|
|
Subscribe / Log in / New account

"run0" as a sudo replacement

[Posted April 30, 2024 by corbet]

This Mastodon stream from Lennart Poettering describes a sudo replacement — called run0 — that will be part of the upcoming systemd 256 release. It takes a rather different approach to the execution of privileged commands, avoiding the use of setuid (which he calls "SUID") permissions entirely.

So, in my ideal world, we'd have an OS entirely without SUID. Let's throw out the concept of SUID on the dump of UNIX' bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful manual clean-up is just not how security engineering should be done in 2024 anymore.

(Log in to post comments)

"run0" as a sudo replacement

Posted Apr 30, 2024 14:15 UTC (Tue) by mezcalero (subscriber, #45103) [Link]

I don't think I am the only one calling the concept "suid", am I? a quick grep reveals that the kernel calls it that too, in concepts such as /proc/sys/fs/suid_dumpable, or the mount() system call's MS_NOSUID, and so on? I mean, the inode flags are called
S_ISUID too, not S_ISETUID?

I think calling the flags "setuid" (as lwn appears to prefer?) just blurs things, since that's the name of a syscall (setuid()), which does something related, but is not actually involved in the concept that the inode SUID flag is about.

Hence, I am a bit confused what that comment here is supposed to achieve? It just creates confusion?

Lennart

SUID

Posted Apr 30, 2024 14:21 UTC (Tue) by corbet (editor, #1) [Link]

Lennart, the purpose was to be sure that readers knew what the term meant in the quote, nothing more.

SUID

Posted Apr 30, 2024 17:00 UTC (Tue) by rsidd (subscriber, #2582) [Link]

I agree with Lennart, he is hardly the only one to call it SUID. It is about as common as "setuid" in things I have read, spanning unixen. To single him out ("which [Lennart] calls SUID") is really odd.

SUID

Posted Apr 30, 2024 17:08 UTC (Tue) by corbet (editor, #1) [Link]

I will admit to being entirely confused about what the problem is here. Nobody is being singled out; the purpose was simply to give a definition to an acronym. Are people reading in some sort of criticism that was not intended to be there?

SUID

Posted Apr 30, 2024 17:36 UTC (Tue) by marcH (subscriber, #57642) [Link]

> Nobody is being singled out;

... which "he" calls...

Easily over-interpreted as "which [only] he calls"

That aside, language questions tend to be emotional in general. Feeling misunderstood hurts.

SUID

Posted Apr 30, 2024 19:53 UTC (Tue) by The_Barbarian (guest, #48152) [Link]

Maybe "setuid (also known as SUID)" or something? I admit it had me doubting myself for a second, I went searching to make sure I wasn't crazy thinking they were both common names for the same thing.

SUID

Posted Apr 30, 2024 20:27 UTC (Tue) by mezcalero (subscriber, #45103) [Link]

Yeah, I think writing it like that, i.e. without reference to my person would not have made me question what this sentence was supposed to mean.

SUID

Posted Apr 30, 2024 20:54 UTC (Tue) by AdamW (subscriber, #48457) [Link]

The question is why you didn't just write:

"avoiding the use of SUID permissions entirely."

The way you wrote it implies that everyone else calls it "setuid", so you have to explain Lennart's odd choice of word so that we will explain. There doesn't appear to be any other reason not to just write it more simply.

SUID

Posted Apr 30, 2024 21:00 UTC (Tue) by corbet (editor, #1) [Link]

Because. I. wanted. to. define. the. acronym. SUID.

"Setuid" is the term we have always used; SUID is not. I have some reason to believe that LWN readers are familiar with seeing "setuid" by now. I was not so sure about SUID; since it appeared in the quote, I felt the need to (as we normally do) give it a meaning.

I'm sorry if I offended somebody by so doing. But can we please give this a break now? If that is the worst thing we've written this day, we're doing pretty well.

SUID

Posted May 19, 2024 16:25 UTC (Sun) by DanilaBerezin (subscriber, #168271) [Link]

Strangest and silliest thing I've ever seen someone be dog pilled for. I immediately understood what the purpose of the comment was, still don't understand what everyone else is struggling with.

"run0" as a sudo replacement

Posted Apr 30, 2024 15:08 UTC (Tue) by jrtc27 (subscriber, #107748) [Link]

It seems that Unix V4 called it SUID, Unix V6 introduced the odd lowercase "suid" in comments and Unix V7 is the first place where "setuid" appears referring to the file mode rather than the system call. (Source: grep of TUHS's unixtree.tar.bz2)

"run0" as a sudo replacement

Posted Apr 30, 2024 15:16 UTC (Tue) by PengZheng (subscriber, #108006) [Link]

> as lwn appears to prefer

IIRC, "setuid" is actually the preferred term of man7.org, from which lots of Linux users get their Linux knowledge.
That comments serves to resolve their possible confusion.

"run0" as a sudo replacement

Posted May 3, 2024 20:31 UTC (Fri) by jwilk (subscriber, #63328) [Link]

If you mean the man-pages project, their preferred term is "set-user-ID".

Source: https://manpages.debian.org/bookworm/manpages/man-pages.7...

"run0" as a sudo replacement

Posted Apr 30, 2024 14:34 UTC (Tue) by DimeCadmium (subscriber, #157243) [Link]

Am I the only one who would much rather allow the kernel to continue enforcing this security boundary well rather than allowing the likes of polkit and systemd to enforce it poorly?

"run0" as a sudo replacement

Posted Apr 30, 2024 14:37 UTC (Tue) by vadim (subscriber, #35271) [Link]

Yes. I mean, the kernel isn't really enforcing anything here. A binary with setuid just runs as root, and that's that.

Any enforcement, policies and so on are up to the userspace program being run. And setuid isn't a good mechanism in that it allows the user to attempt to subvert the execution of setuid tools like sudo.

"run0" as a sudo replacement

Posted Apr 30, 2024 14:47 UTC (Tue) by DimeCadmium (subscriber, #157243) [Link]

The kernel enforces the elevation, which includes file permissions and other controls (like LD_PRELOAD for example).

By comparison this sounds like an invitation to repeat CVE-2021-3560

"run0" as a sudo replacement

Posted Apr 30, 2024 14:57 UTC (Tue) by farnz (subscriber, #17727) [Link]

The kernel doesn't enforce LD_PRELOAD and other controls - it relies on userspace getting environment variable handling across SUID correct. The kernel "merely" changes the real UID when running a setUID program; it's then up to user space to correctly handle the rest of the process execution environment (environment variables, groups, umask, effective UID etc).

And that's what this aims to address - because this goes back to a daemon which starts things from a known environment, instead of having to scrub everything it knows about to get to a sane state, noting that if it doesn't know about something important, it's got a security hole, it instead starts things in a sane state and copies over just enough environment to be useful.

"run0" as a sudo replacement

Posted Apr 30, 2024 15:10 UTC (Tue) by DimeCadmium (subscriber, #157243) [Link]

SUID already starts things from a known environment, though. That's my point. Is the environment that systemd starts things in known? Really no, rather it's defined but in order to know you've got to go look in about a bajillion different spots.

"run0" as a sudo replacement

Posted Apr 30, 2024 15:17 UTC (Tue) by vadim (subscriber, #35271) [Link]

> SUID already starts things from a known environment, though.

No, it doesn't. Give it a try.

