security. But as soon as someone might have broken the rules, you need to do a lot more work to make things secure.
Signs are effective security as long as everyone obeys the rules that make them secure. Group membership is effective security as long as nobody breaks the rules; but as soon as I (e.g.) put a world-executable setGID shell in a public location, I've broken the security completely.
If you use groups expecting them to be a security measure, then you need to be aware of this. If you use them expecting them to have the capabilities of signs, you won't get caught out by the holes.
"run0" as a sudo replacement
Posted May 3, 2024 18:11 UTC (Fri) by sfeam (subscriber, #2841) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 14:40 UTC (Tue) by kleptog (subscriber, #1183) [Link]
Having a privileged component spawn the process and then passing you the TTY descriptor just seems much safer all round.
"run0" as a sudo replacement
Posted Apr 30, 2024 15:09 UTC (Tue) by MarcB (subscriber, #101804) [Link]
It is completely up to user-space to stick to some rules administrators have set (I'd like to point out, that the man page of "sudoers" still contains the legendary "Quick guide to EBNF", as immortalized by https://xkcd.com/1343/).
And to make it worse, this user-space starts from a hostile environment, from which it has to disentangle itself first. This is the huge advantage of the uid0 solution: Privileges are handed out from a clean, already privileged context instead of from an unprivileged context that tunnels through security boundaries.
"run0" as a sudo replacement
Posted Apr 30, 2024 15:40 UTC (Tue) by NYKevin (subscriber, #129325) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 15:46 UTC (Tue) by intelfx (subscriber, #130118) [Link]
Yes, you are. Because "poorly" and "well" in your comment are pretty much switched around compared to reality.
Publication format
Posted Apr 30, 2024 14:41 UTC (Tue) by zdzichu (subscriber, #17118) [Link]
Publication format
Posted Apr 30, 2024 17:05 UTC (Tue) by rsidd (subscriber, #2582) [Link]
Mastodon is not great but it's better than the rest, especially in that (unlike Google Plus, or for that matter blogspot etc) a corporation can't decide to just delete it all one day.
Publication format
Posted Apr 30, 2024 18:28 UTC (Tue) by rgb (subscriber, #57129) [Link]
Publication format
Posted Apr 30, 2024 20:01 UTC (Tue) by The_Barbarian (guest, #48152) [Link]
Publication format
Posted Apr 30, 2024 21:17 UTC (Tue) by iabervon (subscriber, #722) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 15:07 UTC (Tue) by linuxrocks123 (subscriber, #34648) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 15:08 UTC (Tue) by linuxrocks123 (subscriber, #34648) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 16:30 UTC (Tue) by mezcalero (subscriber, #45103) [Link]
The other init systems on Linux do not support a concept like that to my knowledge (i.e. an IPC API for transiently defining and invoking services without first prepping some file on disk).
"run0" as a sudo replacement
Posted Apr 30, 2024 17:07 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 17:20 UTC (Tue) by willy (subscriber, #9762) [Link]
"run0" as a sudo replacement
Posted May 1, 2024 1:53 UTC (Wed) by ejr (subscriber, #51652) [Link]
While this is a tempest, I'm not terribly sure I want to sip from this teapot. I'm amazed that our esteemed editor is willing to suffer the abuse from any mention of the systemd team / authors / author.
"run0" as a sudo replacement
Posted Apr 30, 2024 23:02 UTC (Tue) by Gaelan (subscriber, #145108) [Link]
"run0" as a sudo replacement
Posted May 1, 2024 8:53 UTC (Wed) by jhe (subscriber, #164815) [Link]
There are many great features in systemd, but they are unnecessarily coupled to an rather mediocre service supervisor and that's not okay.
"run0" as a sudo replacement
Posted May 1, 2024 9:10 UTC (Wed) by mezcalero (subscriber, #45103) [Link]
I mean sure, write your own "sudod" or whatever, but you are just reimplementing a service manager than, and probably a worse one?
"run0" as a sudo replacement
Posted May 1, 2024 10:59 UTC (Wed) by jhe (subscriber, #164815) [Link]
"run0" as a sudo replacement
Posted May 1, 2024 11:10 UTC (Wed) by mb (subscriber, #50428) [Link]
A service is something that runs in a well defined environment under well defined credentials. That is what the service manager provides. And that is exactly what sudo-like tools want. It's just triggered by the user instead of something else.