> Is the environment that systemd starts things in known? Really no, rather it's defined but in order to know you've got to go look in about a bajillion different spots.

A lot more defined in fact in that it's not controlled by the calling user.

"run0" as a sudo replacement

Posted Apr 30, 2024 15:22 UTC (Tue) by mattdm (subscriber, #18) [Link]

> Really no, rather it's defined but in order to know you've got to go look in about a bajillion different spots.

Do you know about `systemctl show` (possibly with `--all`)?

"run0" as a sudo replacement

Posted Apr 30, 2024 15:33 UTC (Tue) by farnz (subscriber, #17727) [Link]

No, SUID on its own does not start from a known environment. It starts from the environment set by the caller of exec, except that where a normal process has the same real UID as the caller of exec, a SUID binary has the real UID taken from the file that was executed.

This is why SUID binaries are so hard to get right - the entire process execution environment is under attacker control, except for the real UID of the process. Everything that runs in the SUID process has to pay attention to whether real UID == effective UID, and if it doesn't, it has to go into a "secure" mode where it doesn't trust the environment - but this includes things like the ELF interpreter, ld.so. If a new feature is added to ld.so by the glibc team, and they don't realise that it has security implications, then they may not remember to put the "am I SUID?" check around it, and the result is an exploit. Similar applies if the SUID binary itself is influenced by environment variables, but doesn't properly check to see if they could have been set by an attacker.

In contrast, systemd's environment is entirely under systemd's control; the kernel starts process ID 1 in a defined environment, and systemd can ensure that when it starts a process at run0's request, it does so in a clean environment where there's nothing to surprise a newly started process. Instead, run0 has to explicitly copy over the parts of the execution environment that you want in your escalated process - and we know from long experience that "explicitly copy over what I want" is a better security boundary than "copy over everything, then remove the dangerous bits".

"run0" as a sudo replacement

Posted Apr 30, 2024 15:04 UTC (Tue) by josh (subscriber, #17465) [Link]

> The kernel enforces the elevation, which includes file permissions and other controls (like LD_PRELOAD for example).

No, it largely doesn't. The kernel sets AT_SECURE in the auxiliary vector, and then the C library and dynamic linker turns off the use of various environment variables when AT_SECURE is set.

(There are some kernel mechanisms around suid, but that isn't one of them.)

"run0" as a sudo replacement

Posted Apr 30, 2024 15:09 UTC (Tue) by DimeCadmium (subscriber, #157243) [Link]

> The kernel sets AT_SECURE in the auxiliary vector

> but that isn't one of them

OK.

"run0" as a sudo replacement

Posted May 1, 2024 11:11 UTC (Wed) by pbonzini (subscriber, #60935) [Link]

That = "getting environment variable handling across SUID correct", which is done by userspace (lib and ld-linux.so) not by the kernel.

"run0" as a sudo replacement

Posted Apr 30, 2024 19:39 UTC (Tue) by wahern (subscriber, #37304) [Link]

> A binary with setuid just runs as root, and that's that.

The new process only has root privileges if the owner of the file is root. You can use SUID to simply change privileges to some other dedicated user. Likewise, you can use the SGID bit to change group privileges. This is how
BSD Auth, an alternative to PAM, works on OpenBSD: there are several binaries under /usr/libexec/auth that utilize SUID and SGID.

> Any enforcement, policies and so on are up to the userspace program being run. And setuid isn't a good mechanism in that it allows the user to attempt to subvert the execution of setuid tools like sudo.

You can use normal file permission policies, specifically group permissions, to control who can execute an SUID or SGID binary. Again, this is how BSD Auth works on OpenBSD. Unlike with PAM, for example, I can grant a daemon permissions to verify system passwords by adding that service user to the `auth` group, whereas with PAM you'd normally need to run as root. (Access control to the specialized authentication binaries, which themselves variously use SUID and SGID, is accomplished using read and exec restrictions on the /usr/libexec/auth subdirectory where the binaries live.)

Traditional Unix file permissions permit much more sophisticated access models than commonly encountered on typical Linux systems. They're not perfect, but they're woefully underutilized, supplementary groups in particular.

There are myriad pitfalls to utilizing SUID and SGID permissions, but *most* pitfalls will be common to any privilege brokering scheme--they're mostly variations of the Confused Deputy problem. There are only a few specific to SUID/SGID, most notably dynamic library loading (e.g. LD_PRELOAD) and file descriptor inheritance. One of the reasons those were a problem historically is incomplete facilities available for dealing with them. OpenBSD added issetugid(2) to make it easier for components to determine if they've been run SUID/SGID. And you can easily imagine a simple system library that could be made available to re-exec into a scrubbed environment. We don't have these nice things because attention is elsewhere, not because SUID/SGID is fundamentally broken. They're certainly not as ideal as a fine-grained capability system, but making profitable use of SUID/SGID is achievable by anyone today using long-existing tools, and they can even provide a bridge toward capability systems without needing to shunt everything through a root-owned (UID 0) broker. SUID/SGID aren't adequate alone, but they can certainly be part of robust solutions. And as compared to monolithic brokers, using several different binaries and processes also gives the benefit of hardware-enforced memory isolation and similar process boundaries.

"run0" as a sudo replacement

Posted Apr 30, 2024 20:36 UTC (Tue) by mezcalero (subscriber, #45103) [Link]

Uh, access control via UNIX groups sucks, because they are "sticky". Once someone is a member of a group they can create an sgid binary (i.e. what LWN would probably call "setgid binary"), and then will have them forever. A security mechanism you cannot reasonably recall is really terrible. And beyond that: conceptually I think it's weak too, because quite often you want to authentication operations, and not just objects. That is after all precisely one of the main reasons why polkit was originally created, that we can leave UNIX permissions behind and focus authorizing actions, not objects.

Linux has an equivalent of issetugid() since a long time btw: getauxval(AT_SECURE). It also covers fcaps binaries. In systemd we do use this at various places (mostly through secure_getenv()). Not because we'd ourselves have any suid/sgid/fcaps binaries (we don't, and we explicitly declare it's not acceptable in our tree), but because people might end up using libsystemd in suid binaries, and we don't want to be responsible for making a bad idea a security hole.

Lennart

"run0" as a sudo replacement

Posted Apr 30, 2024 22:08 UTC (Tue) by smcv (subscriber, #53363) [Link]

The fact that libsystemd needs to check for AT_SECURE nicely illustrates one of the problems with setuid (and setgid and fscaps): it's the author or integrator of the privileged executable who decided it ought to have elevated privileges, but they don't control all of its library dependencies, and frequently expect/assume that general-purpose libraries (libsystemd, libdbus, GLib and so on) are safe to use from a setuid executable and will distrust its execution environment just as much as the executable does. That puts a security responsibility on the maintainers of those libraries that they never really asked for or agreed to.

"run0" as a sudo replacement

Posted May 1, 2024 2:02 UTC (Wed) by WolfWings (subscriber, #56790) [Link]

I mean... until this post I've never in my entire life seen it called anything except set[gu]id for the filesystem bits in question or what they do, internal header names and constants often are shortened in less obvious ways from the public terms for what the flags mean.

Setuid/Setgid has been around as a term longer than the 40+ years I've been alive since V7 released a few months before I was born; insisting on describing things based on the API/ABI/Header/ENUM/whatever instead seems weird to me by comparison?

"run0" as a sudo replacement

Posted May 1, 2024 21:48 UTC (Wed) by jackhalford (guest, #129675) [Link]

> Uh, access control via UNIX groups sucks, because they are "sticky". Once someone is a member of a group they can create an sgid binary (i.e. what LWN would probably call "setgid binary")

I've never thought of that, that's super scary. Anyway we usually don't give fine grained access via unix groups. Usually groups get f*ed anyway when sharing via smb/nfs. Still It's fair to say linux could do better in 2024.

"run0" as a sudo replacement

Posted May 2, 2024 2:47 UTC (Thu) by NYKevin (subscriber, #129325) [Link]

Maybe this is a stupid opinion, but to my mind, groups basically serve two useful purposes:

* To "fix my audio" (or WLAN, or whichever part of the desktop stack has gotten itself hilariously broken this time), by poking a hole in the security boundary that is somehow preventing it from working. Risk: Negligible, because the user that receives the access is already root-equivalent (in most cases, it's the human owner of the machine).
* To durably grant a specific daemon (e.g. the www-server) or family of related daemons access to a specific subtree of the filesystem (e.g. /var/www/...) without giving it full ownership (e.g. so I can deny write). Risk: Probably acceptable for pets? For cattle, I would prefer something more sophisticated like a container.

This notion that groups are a "real" security mechanism is crazy to me. I've never heard anyone suggest that they are reasonable and complete means of implementing discretionary access controls on pets, let alone the mandatory/role-based access controls that we would like to have on (most) cattle.

"run0" as a sudo replacement

Posted May 2, 2024 8:21 UTC (Thu) by jem (subscriber, #24231) [Link]

Imagine a system admin has granted you the right to dial out from a shared computer by adding you to the uucp group. You can now create an executable which is setgid uucp and make it available to anybody on the computer, effectively granting uucp group rights to all users.

"run0" as a sudo replacement

Posted May 2, 2024 16:57 UTC (Thu) by NYKevin (subscriber, #129325) [Link]

Yes, but that is assuming we're operating on a shared computer in the first place (that isn't access controlled via containers or another comprehensive measure). In the Year of our Lord two thousand twenty-four, such systems mostly don't exist. In the rare cases where they do exist, the security is usually supplemented by layer 8 mechanisms (e.g. "raise a security incident, revoke Kevin's credentials, kill all of his terminal sessions, and then tell HR that we don't need his services anymore").

"run0" as a sudo replacement

Posted May 2, 2024 18:29 UTC (Thu) by jem (subscriber, #24231) [Link]

Linux was built on the premise that it is a multi-user system. If it no longer is a multi-user system, this fact should be officially acknowledged, instead of sweeping the problems under the carpet and taking the attitude that "it doesn't matter anymore in the year 2024".

I wouldn't be so sure shared computers are that rare yet. Just a few years ago specifications for multi-seat Linux workstations were written, i.e. support for several users working simultaneously on a single PC.

Obligatory XKCD: https://xkcd.com/1200

"run0" as a sudo replacement

Posted May 3, 2024 8:27 UTC (Fri) by anton (subscriber, #25547) [Link]

And the problem with that is? If the user wants to do some dialing out for others, they can already do so without setgid binaries.

There is a problem, as pointed out elsewhere, about revoking group permissions, which requires eliminating setgid binaries owned by the users; the scanning approach is racy. It seems like that might be something for the security layers that put additional controls on system calls: For a setgid binary that is owned by a user that is not (no longer) in the group, ignore the setgid bit.

"run0" as a sudo replacement

Posted May 3, 2024 8:38 UTC (Fri) by cortana (subscriber, #24596) [Link]

Remind me why unprivileged users are able to create setuid/setgid files again!

"run0" as a sudo replacement

Posted May 3, 2024 8:44 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

I think assuming this was a well-considered deliberate choice is not necessarily sensible - a lot of this behaviour dates back to much simpler times when there may just not have been an obvious reason not to allow it, and now we've learned why there *is* a good reason not to allow it we can't because it'd break some userspace app written in 1983.

"run0" as a sudo replacement

Posted May 3, 2024 9:36 UTC (Fri) by malmedal (subscriber, #56172) [Link]

> a lot of this behaviour dates back to much simpler timer

It was understood from the beginning that this was problematic in some cases, so the administrators would usually mount home-directories and things like /tmp with nosuid and nodev options to disallow setgid and setuid.

It is less convenient today where it is common to use a single partition for everything, so I'd recommend people don't do that, use LVM.

"run0" as a sudo replacement

Posted May 3, 2024 4:35 UTC (Fri) by donald.buczek (subscriber, #112892) [Link]

> This notion that groups are a "real" security mechanism is crazy to me. I've never heard anyone suggest that they are reasonable and complete means of implementing discretionary access controls on pets, let alone the mandatory/role-based access controls that we would like to have on (most) cattle.

We have many many hundreds of seperate storage areas (directories trees). These are mostly for scientific projects. They are accessible over nfs from a few hundreds multi-user systems. There is fine-grained access control: Only the group of scientists who work on a specific project have access to the related storage area. This is implemented via group membership. Each area has its own group and the directories have g=rwxs. User umask have zero in the group bits. I'd really like to know if anything is fundamentally wrong with this.

"run0" as a sudo replacement

Posted May 3, 2024 4:42 UTC (Fri) by mjg59 (subscriber, #23239) [Link]

Someone who's a group member can make an sgid binary and keep access to that group even after they're removed from it, so you need to ensure that you scan for that if you remove someone from a group.

"run0" as a sudo replacement

Posted May 3, 2024 7:18 UTC (Fri) by donald.buczek (subscriber, #112892) [Link]

> Someone who's a group member can make an sgid binary and keep access to that group even after they're removed from it, so you need to ensure that you scan for that if you remove someone from a group.

Yes, that's a valid concern. There are some others. For example, often there is a service user for a project to run daemons, and people could drop a public key into the daemons authorized_keys or install a cronjob to secure their access. Or they could install something into a binary in the project and wait for someone else in the group to execute it. And, of course, users could just harvest all the data while they still have access.

You are right, you need to be aware of that and implement appropriate counter-measures, like monitoring and alarms.

Group membership as security measure

Posted May 3, 2024 10:44 UTC (Fri) by farnz (subscriber, #17727) [Link]

I think the key point here is that group membership as a security measure is largely like signs as a security measure; a sign on a closed door saying "Only Team Stripy Green past this point" is a security measure, it's just very weak, and only works when your people can be trusted anyway.

Group membership as security measure

Posted May 3, 2024 11:36 UTC (Fri) by donald.buczek (subscriber, #112892) [Link]

> I think the key point here is that group membership as a security measure is largely like signs as a security measure; a sign on a closed door saying "Only Team Stripy Green past this point" is a security measure, it's just very weak, and only works when your people can be trusted anyway.

That is not true. If the Unix permissions don't allow you access to a file, because you don't have the required auxiliary group, there is no way for you to ignore the modes and access the file anyway.

And vice versa, even the most secure door lock will not help, if you just replace the lock in an attempt to deny access to the Green Team if you don't

- check, that no Green Team member hides in the room
- check, that a Green Team member did not open the window
- check, that a Green Team member did not already steal you stuff
- check, that a Green Team member did not install surveillance or a remote controllable robot in the room
- verify that the Red Team members do not trust notes or devices a Green Team member might have left in the room

and so on.