"run0" as a sudo replacement
Posted May 1, 2024 13:25 UTC (Wed) by joseph.h.garvin (subscriber, #64486) [Link]
"run0" as a sudo replacement
Posted May 1, 2024 12:15 UTC (Wed) by foom (subscriber, #14868) [Link]
You definitely CAN write a long-lived daemon, akin to sshd, to give authorized people a root shell without needing a service manager. But if you already HAVE a service manager available, which already has the necessary features (including the existing ability to spawn temporary "services"/"commands"), isn't it a lot simpler to rely on that instead of writing it from scratch?
Of course, if you have a system without a full-featured service manager, you don't have the option of relying on it, and would need to write the standalone daemon. But for everyone else, this architecture seems like a nice simplification and reduction of the attack surface.
"run0" as a sudo replacement
Posted May 1, 2024 15:09 UTC (Wed) by mezcalero (subscriber, #45103) [Link]
"run0" as a sudo replacement
Posted May 2, 2024 16:02 UTC (Thu) by Karellen (subscriber, #67644) [Link]
Even if that's not strictly true, it's mostly true enough of the time that it's an easy mental shortcut to fall into, especially if you don't spend non-trivial amount of time every day thinking about the subtleties of your init system and service management in general.
"run0" as a sudo replacement
Posted May 1, 2024 12:58 UTC (Wed) by gmaxwell (guest, #30048) [Link]
Why can't the 'sudo attack surface' be eliminated by giving the user access to a trivial program that will fork whatever they want (-- perhaps just bash), setting the setuid bit on it, and using file permissions so only the authorized user can run it?
Then the security attack surface is just the kernel filesystem permissions. No need for a potentially vulnerable and highly opaque network service to run privileged commands on demand.
Surely I'm missing something massive?
"run0" as a sudo replacement
Posted May 1, 2024 13:05 UTC (Wed) by mb (subscriber, #50428) [Link]
You just effectively gave the user full root privileges without any checks, passwords, rules or authentication. That is the second to largest attack surface possible. Only a kernel exploit would give you higher permissions.
You can just log in and work as root. That's much simpler.
"run0" as a sudo replacement
Posted May 1, 2024 23:31 UTC (Wed) by gmaxwell (guest, #30048) [Link]
"run0" as a sudo replacement
Posted May 2, 2024 7:34 UTC (Thu) by NYKevin (subscriber, #129325) [Link]
"run0" as a sudo replacement
Posted May 2, 2024 10:59 UTC (Thu) by niner (subscriber, #26151) [Link]
"run0" as a sudo replacement
Posted May 6, 2024 7:22 UTC (Mon) by anselm (subscriber, #2796) [Link]
On openSUSE I'm still asked for a password.
I haven't looked at openSUSE in a while, but does its sudo still ask for the root password rather than that of the current user? That used to be one of the more dubious and inexplicable aspects of the SUSE sudo configuration.
"run0" as a sudo replacement
Posted May 6, 2024 7:32 UTC (Mon) by niner (subscriber, #26151) [Link]
"run0" as a sudo replacement
Posted May 18, 2024 17:37 UTC (Sat) by mrugiero (guest, #153040) [Link]
I actually came to mention that, because I saw some pushback to the idea that I slightly suspect comes just from anti-systemd sentiments. Showing a solution in that same camp could help calm the waters if that's the case. It is a good idea that solves a real problem, whether you like who is implementing it or not (and whether you like the particular implementation choices or not).