Group membership as security measure

Posted May 3, 2024 13:27 UTC (Fri) by farnz (subscriber, #17727) [Link]

But if I know someone who's a member of Team Stripy Green, they can transitively give me access to the group via setGID programs. And if I ever had group membership, you can't take it away without searching for any possible place I might have smuggled a setGID program. As with signs, as long as I respect the rules, groups are good security. But as soon as someone might have broken the rules, you need to do a lot more work to make things secure.

Signs are effective security as long as everyone obeys the rules that make them secure. Group membership is effective security as long as nobody breaks the rules; but as soon as I (e.g.) put a world-executable setGID shell in a public location, I've broken the security completely.

If you use groups expecting them to be a security measure, then you need to be aware of this. If you use them expecting them to have the capabilities of signs, you won't get caught out by the holes.

"run0" as a sudo replacement

Posted May 3, 2024 18:11 UTC (Fri) by sfeam (subscriber, #2841) [Link]

Isn't that really an argument against allowing sgid binaries rather than an example of unintended membership persistence?

"run0" as a sudo replacement

Posted Apr 30, 2024 14:40 UTC (Tue) by kleptog (subscriber, #1183) [Link]

This is the kernel enforcing the security boundary. SUID is not a security boundary, it's a gaping hole that we've managed to to stuff with enough wads of paper that not too much leaks through.

Having a privileged component spawn the process and then passing you the TTY descriptor just seems much safer all round.

"run0" as a sudo replacement

Posted Apr 30, 2024 15:09 UTC (Tue) by MarcB (subscriber, #101804) [Link]

Which security boundary do you mean? Setuid by definition is a complete violation of all security boundaries the kernel could enforce.

It is completely up to user-space to stick to some rules administrators have set (I'd like to point out, that the man page of "sudoers" still contains the legendary "Quick guide to EBNF", as immortalized by https://xkcd.com/1343/).

And to make it worse, this user-space starts from a hostile environment, from which it has to disentangle itself first. This is the huge advantage of the uid0 solution: Privileges are handed out from a clean, already privileged context instead of from an unprivileged context that tunnels through security boundaries.

"run0" as a sudo replacement

Posted Apr 30, 2024 15:40 UTC (Tue) by NYKevin (subscriber, #129325) [Link]

/etc/sudoers has never been parsed or "enforced" by the kernel. sudo(8) is entirely implemented in userspace, with the sole exception that the kernel deigns to allow the binary to start as root rather than the invoking user. The userspace process is then responsible for checking whether the invoking user should be allowed to execute the command... *after* root privileges have already been granted by the kernel.

"run0" as a sudo replacement

Posted Apr 30, 2024 15:46 UTC (Tue) by intelfx (subscriber, #130118) [Link]

> Am I the only one who would much rather allow the kernel to continue enforcing this security boundary well rather than allowing the likes of polkit and systemd to enforce it poorly?

Yes, you are. Because "poorly" and "well" in your comment are pretty much switched around compared to reality.

Publication format

Posted Apr 30, 2024 14:41 UTC (Tue) by zdzichu (subscriber, #17118) [Link]

Ugh, series of microposts, split in random places, for something which should be a blog note. No, thanks.

Publication format

Posted Apr 30, 2024 17:05 UTC (Tue) by rsidd (subscriber, #2582) [Link]

There are advantages to platforms where followers will see what you say without remembering to check your blog or adding your blog to an RSS feed.

Mastodon is not great but it's better than the rest, especially in that (unlike Google Plus, or for that matter blogspot etc) a corporation can't decide to just delete it all one day.

Publication format

Posted Apr 30, 2024 18:28 UTC (Tue) by rgb (subscriber, #57129) [Link]

Posting a link to your fresh blog post on Mastodon would work just as well.

Publication format

Posted Apr 30, 2024 20:01 UTC (Tue) by The_Barbarian (guest, #48152) [Link]

or use an instance that allows long posts

Publication format

Posted Apr 30, 2024 21:17 UTC (Tue) by iabervon (subscriber, #722) [Link]

FWIW, the Fediverse mechanism works for having a Mastodon micropost about a longer-form blog post, with the both of them presenting the same (Mastodon-style) replies. One of the advantages of Mastodon among microblog platforms is that it doesn't exclude non-microblogs from federation. Of course, that just means that there's a better technical solution that's possible but not built-in, so it costs time and effort and hosting, but not downsides for subscribers.

"run0" as a sudo replacement

Posted Apr 30, 2024 15:07 UTC (Tue) by linuxrocks123 (subscriber, #34648) [Link]

This is actually a good idea. Can it run on-systemd init systems and/or on the BSDs?

"run0" as a sudo replacement

Posted Apr 30, 2024 15:08 UTC (Tue) by linuxrocks123 (subscriber, #34648) [Link]

That should be "on non-systemd init systems"

"run0" as a sudo replacement

Posted Apr 30, 2024 16:30 UTC (Tue) by mezcalero (subscriber, #45103) [Link]

No. It fires off a request to the service manager via IPC to start the target program/shell for you.

The other init systems on Linux do not support a concept like that to my knowledge (i.e. an IPC API for transiently defining and invoking services without first prepping some file on disk).

"run0" as a sudo replacement

Posted Apr 30, 2024 17:07 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

One can write a specialized daemon with a custom implementation of the necessary parts of the systemd functionality.

"run0" as a sudo replacement

Posted Apr 30, 2024 17:20 UTC (Tue) by willy (subscriber, #9762) [Link]

We could even call it "sudod" ...

"run0" as a sudo replacement

Posted May 1, 2024 1:53 UTC (Wed) by ejr (subscriber, #51652) [Link]

Or something as cataclysmic as "userv."

While this is a tempest, I'm not terribly sure I want to sip from this teapot. I'm amazed that our esteemed editor is willing to suffer the abuse from any mention of the systemd team / authors / author.

"run0" as a sudo replacement

Posted Apr 30, 2024 23:02 UTC (Tue) by Gaelan (subscriber, #145108) [Link]

The s6-sudo family of tools is along these lines: https://skarnet.org/software/s6/s6-sudo.html

"run0" as a sudo replacement

Posted May 1, 2024 8:53 UTC (Wed) by jhe (subscriber, #164815) [Link]

There is no technical reason why run0 needs to be part of the init system. This is off-putting. A privileged daemon could have done the same job.

There are many great features in systemd, but they are unnecessarily coupled to an rather mediocre service supervisor and that's not okay.

"run0" as a sudo replacement

Posted May 1, 2024 9:10 UTC (Wed) by mezcalero (subscriber, #45103) [Link]

Uh? "run0" is a tiny tool that asks the *service manager* to start a *service*. And that's really pretty much it.

I mean sure, write your own "sudod" or whatever, but you are just reimplementing a service manager than, and probably a worse one?

"run0" as a sudo replacement

Posted May 1, 2024 10:59 UTC (Wed) by jhe (subscriber, #164815) [Link]

You did make it a "service" just to argue my point. On mastodon, you called it "command" yourself. And i agree with the mastodon version of you - a command like `nano /etc/...` would not constitute something that needs to be managed by a service supervisor.

"run0" as a sudo replacement

Posted May 1, 2024 11:10 UTC (Wed) by mb (subscriber, #50428) [Link]

There's no fundamental difference between a service that is started by boot, socket activity, or user request or anything else.
A service is something that runs in a well defined environment under well defined credentials. That is what the service manager provides. And that is exactly what sudo-like tools want. It's just triggered by the user instead of something else.

"run0" as a sudo replacement

Posted May 1, 2024 13:25 UTC (Wed) by joseph.h.garvin (subscriber, #64486) [Link]

The obvious distinction being made here is a one off command vs one that continues running in the background and gets restarted if it goes down etc. Most people don't think of nano as a "service" because if they did the distinction between service vs app/command becomes meaningless. Even if it's the definition systemd uses.

"run0" as a sudo replacement

Posted May 1, 2024 12:15 UTC (Wed) by foom (subscriber, #14868) [Link]

Not sure the point of this argumrnt.

You definitely CAN write a long-lived daemon, akin to sshd, to give authorized people a root shell without needing a service manager. But if you already HAVE a service manager available, which already has the necessary features (including the existing ability to spawn temporary "services"/"commands"), isn't it a lot simpler to rely on that instead of writing it from scratch?

Of course, if you have a system without a full-featured service manager, you don't have the option of relying on it, and would need to write the standalone daemon. But for everyone else, this architecture seems like a nice simplification and reduction of the attack surface.

"run0" as a sudo replacement

Posted May 1, 2024 15:09 UTC (Wed) by mezcalero (subscriber, #45103) [Link]

I am not sure what the major difference between a "service" and a "command" is supposed to be. systemd-run (the tool that run0 is just an alias name for with slightly different argument parsing) is a tool for invoking commands/programs/binaries/executables/scripts/whateveryouwannacallit from a pristine well-defined execution context (a concept which systemd calls a "service", but that's just because it's a nice moniker for such a thing). Whether the invoked "command" is httpd or nano doesn't really matter at all, from systemd's perspective it's just two different strings.

"run0" as a sudo replacement

Posted May 2, 2024 16:02 UTC (Thu) by Karellen (subscriber, #67644) [Link]

I think the confusion comes from some people thinking that "a service" is defined by a service/unit file, and cannot be just an ad-hoc command.

Even if that's not strictly true, it's mostly true enough of the time that it's an easy mental shortcut to fall into, especially if you don't spend non-trivial amount of time every day thinking about the subtleties of your init system and service management in general.

"run0" as a sudo replacement

Posted May 1, 2024 12:58 UTC (Wed) by gmaxwell (guest, #30048) [Link]

My understanding is that this tool is primarily targeting single human user systems where the single user has the authority to run commands at will as root (but presumably varrious daemon user accounts cannot).

Why can't the 'sudo attack surface' be eliminated by giving the user access to a trivial program that will fork whatever they want (-- perhaps just bash), setting the setuid bit on it, and using file permissions so only the authorized user can run it?

Then the security attack surface is just the kernel filesystem permissions. No need for a potentially vulnerable and highly opaque network service to run privileged commands on demand.

Surely I'm missing something massive?

"run0" as a sudo replacement

Posted May 1, 2024 13:05 UTC (Wed) by mb (subscriber, #50428) [Link]

>Then the security attack surface is just the kernel filesystem permissions.

You just effectively gave the user full root privileges without any checks, passwords, rules or authentication. That is the second to largest attack surface possible. Only a kernel exploit would give you higher permissions.

You can just log in and work as root. That's much simpler.

"run0" as a sudo replacement

Posted May 1, 2024 23:31 UTC (Wed) by gmaxwell (guest, #30048) [Link]

That is (unfortunately?) how sudo is deployed on distributions today, no?-- granting the wheel user free reign to run anything as root. And I understand that's what this thin run0 shim is intended to provide. Or am I confused? If not-- what provides the policy and how is it threat minimized? The all that policy and protection is what makes sudo have a large attack surface.

"run0" as a sudo replacement

Posted May 2, 2024 7:34 UTC (Thu) by NYKevin (subscriber, #129325) [Link]

run0 talks to polkit, which can be configured with an arbitrary security policy if desired. The main advantage polkit has over sudo is that it runs as a daemon in a known, standardized environment, and only receives a narrow slice of data from run0 describing the user's request. This is not to say that polkit is necessarily more secure than sudo, but at least it exposes less of its attack surface directly to the untrusted environment.

"run0" as a sudo replacement

Posted May 2, 2024 10:59 UTC (Thu) by niner (subscriber, #26151) [Link]

Some distributions. Ubuntu for sure. On openSUSE I'm still asked for a password.

"run0" as a sudo replacement

Posted May 6, 2024 7:22 UTC (Mon) by anselm (subscriber, #2796) [Link]

On openSUSE I'm still asked for a password.

I haven't looked at openSUSE in a while, but does its sudo still ask for the root password rather than that of the current user? That used to be one of the more dubious and inexplicable aspects of the SUSE sudo configuration.

"run0" as a sudo replacement

Posted May 6, 2024 7:32 UTC (Mon) by niner (subscriber, #26151) [Link]

No, it asks for the user's.

"run0" as a sudo replacement

Posted May 18, 2024 17:37 UTC (Sat) by mrugiero (guest, #153040) [Link]

No, but there's prior art that can run on non-systemd (and possibly the BSDs but I'm not sure): https://skarnet.org/software/s6/s6-sudod.html

I actually came to mention that, because I saw some pushback to the idea that I slightly suspect comes just from anti-systemd sentiments. Showing a solution in that same camp could help calm the waters if that's the case. It is a good idea that solves a real problem, whether you like who is implementing it or not (and whether you like the particular implementation choices or not).

"run0" as a sudo replacement

Posted Apr 30, 2024 15:56 UTC (Tue) by carlosrodfern (subscriber, #166486) [Link]

systemd-run is a neat concept, and suid has its issues, but I don't like the idea of solely depending on systemd to do privilege escalation, because sudo is simple, but systemd is complex, so there is a greater chance of systemd having an obscure and catastrophic bug than sudo.

"run0" as a sudo replacement

Posted Apr 30, 2024 16:05 UTC (Tue) by mb (subscriber, #50428) [Link] 

-------------------------------------------------------------------------------
Language                     files          blank        comment           code
-------------------------------------------------------------------------------
C                              374          16153          23054         113185
PO File                         73          29548          47647          76641
Bourne Shell                    93           8817           6354          51068
C/C++ Header                    93           1861           5000          18994
m4                              24           1335            602          14704
yacc                             2            262            175           2609
Markdown                        10            678              0           2522
lex                              1            172            126           1295
Perl                             4            311            362           1151
Puppet                           3             79            365            560
Python                          10            152            209            345
YAML                             5             16             38            260
JSON                             7              0              0            236
sed                              4             16              1            229
Protocol Buffers                 2             22             49            136
Expect                           7              0              0            108
Dockerfile                       7              7              0             59
Text                             1              0              0              1
-------------------------------------------------------------------------------
SUM:                           720          59429          83982         284103
-------------------------------------------------------------------------------
because sudo is simple

That is not my definition of "simple"

https://www.sudo.ws/repos/sudo/file/tip

"run0" as a sudo replacement

Posted Apr 30, 2024 16:45 UTC (Tue) by carlosrodfern (subscriber, #166486) [Link]

Thank you for showing me that. Eye-opening, indeed.