"run0" as a sudo replacement
Posted Apr 30, 2024 15:56 UTC (Tue) by carlosrodfern (subscriber, #166486) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 16:05 UTC (Tue) by mb (subscriber, #50428) [Link]
------------------------------------------------------------------------------- Language files blank comment code ------------------------------------------------------------------------------- C 374 16153 23054 113185 PO File 73 29548 47647 76641 Bourne Shell 93 8817 6354 51068 C/C++ Header 93 1861 5000 18994 m4 24 1335 602 14704 yacc 2 262 175 2609 Markdown 10 678 0 2522 lex 1 172 126 1295 Perl 4 311 362 1151 Puppet 3 79 365 560 Python 10 152 209 345 YAML 5 16 38 260 JSON 7 0 0 236 sed 4 16 1 229 Protocol Buffers 2 22 49 136 Expect 7 0 0 108 Dockerfile 7 7 0 59 Text 1 0 0 1 ------------------------------------------------------------------------------- SUM: 720 59429 83982 284103 -------------------------------------------------------------------------------because sudo is simple That is not my definition of "simple" https://www.sudo.ws/repos/sudo/file/tip
"run0" as a sudo replacement
Posted Apr 30, 2024 16:45 UTC (Tue) by carlosrodfern (subscriber, #166486) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 20:25 UTC (Tue) by mezcalero (subscriber, #45103) [Link]
I mean, that's the thing, systemd with its many many binaries is roughly the same amount of code as wpa supplicant (currently a bit more, but over the years sometimes we were ahead, and sometimes them). People really should put that into perspective from time to time: systemd isn't actually that big.
I mean, there's are many reasons we have a monorepo for our components, and yes, the ability to *easily* reuse code (and thus strongly reduce footprint) is one of them.
Lennart
"run0" as a sudo replacement
Posted May 1, 2024 2:13 UTC (Wed) by WolfWings (subscriber, #56790) [Link]
Sometimes I lean on iwd for the WPA aspect on the wireless devices that will wander into random coffee shops more, but by and large most real-world configurations I'm finding are simpler to define and backup with networkd because it's not trying to be perl line-noise density, and likewise -boot is FAR less hassle than grub to customize to do what I want without a lot of rigamarole.
"run0" as a sudo replacement
Posted May 2, 2024 6:36 UTC (Thu) by gutschke (subscriber, #27910) [Link]
Yes, it is yet another new tool to learn. And I am usually the first in line to complain that change is hard. But it didn't take me very long to figure out, and it was so worth it. I wish all distributions would switch to it by default -- at least when deploying a server. Maybe, for a mobile device with networking that changes regularly, there are other options that are still a better fit. But I find that these days I don't have many of those systems. Most things run inside various virtual machines and systemd-networkd works beautifully for those.
"run0" as a sudo replacement
Posted Apr 30, 2024 23:43 UTC (Tue) by ras (subscriber, #33059) [Link]
But Lennart pounds on in his post about security being one of those wins, and that seems highly unlikely to me. Sudo hasn't had the many problems over the years, and I can't think of an "unsurprising" one - they've all been bring things like buffer overflows. That's to be expected. It's one standlone tool, it does one job, and a configuration format needing a BNF to describe it notwithstanding it's easy for one man to get his head around all of it.
Getting your head around what the 66MB of source in systemd does is not so easy. And it's damned complex event driven code, with a lot of the events delivered via RPC. I was stunned by how uttered unexpected interactions between systemd and dll's were exploited by the XZ utils attack to infect an unrelated binary that ran as root. But that's exactly the outcome I'd expect from something as complex as the thing systemd has become. Run0 would have been a very juicy target for the XZ utils hack.
"run0" as a sudo replacement
Posted May 1, 2024 0:47 UTC (Wed) by ras (subscriber, #33059) [Link]
sudo: 284K, systemd: 1,981K
Note: I'm just comparing total lines because I'm too lazy to put the effort you put into your table.
"run0" as a sudo replacement
Posted May 1, 2024 1:05 UTC (Wed) by bluca (subscriber, #118303) [Link]
Also, this functionality already exists, and already has to be robust, there's nothing fundamentally new, apart from a nice and tidy user interface (which is of course fundamental). But the security-relevant stuff is all pre-existing and quite old at this point, and it has to work as intended or we'd already be in big troubles, that's one of the main advantages of run0.
"run0" as a sudo replacement
Posted May 1, 2024 1:08 UTC (Wed) by bluca (subscriber, #118303) [Link]
"run0" as a sudo replacement
Posted May 1, 2024 4:55 UTC (Wed) by ras (subscriber, #33059) [Link]
That aside, if you look at what sudo project does and what the systemd project does one is clearly; nay blatantly much more ambitious and complex than the other. Attempts to paint it otherwise are drawing a very long bow.