"run0" as a sudo replacement

Posted Apr 30, 2024 20:25 UTC (Tue) by mezcalero (subscriber, #45103) [Link]

If I count correctly this means systemd with all its components, all its supposed "bloat", all its test cases, all the headers we import from the kernel, and so on is just a little bit more than 5x as large as sudo.

I mean, that's the thing, systemd with its many many binaries is roughly the same amount of code as wpa supplicant (currently a bit more, but over the years sometimes we were ahead, and sometimes them). People really should put that into perspective from time to time: systemd isn't actually that big.

I mean, there's are many reasons we have a monorepo for our components, and yes, the ability to *easily* reuse code (and thus strongly reduce footprint) is one of them.

Lennart

"run0" as a sudo replacement

Posted May 1, 2024 2:13 UTC (Wed) by WolfWings (subscriber, #56790) [Link]

Also unlike the on-going fights of inflexible to edit network configuration files (really, YAML!?) it's been a breath of fresh air dealing with -networkd and -boot on newer installs where I can utilize them.

Sometimes I lean on iwd for the WPA aspect on the wireless devices that will wander into random coffee shops more, but by and large most real-world configurations I'm finding are simpler to define and backup with networkd because it's not trying to be perl line-noise density, and likewise -boot is FAR less hassle than grub to customize to do what I want without a lot of rigamarole.

"run0" as a sudo replacement

Posted May 2, 2024 6:36 UTC (Thu) by gutschke (subscriber, #27910) [Link]

Credit where credit is due. systemd-networkd is an amazing piece of code. I find it to work so much better than any of many other ways of configuring networks.

Yes, it is yet another new tool to learn. And I am usually the first in line to complain that change is hard. But it didn't take me very long to figure out, and it was so worth it. I wish all distributions would switch to it by default -- at least when deploying a server. Maybe, for a mobile device with networking that changes regularly, there are other options that are still a better fit. But I find that these days I don't have many of those systems. Most things run inside various virtual machines and systemd-networkd works beautifully for those.

"run0" as a sudo replacement

Posted Apr 30, 2024 23:43 UTC (Tue) by ras (subscriber, #33059) [Link]

Yeah, I agree. Run0 being able to leverage the other security mechanisms already built into systemd is kinda neat. It could easily be a big win in sense tacking a new tool onto a swiss army knife that has a lot of complementary tools can be a win.

But Lennart pounds on in his post about security being one of those wins, and that seems highly unlikely to me. Sudo hasn't had the many problems over the years, and I can't think of an "unsurprising" one - they've all been bring things like buffer overflows. That's to be expected. It's one standlone tool, it does one job, and a configuration format needing a BNF to describe it notwithstanding it's easy for one man to get his head around all of it.

Getting your head around what the 66MB of source in systemd does is not so easy. And it's damned complex event driven code, with a lot of the events delivered via RPC. I was stunned by how uttered unexpected interactions between systemd and dll's were exploited by the XZ utils attack to infect an unrelated binary that ran as root. But that's exactly the outcome I'd expect from something as complex as the thing systemd has become. Run0 would have been a very juicy target for the XZ utils hack.

"run0" as a sudo replacement

Posted May 1, 2024 0:47 UTC (Wed) by ras (subscriber, #33059) [Link]

Hmmm. I just realised you are arguing sudo is very complex. That's hard to deny, and is probably why the BSD's have doas. But still, if you just compare lines in the source tree sudo is hardly comparable to systemd:

sudo: 284K, systemd: 1,981K

Note: I'm just comparing total lines because I'm too lazy to put the effort you put into your table.

"run0" as a sudo replacement

Posted May 1, 2024 1:05 UTC (Wed) by bluca (subscriber, #118303) [Link]

You are counting the hwdb entries and other such things, which is not really source code. The current count under src/ in main is at this very moment 916499 locs, less than half, and that includes unit tests too.
Also, this functionality already exists, and already has to be robust, there's nothing fundamentally new, apart from a nice and tidy user interface (which is of course fundamental). But the security-relevant stuff is all pre-existing and quite old at this point, and it has to work as intended or we'd already be in big troubles, that's one of the main advantages of run0.

"run0" as a sudo replacement

Posted May 1, 2024 1:08 UTC (Wed) by bluca (subscriber, #118303) [Link]

In fact by only counting the run0 tool and pid1 the locs go down to ~340k, and that still includes imported kernel headers, compared to sudo's 250k. Not bad considering that's the entirety of the system and service management component.

"run0" as a sudo replacement

Posted May 1, 2024 4:55 UTC (Wed) by ras (subscriber, #33059) [Link]

True, but sudo includes a lot of vendored code. If you just count code lines written for sudo it's closer it's 16K, so it cuts both ways.

That aside, if you look at what sudo project does and what the systemd project does one is clearly; nay blatantly much more ambitious and complex than the other. Attempts to paint it otherwise are drawing a very long bow.

"run0" as a sudo replacement

Posted May 2, 2024 11:08 UTC (Thu) by niner (subscriber, #26151) [Link]

While sudo's implementation itself has been reasonably secure, the same cannot be said about its configuration. It so easy to make mistakes when you forget that e.g. "if no command line arguments are specified, the user may run the command with any arguments they choose".

"run0" as a sudo replacement

Posted Apr 30, 2024 16:11 UTC (Tue) by warrax (subscriber, #103205) [Link]

sudo is not simple by any stretch of the imagination.

"run0" as a sudo replacement

Posted Apr 30, 2024 16:13 UTC (Tue) by farnz (subscriber, #17727) [Link]

sudo is not simple, by any stretch of the imagination; it has a plug-in architecture, a complex file format for /etc/sudoers (with associated parser), and a whole pile of code whose job is to sanitise the execution environment so that it's "safe" for the rest of sudo to run. If any of that code has a bug, then there's a root exploit.

In contrast, systemd-run runs as you - if the code to parse your request for privilege escalation has a bug, it's not an exploit. The attack surface is the stuff that takes the parsed request, and decides what to do with it - which is much smaller than sudo.

"run0" as a sudo replacement

Posted Apr 30, 2024 16:50 UTC (Tue) by carlosrodfern (subscriber, #166486) [Link]

You are absolutely right. `sudo` hides a lot of complexity for an apparently simple feature, and systemd, on the other hand, the plethora of features indicates a very complex system underneath; but once you look under the sudo hood, the high complexity shows.

"run0" as a sudo replacement

Posted Apr 30, 2024 17:04 UTC (Tue) by farnz (subscriber, #17727) [Link]

The other important gap is that sudo's security boundary is "the entirety of sudo including all its dependencies". This is implicit in being a SUID binary; privilege escalation happens before any of sudo's code is run, and thus an exploitable bug in sudo's code is running as root immediately.

In contrast, in the run0 design, the thing that's running as root is the init system - which has to be safe to invoke as root, since that's what the kernel does on start-up. Further, the socket used to send run0 requests to the root code is already present and usable in the absence of run0, so it has to be secure.

This is nice because it's using a security boundary that you already have on your system, and repurposing it to replace a big lump of security-relevant code with a simple binary that sends a message over IPC to the privileged core.

"run0" as a sudo replacement

Posted Apr 30, 2024 17:39 UTC (Tue) by developer122 (guest, #152928) [Link]

So effectively this is a sudo daemon. A sudod, if you like.

I suppose it's not a terrible solution to the complexity of dropping all the process context that has accumulated over the last 50 years or so (since setuid was invented). It's simple enough that it seems this could have been invented 30 years earlier, and should be pretty simple to implement in other *nixes. Maybe an unprivileged sudo client utility and a sudod server that forks off privileged processes. Name it whatever you want.

I think this is not quite the panacea it might be mistaken for though. There's more to spawning a privileged process than just someone with higher authority doing it for you. There's also a lot of accumulated experience with setuid (with varying success, see above) but this whole idea of asking a daemon to spawn privileged processes for you is pretty much brand-new. It hasn't seen the kind of use that sudo has.

With this sort of client-server model you need to handle logins, for a start. In this case there's also some tomfoolery with redirecting terminals that I'm sure will be the subject of hijacking attempts, and which will also cause input/output to get lost or leaked.

There's also the problem of the context you might WANT to propagate, beyond just command-line arguments. What if a privileged process wants to check an environment variable in the user context, like a print spooler checking someone's preferred $PRINTER variable? Here there doesn't seem to be a mechanism for the server to make such requests back to the user's shell.

"run0" as a sudo replacement

Posted Apr 30, 2024 17:46 UTC (Tue) by developer122 (guest, #152928) [Link]

If I were one of the BSDs looking at this and thinking about my own way to solve the problem, I'd probably set up a client-server model with an explicit interface rather than this terminal redirecting malarkey.

Create a privileged server to spawn processes and a client app to request it. Come up with a way to establish an exclusive connection between them, and a protocol to handle things like login, request for environment variables, and future extensions for other requests for context. Come up with a way to tunnel stdin/stout/stderr, and make sure that the streams won't cross with the out-of-band management that handles requests for the user context's environment variables and such.

Maybe dbus is an easy way to set up such a channel of communication, or maybe the BSDs can think of something simpler. I dunno.

"run0" as a sudo replacement

Posted Apr 30, 2024 19:02 UTC (Tue) by dbnichol (subscriber, #39622) [Link]

What is the way you're going to "Come up with a way to tunnel stdin/stdout/stderr" for a client/server model that's better than this "malarkey"? As far as I can tell, systemd-run does this in the most simple and efficient way possible. In fact, D-Bus is the way it's done by sending the file descriptors over a UNIX socket using SCM_RIGHTS. If you want a login shell, it just opens a PTY beforehand instead of using the current file descriptors.

I personally wouldn't want the privileged process to be asking further "hey do you want to add anything more to the environment" questions. If you want to pass through your printer variable, --setenv=PRINTER. It seems much more sane to tell the privileged process how to setup the environment once than have some interactive dialog with it.

"run0" as a sudo replacement

Posted Apr 30, 2024 18:03 UTC (Tue) by farnz (subscriber, #17727) [Link]

There's also the problem of the context you might WANT to propagate, beyond just command-line arguments. What if a privileged process wants to check an environment variable in the user context, like a print spooler checking someone's preferred $PRINTER variable? Here there doesn't seem to be a mechanism for the server to make such requests back to the user's shell.

This doesn't need to be done as a request back to the user's shell - the thing requesting a process invocation can pass forward all the context that you want to propagate. And we know from painful experience that it's easier to have a setup where we build up the invoked process's environment from the bits it's "supposed" to get, than to have one where we remove the things it "shouldn't" get.

"run0" as a sudo replacement

Posted May 1, 2024 8:51 UTC (Wed) by NYKevin (subscriber, #129325) [Link]

There is also the fact that, if you need to configure a lot of complicated context, systemd is already designed to do that! Just write a real unit file instead of invoking run0.

"run0" as a sudo replacement

Posted Apr 30, 2024 18:05 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

> There's also the problem of the context you might WANT to propagate, beyond just command-line arguments.

You can specify them explicitly in your unit's description.

"run0" as a sudo replacement

Posted Apr 30, 2024 18:16 UTC (Tue) by bluca (subscriber, #118303) [Link]

> There's more to spawning a privileged process than just someone with higher authority doing it for you. There's also a lot of accumulated experience with setuid (with varying success, see above) but this whole idea of asking a daemon to spawn privileged processes for you is pretty much brand-new. It hasn't seen the kind of use that sudo has.

It is absolutely not brand-new, it's been there in all major Linux distributions for the past decade, as the new command is a nice and welcome interface around existing mechanisms. Both systemd-run and polkit have existed for a long time now.

Just try it: on your existing Linux distro desktop installation, without this new version, run 'systemd-run -t id' and see what happens.

"run0" as a sudo replacement

Posted May 1, 2024 9:49 UTC (Wed) by marcin (subscriber, #159076) [Link] 

user@localhost:~$ systemd-run -t id
Running as unit: run-u120.service
Press ^] three times within 1s to disconnect TTY.
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_service_t:s0
user@localhost:~$ sudo id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
user@localhost:~$
Well, the difference I see, on my Fedora 40 system, is a different SELinux context.

"run0" as a sudo replacement

Posted May 1, 2024 11:48 UTC (Wed) by bluca (subscriber, #118303) [Link]

Yes, because one is a service started from the service manager. You can set the context with SELinuxContext= if you want to.

"run0" as a sudo replacement

Posted May 18, 2024 17:56 UTC (Sat) by mrugiero (guest, #153040) [Link]

> but this whole idea of asking a daemon to spawn privileged processes for you is pretty much brand-new

Not really. This is what's called a rediscovery. See: https://skarnet.org/software/s6/s6-sudod.html
Written 10 years ago according to: https://github.com/skarnet/s6/commits/master/doc/s6-sudod...

"run0" as a sudo replacement

Posted Apr 30, 2024 18:09 UTC (Tue) by flussence (subscriber, #85566) [Link]

Sounds a lot like s6-sudod, which is not a complaint, consistency and interoperability is a good thing. This separate process tree design is also how you achieve the (desirable) goal of running openssh with minimal capability bits - you could try that today on a conventional su/do/as system and it'll be very secure, but a nightmare to remotely administrate because root in that process tree will be no more powerful than a regular user.

Tangential to this but I'd like to see all existing suid usage on traditional Linux systems replaced with filecaps. Alas, that's currently impossible with NFS involved because it silently discards the capability xattrs. And not for security reasons either, because it allows the setuid bit itself through just fine.

"run0" as a sudo replacement

Posted Apr 30, 2024 20:44 UTC (Tue) by mezcalero (subscriber, #45103) [Link]

iirc fedora is using fcaps pretty widely in their distro, and rpm is smart enough to turn fcaps into sgid when unpacking to an fs that doesn't do fcaps.

(i don't think fcaps are much of an improvement over suid though. They are simply too coarse to be useful for anything beyond ping. i.e. if you have to give a binary CAP_SYS_ADMIN you might as well give it suid root (or, as LWN would call it, give it "setuid root").

The concept of being able to acquire additional privs is the problem. it doesn't matter if it's all of root you get that way or just "almost root"...

NNP FTW! NNP or death!

"run0" as a sudo replacement

Posted Apr 30, 2024 21:39 UTC (Tue) by flussence (subscriber, #85566) [Link]

Now that's a sentiment I can agree with :-)

Regarding fcaps you're right; it's more of a stop-gap measure than something to encourage proliferation of. After spending months studying all this stuff, enforcing security policy top-down makes a whole lot of sense. (It's also a good way to drive oneself mad by becoming acutely aware of the general state of the union - the “bad kerning” effect all over again)

"run0" as a sudo replacement

Posted May 1, 2024 12:42 UTC (Wed) by aragilar (subscriber, #122569) [Link]

What's NNP?