"run0" as a sudo replacement
Posted May 2, 2024 11:08 UTC (Thu) by niner (subscriber, #26151) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 16:11 UTC (Tue) by warrax (subscriber, #103205) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 16:13 UTC (Tue) by farnz (subscriber, #17727) [Link]
sudo is not simple, by any stretch of the imagination; it has a plug-in architecture, a complex file format for /etc/sudoers (with associated parser), and a whole pile of code whose job is to sanitise the execution environment so that it's "safe" for the rest of sudo to run. If any of that code has a bug, then there's a root exploit.
In contrast, systemd-run runs as you - if the code to parse your request for privilege escalation has a bug, it's not an exploit. The attack surface is the stuff that takes the parsed request, and decides what to do with it - which is much smaller than sudo.
"run0" as a sudo replacement
Posted Apr 30, 2024 16:50 UTC (Tue) by carlosrodfern (subscriber, #166486) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 17:04 UTC (Tue) by farnz (subscriber, #17727) [Link]
The other important gap is that sudo's security boundary is "the entirety of sudo including all its dependencies". This is implicit in being a SUID binary; privilege escalation happens before any of sudo's code is run, and thus an exploitable bug in sudo's code is running as root immediately.
In contrast, in the run0 design, the thing that's running as root is the init system - which has to be safe to invoke as root, since that's what the kernel does on start-up. Further, the socket used to send run0 requests to the root code is already present and usable in the absence of run0, so it has to be secure.
This is nice because it's using a security boundary that you already have on your system, and repurposing it to replace a big lump of security-relevant code with a simple binary that sends a message over IPC to the privileged core.
"run0" as a sudo replacement
Posted Apr 30, 2024 17:39 UTC (Tue) by developer122 (guest, #152928) [Link]
I suppose it's not a terrible solution to the complexity of dropping all the process context that has accumulated over the last 50 years or so (since setuid was invented). It's simple enough that it seems this could have been invented 30 years earlier, and should be pretty simple to implement in other *nixes. Maybe an unprivileged sudo client utility and a sudod server that forks off privileged processes. Name it whatever you want.
I think this is not quite the panacea it might be mistaken for though. There's more to spawning a privileged process than just someone with higher authority doing it for you. There's also a lot of accumulated experience with setuid (with varying success, see above) but this whole idea of asking a daemon to spawn privileged processes for you is pretty much brand-new. It hasn't seen the kind of use that sudo has.
With this sort of client-server model you need to handle logins, for a start. In this case there's also some tomfoolery with redirecting terminals that I'm sure will be the subject of hijacking attempts, and which will also cause input/output to get lost or leaked.
There's also the problem of the context you might WANT to propagate, beyond just command-line arguments. What if a privileged process wants to check an environment variable in the user context, like a print spooler checking someone's preferred $PRINTER variable? Here there doesn't seem to be a mechanism for the server to make such requests back to the user's shell.
"run0" as a sudo replacement
Posted Apr 30, 2024 17:46 UTC (Tue) by developer122 (guest, #152928) [Link]
Create a privileged server to spawn processes and a client app to request it. Come up with a way to establish an exclusive connection between them, and a protocol to handle things like login, request for environment variables, and future extensions for other requests for context. Come up with a way to tunnel stdin/stout/stderr, and make sure that the streams won't cross with the out-of-band management that handles requests for the user context's environment variables and such.
Maybe dbus is an easy way to set up such a channel of communication, or maybe the BSDs can think of something simpler. I dunno.
"run0" as a sudo replacement
Posted Apr 30, 2024 19:02 UTC (Tue) by dbnichol (subscriber, #39622) [Link]
I personally wouldn't want the privileged process to be asking further "hey do you want to add anything more to the environment" questions. If you want to pass through your printer variable, --setenv=PRINTER. It seems much more sane to tell the privileged process how to setup the environment once than have some interactive dialog with it.
"run0" as a sudo replacement
Posted Apr 30, 2024 18:03 UTC (Tue) by farnz (subscriber, #17727) [Link]
There's also the problem of the context you might WANT to propagate, beyond just command-line arguments. What if a privileged process wants to check an environment variable in the user context, like a print spooler checking someone's preferred $PRINTER variable? Here there doesn't seem to be a mechanism for the server to make such requests back to the user's shell.
This doesn't need to be done as a request back to the user's shell - the thing requesting a process invocation can pass forward all the context that you want to propagate. And we know from painful experience that it's easier to have a setup where we build up the invoked process's environment from the bits it's "supposed" to get, than to have one where we remove the things it "shouldn't" get.
"run0" as a sudo replacement
Posted May 1, 2024 8:51 UTC (Wed) by NYKevin (subscriber, #129325) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 18:05 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]
You can specify them explicitly in your unit's description.
"run0" as a sudo replacement
Posted Apr 30, 2024 18:16 UTC (Tue) by bluca (subscriber, #118303) [Link]
It is absolutely not brand-new, it's been there in all major Linux distributions for the past decade, as the new command is a nice and welcome interface around existing mechanisms. Both systemd-run and polkit have existed for a long time now.
Just try it: on your existing Linux distro desktop installation, without this new version, run 'systemd-run -t id' and see what happens.
"run0" as a sudo replacement
Posted May 1, 2024 9:49 UTC (Wed) by marcin (subscriber, #159076) [Link]
user@localhost:~$ systemd-run -t id Running as unit: run-u120.service Press ^] three times within 1s to disconnect TTY. uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_service_t:s0 user@localhost:~$ sudo id uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 user@localhost:~$Well, the difference I see, on my Fedora 40 system, is a different SELinux context.
"run0" as a sudo replacement
Posted May 1, 2024 11:48 UTC (Wed) by bluca (subscriber, #118303) [Link]
"run0" as a sudo replacement
Posted May 18, 2024 17:56 UTC (Sat) by mrugiero (guest, #153040) [Link]
Not really. This is what's called a rediscovery. See: https://skarnet.org/software/s6/s6-sudod.html
Written 10 years ago according to: https://github.com/skarnet/s6/commits/master/doc/s6-sudod...
"run0" as a sudo replacement
Posted Apr 30, 2024 18:09 UTC (Tue) by flussence (subscriber, #85566) [Link]
Tangential to this but I'd like to see all existing suid usage on traditional Linux systems replaced with filecaps. Alas, that's currently impossible with NFS involved because it silently discards the capability xattrs. And not for security reasons either, because it allows the setuid bit itself through just fine.
"run0" as a sudo replacement
Posted Apr 30, 2024 20:44 UTC (Tue) by mezcalero (subscriber, #45103) [Link]
(i don't think fcaps are much of an improvement over suid though. They are simply too coarse to be useful for anything beyond ping. i.e. if you have to give a binary CAP_SYS_ADMIN you might as well give it suid root (or, as LWN would call it, give it "setuid root").
The concept of being able to acquire additional privs is the problem. it doesn't matter if it's all of root you get that way or just "almost root"...
NNP FTW! NNP or death!
"run0" as a sudo replacement
Posted Apr 30, 2024 21:39 UTC (Tue) by flussence (subscriber, #85566) [Link]
Regarding fcaps you're right; it's more of a stop-gap measure than something to encourage proliferation of. After spending months studying all this stuff, enforcing security policy top-down makes a whole lot of sense. (It's also a good way to drive oneself mad by becoming acutely aware of the general state of the union - the “bad kerning” effect all over again)
"run0" as a sudo replacement
Posted May 1, 2024 12:42 UTC (Wed) by aragilar (subscriber, #122569) [Link]
"run0" as a sudo replacement
Posted May 1, 2024 13:11 UTC (Wed) by mezcalero (subscriber, #45103) [Link]
See PR_SET_NO_NEW_PRIVS on https://man7.org/linux/man-pages/man2/prctl.2.html
It disables the effect of suid/sgid/fcaps (or as LWN would say: "setuid" & "setgid").
"run0" as a sudo replacement
Posted May 1, 2024 13:23 UTC (Wed) by atnot (subscriber, #124910) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 20:54 UTC (Tue) by smcv (subscriber, #53363) [Link]
If the capability your setuid program needs to exercise is one of the ones that are genuinely narrowly-scoped (like CAP_AUDIT_READ and CAP_BLOCK_SUSPEND), then maybe that's a positive, but if the capability you need to exercise is one of the ones that is root-equivalent anyway, then replacing setuid with setcap has no benefit. I'd estimate that about half the capabilities are in each category. (Please interpret "root" in this comment as shorthand for "unrestricted uid 0 with all capabilities".)
For example, CAP_CHOWN lets you give yourself ownership of /bin/sh and trojan other processes, or temporarily give yourself ownership of /etc/sudoers and subvert sudo, so that's root-equivalent; CAP_DAC_OVERRIDE lets you write to system files, ditto; CAP_SETFCAP lets you give yourself any other capability; CAP_SETUID lets you become uid 0 and do AF_UNIX IPC to any process that trusts uid 0, like for example systemd; CAP_SYS_ADMIN does dozens of miscellaneous things including manipulating the mount table, which for example lets you swap out authorization configuration and become root that way; CAP_SYS_PTRACE lets you attach a debugger to a privileged process and make it execute arbitrary code for you; and so on.
Unfortunately, a lot of the behaviours we want from setuid programs do need one of the capabilities that is root-equivalent. bubblewrap briefly supported being installed either setuid-root or setcap on systems where unprivileged users can't normally create new user namespaces, but then its maintainers realised that there was no actual security benefit to it being setcap, because one of the capabilities it needs is CAP_SYS_ADMIN, so for simplicity it now only supports the two extreme positions: either completely unprivileged, or setuid-root.
"run0" as a sudo replacement
Posted Apr 30, 2024 20:59 UTC (Tue) by smcv (subscriber, #53363) [Link]
... and the reason why services like systemd trust uid 0, rather than trusting processes that have (say) CAP_SYS_ADMIN, is that there is a secure, race-free, widely-available mechanism to ask the kernel "does this AF_UNIX connection come from uid 0?", but no widely available way to ask "does the other end of this AF_UNIX connection have CAP_SYS_ADMIN?" without an exploitable race condition.
(pidfd might solve that, but is not yet ubiquitous.)
"run0" as a sudo replacement
Posted Apr 30, 2024 21:54 UTC (Tue) by flussence (subscriber, #85566) [Link]
The general sense I've gotten from exploring capability stuff is that it's still useful for defense in depth, but like you point out it's not watertight. That may just be from a lack of eyes on it.
"run0" as a sudo replacement
Posted May 1, 2024 8:55 UTC (Wed) by NYKevin (subscriber, #129325) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 19:38 UTC (Tue) by jlayton (subscriber, #31672) [Link]
Is that more secure? Possibly. setuid binaries are horrible, so having this power concentrated in a running daemon may be better and simpler to audit.
One thing I might wish for here: today I do occasionally have to kill off a privileged process that was spawned via sudo. It would be nice to keep a table of requestor pid vs. privileged spawned pid that could be queried in some fashion, in case you do need to do that sort of tracking down of processes.
"run0" as a sudo replacement
Posted Apr 30, 2024 20:50 UTC (Tue) by mezcalero (subscriber, #45103) [Link]
We do not propagate info about the originating user right now into the service metadata. I guess we could do that though, for example simply in the description string for the service. Makes sense I guess.
"run0" as a sudo replacement
Posted May 1, 2024 8:54 UTC (Wed) by PhilippWendler (subscriber, #126612) [Link]
"run0" as a sudo replacement
Posted May 2, 2024 9:39 UTC (Thu) by taladar (subscriber, #68407) [Link]
"run0" as a sudo replacement
Posted May 1, 2024 9:25 UTC (Wed) by vegard (subscriber, #52330) [Link]
"run0" as a sudo replacement
Posted May 1, 2024 9:52 UTC (Wed) by bluca (subscriber, #118303) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 21:53 UTC (Tue) by timrichardson (subscriber, #72836) [Link]
"run0" as a sudo replacement
Posted Apr 30, 2024 22:05 UTC (Tue) by bluca (subscriber, #118303) [Link]
"run0" as a sudo replacement
Posted May 1, 2024 1:57 UTC (Wed) by ejr (subscriber, #51652) [Link]
"run0" as a sudo replacement
Posted May 1, 2024 6:12 UTC (Wed) by wtarreau (subscriber, #51152) [Link]
I'm not completely sold to it. I think it could be a nice complement to sudo but am not 100% convinced that users (or developers) will be willing to alias sudo to run0 everywhere yet.
"run0" as a sudo replacement
Posted May 1, 2024 8:21 UTC (Wed) by mezcalero (subscriber, #45103) [Link]
This isn't novel. It's exactly what ssh does too (and telnet before it). The C-c is routed to the right place following the semantics UNIX intended.
"run0" as a sudo replacement
Posted May 1, 2024 16:30 UTC (Wed) by damaya1982 (subscriber, #170817) [Link]
"run0" as a sudo replacement
Posted May 1, 2024 16:59 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link]
PolKit is indeed a strange beast, and it also needs to be replaced. It's not the worst auth framework, though.
"run0" as a sudo replacement
Posted May 1, 2024 17:46 UTC (Wed) by ferringb (subscriber, #20752) [Link]
The most important step here is decoupling the policy being SUID side (and relying on SUID), and getting a standard API for CLI privilege escalation. Once that's in place folks can change up the backend as desired.
"run0" as a sudo replacement
Posted May 1, 2024 18:37 UTC (Wed) by damaya1982 (subscriber, #170817) [Link]
Before I could have a system without sudo at all. It sounds like every system will have run0 by virtue of the fact that it uses systemd, which to me is ridiculous. Why should I need all of these things simply because I am using an init system?
"run0" as a sudo replacement
Posted May 1, 2024 18:47 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link]
"run0" as a sudo replacement
Posted May 1, 2024 19:11 UTC (Wed) by pizza (subscriber, #46) [Link]
The only new functionality here is tying the pty of the launched executable back to the terminal of the user instead of redirecting all output to the journal. Well, and some cmdline syntactic sugar that lets run0 be a drop-in replacement for most sudo invocations.
99% of the time, the local user has full rights to make sudo execute whatever they want, often without even entering a password; run0 is a vastly simpler replacement for that overwhelmingly common use case. For the remaining 1% where you have finer-grained access control (and/or its wide swath of authentication/permission mechanisms) in /etc/sudoers, 'sudo' remains available.
Personally, there doesn't appear to be anything I use sudo for that run0 can't handle. Indeed, it would actually _simplify_ some stuff that requires me to further sanitize the environment that sudo creates..
"run0" as a sudo replacement
Posted May 2, 2024 11:43 UTC (Thu) by farnz (subscriber, #17727) [Link]
IIUC, some of that 1% with finer-grained access control can be met for run0 via polkit rules controlling what you can and cannot do, at that.
"run0" as a sudo replacement
Posted May 2, 2024 0:12 UTC (Thu) by ferringb (subscriber, #20752) [Link]
If you don't like what a developer is doing- someone donating code *to everyone, including the ungrateful*- then don't use it, or better yet, skip the chat boards and go write an alternative and try to convince folks it's better.
Udev, systemd, systemd-boot, etc; if you were around/hacking on the old init system internals and trying to make this all do the things needed, you'd find that eventually the best approach is to have them under the same house. The fact is there are interdependencies across all of it and bash absolutely does not cut it. Trace the eveolution of openrc's metadata additions if in doubt.
Look, go back to bash scripts. For your needs perhaps it's enough, but everything I've worked with across 25 years, the systemd folks are on the right track, including building actual community support across the developers/maintainers- the folks who actually do the work.
"run0" as a sudo replacement
Posted May 2, 2024 2:45 UTC (Thu) by sjj (subscriber, #2020) [Link]
"run0" as a sudo replacement
Posted May 2, 2024 10:12 UTC (Thu) by damaya1982 (subscriber, #170817) [Link]
"run0" as a sudo replacement
Posted May 2, 2024 9:37 UTC (Thu) by motk (subscriber, #51120) [Link]
"run0" as a sudo replacement
Posted May 2, 2024 10:36 UTC (Thu) by damaya1982 (subscriber, #170817) [Link]
* who ignores POSIX standards
* created Avahi
* has no issue with breaking userspace (though complains when kernel devs break systemd)
* thinks you reduce the attack surface by putting everything under PID 1
* has a real goal of putting everything in systemd
started to have a real say in the direction of things. Now that he works for Microsoft I'd suggest he go screw that OS up, but that mission accomplished banner flew a long time ago.
"run0" as a sudo replacement
Posted May 2, 2024 11:21 UTC (Thu) by niner (subscriber, #26151) [Link]
Please, since it doesn't affect you anyway, feel free to completely ignore systemd and keep your thoughts on it an Lennart off lwn.net. I don't think anyone sees these comments as a benefit to LWN readers. In fact a few people clearly say the opposite.
"run0" as a sudo replacement
Posted May 2, 2024 11:51 UTC (Thu) by damaya1982 (subscriber, #170817) [Link]
As I said above, the unit files are great. Systemd has done a pretty good job as an init system, and most people would have zero complaints if that is all it did. However, Lennart wants to put everything under the umbrella of system. So, when using an init system you're getting far more than an init system, and the replacements within systemd are often flaky junk. Maybe it is because trying to do everything spreads a person thin?
And frankly, Lennart is no saint. He acts like an insecure person when he is critiqued. I'm not wishing death on the guy, or harm to him in any way. I am simply saying that his contributions have been a net negative. Had systemd remained an init system, I would not be saying that.
A request
Posted May 2, 2024 13:41 UTC (Thu) by corbet (editor, #1) [Link]
If you think that there is something technically wrong with run0, feel free to discuss it here. But you need to refrain from attacks on people, even the ones you disagree with. That is not what LWN is for.
A request
Posted May 2, 2024 14:22 UTC (Thu) by damaya1982 (subscriber, #170817) [Link]
A request
Posted May 2, 2024 14:37 UTC (Thu) by niner (subscriber, #26151) [Link]
For what it's worth, I do not see your assumption supported by Lennart's actual actions. Instead for every single new solution that systemd picks up, I see a well argued reason for why this is better than what existed before. It's also not just arguments. The fact alone that in this case run0 is just a thin convenience wrapper over functionality that emerged from the existing low level building blocks also suggests, that this is just good engineering.
A request
Posted May 2, 2024 15:06 UTC (Thu) by farnz (subscriber, #17727) [Link]
Indeed, their attack is against something that I, personally, do not see Lennart doing; Lennart's philosophy from my perspective is twofold: first, don't work around bugs when you could go to the upstream or downstream project and fix them (which is where a lot of PulseAudio issues came from), and secondly, try to minimize divergence for divergence's sake between Linux distros (e.g. spelling it "up" in one distro and "start" in another).
Plus, a lot of systemd code comes from people other than Lennart.
"run0" as a sudo replacement
Posted May 3, 2024 14:44 UTC (Fri) by mtthu (subscriber, #123091) [Link]
"run0" as a sudo replacement
Posted May 1, 2024 20:02 UTC (Wed) by mb (subscriber, #50428) [Link]
That greatly reduces the attack surface.
systemd (and systemd-run) is installed on all of my systems, anyway.
TIOCSTI
Posted May 2, 2024 9:38 UTC (Thu) by cortana (subscriber, #24596) [Link]
(I know modern kernels have a sysctl that disables TIOCSTI but that's not been backported to Debian or RHEL's kernels...)
"run0" as a sudo replacement
Posted May 2, 2024 12:59 UTC (Thu) by e-rk (subscriber, #166547) [Link]
I'm just hoping that the command won't have a number in its name, because it makes it awkward to type.
Finally admin actions will start working just as well as audio (with PulseAudio)
Posted May 5, 2024 12:34 UTC (Sun) by habets (guest, #72220) [Link]
Finally admin actions will start working just as well as audio (with PulseAudio)
Posted May 5, 2024 13:58 UTC (Sun) by pizza (subscriber, #46) [Link]
Haven't you heard? Thanks to Azure, what's good for Linux is _very_ good for MSFT these days.
Meanwhile, AAPL is going to AAPL and continue to vertically integrate whatever the f- regulators let them get away with. They don't give a gnat's crap about what "Linux" does.
"run0" as a sudo replacement
Posted May 6, 2024 20:31 UTC (Mon) by immibis (subscriber, #105511) [Link]