"run0" as a sudo replacement

Posted May 1, 2024 13:11 UTC (Wed) by mezcalero (subscriber, #45103) [Link]

NNP = "NO_NEW_PRIVS"

See PR_SET_NO_NEW_PRIVS on https://man7.org/linux/man-pages/man2/prctl.2.html

It disables the effect of suid/sgid/fcaps (or as LWN would say: "setuid" & "setgid").

"run0" as a sudo replacement

Posted May 1, 2024 13:23 UTC (Wed) by atnot (subscriber, #124910) [Link]

come on, I laughed at the "as lwn would call it" thing the first time, but the nth time it just comes across as petty and bitter

"run0" as a sudo replacement

Posted Apr 30, 2024 20:54 UTC (Tue) by smcv (subscriber, #53363) [Link]

> Tangential to this but I'd like to see all existing suid usage on traditional Linux systems replaced with filecaps

If the capability your setuid program needs to exercise is one of the ones that are genuinely narrowly-scoped (like CAP_AUDIT_READ and CAP_BLOCK_SUSPEND), then maybe that's a positive, but if the capability you need to exercise is one of the ones that is root-equivalent anyway, then replacing setuid with setcap has no benefit. I'd estimate that about half the capabilities are in each category. (Please interpret "root" in this comment as shorthand for "unrestricted uid 0 with all capabilities".)

For example, CAP_CHOWN lets you give yourself ownership of /bin/sh and trojan other processes, or temporarily give yourself ownership of /etc/sudoers and subvert sudo, so that's root-equivalent; CAP_DAC_OVERRIDE lets you write to system files, ditto; CAP_SETFCAP lets you give yourself any other capability; CAP_SETUID lets you become uid 0 and do AF_UNIX IPC to any process that trusts uid 0, like for example systemd; CAP_SYS_ADMIN does dozens of miscellaneous things including manipulating the mount table, which for example lets you swap out authorization configuration and become root that way; CAP_SYS_PTRACE lets you attach a debugger to a privileged process and make it execute arbitrary code for you; and so on.

Unfortunately, a lot of the behaviours we want from setuid programs do need one of the capabilities that is root-equivalent. bubblewrap briefly supported being installed either setuid-root or setcap on systems where unprivileged users can't normally create new user namespaces, but then its maintainers realised that there was no actual security benefit to it being setcap, because one of the capabilities it needs is CAP_SYS_ADMIN, so for simplicity it now only supports the two extreme positions: either completely unprivileged, or setuid-root.

"run0" as a sudo replacement

Posted Apr 30, 2024 20:59 UTC (Tue) by smcv (subscriber, #53363) [Link]

> AF_UNIX IPC to any process that trusts uid 0, like for example systemd

... and the reason why services like systemd trust uid 0, rather than trusting processes that have (say) CAP_SYS_ADMIN, is that there is a secure, race-free, widely-available mechanism to ask the kernel "does this AF_UNIX connection come from uid 0?", but no widely available way to ask "does the other end of this AF_UNIX connection have CAP_SYS_ADMIN?" without an exploitable race condition.

(pidfd might solve that, but is not yet ubiquitous.)

"run0" as a sudo replacement

Posted Apr 30, 2024 21:54 UTC (Tue) by flussence (subscriber, #85566) [Link]

Good explanations, thank you.

The general sense I've gotten from exploring capability stuff is that it's still useful for defense in depth, but like you point out it's not watertight. That may just be from a lack of eyes on it.

"run0" as a sudo replacement

Posted May 1, 2024 8:55 UTC (Wed) by NYKevin (subscriber, #129325) [Link]

I'm pretty sure the only security benefit of root-equivalent capabilities (which is most of the interesting ones) is to make bootstrapping an RCE attack more complicated.

"run0" as a sudo replacement

Posted Apr 30, 2024 19:38 UTC (Tue) by jlayton (subscriber, #31672) [Link]

Seems effectively like sudo implemented in a different way. Instead of a setuid binary that consults /etc/sudoers to enforce permissions, you have a running daemon that spawns privileged processes on demand and based on polkit.

Is that more secure? Possibly. setuid binaries are horrible, so having this power concentrated in a running daemon may be better and simpler to audit.

One thing I might wish for here: today I do occasionally have to kill off a privileged process that was spawned via sudo. It would be nice to keep a table of requestor pid vs. privileged spawned pid that could be queried in some fashion, in case you do need to do that sort of tracking down of processes.

"run0" as a sudo replacement

Posted Apr 30, 2024 20:50 UTC (Tue) by mezcalero (subscriber, #45103) [Link]

If you use run0 to acquire a privileged shell, than this really just means that systemd forks off a new service (and session scope) for you that the shell is in, on a pty chosen by the client. This means your shell shows up in the regular list of running services in "systemctl". And you can interact with it like any other unit, i.e. kill the thing, see which processes it contains, do resource accounting on it, even manage resources, and so on.

We do not propagate info about the originating user right now into the service metadata. I guess we could do that though, for example simply in the description string for the service. Makes sense I guess.

"run0" as a sudo replacement

Posted May 1, 2024 8:54 UTC (Wed) by PhilippWendler (subscriber, #126612) [Link]

Oh yes, that would be appreciated. If I login to a server and see a shell running as root, I definitively want to be able to trace it back to the user who started it.

"run0" as a sudo replacement

Posted May 2, 2024 9:39 UTC (Thu) by taladar (subscriber, #68407) [Link]

It would probably be a good idea to have at least basic metadata available in a more machine readable way than as part of the description string.

"run0" as a sudo replacement

Posted May 1, 2024 9:25 UTC (Wed) by vegard (subscriber, #52330) [Link]

As far as I can tell, run0 still needs /usr/libexec/polkit-agent-helper-1 to be setuid-root in order to authenticate the user. That's a much smaller attack surface than sudo but this mechanism is still using setuid-root at some point.

"run0" as a sudo replacement

Posted May 1, 2024 9:52 UTC (Wed) by bluca (subscriber, #118303) [Link]

Yes, that's an implementation detail of polkit, and iirc is related to PAM - however, the key difference is that program won't run on input from the caller or using the caller's payload. Yes ideally it should be reimplemented to do the same without setuid.

"run0" as a sudo replacement

Posted Apr 30, 2024 21:53 UTC (Tue) by timrichardson (subscriber, #72836) [Link]

based on recent form of systemd proactively reducing attack surface area and unknowingly thwarting the xz attack, does this mean that we are a few months away from a currently-secret exploit of sudo?

"run0" as a sudo replacement

Posted Apr 30, 2024 22:05 UTC (Tue) by bluca (subscriber, #118303) [Link]

...somewhere, Jia Tan is going: "Oh come on, not again!!"

"run0" as a sudo replacement

Posted May 1, 2024 1:57 UTC (Wed) by ejr (subscriber, #51652) [Link]

And you, dear person, win the award for most relevant comment in my opinion.

"run0" as a sudo replacement

Posted May 1, 2024 6:12 UTC (Wed) by wtarreau (subscriber, #51152) [Link]

There are good ideas there but I suspect it could shift the complexity to how to prevent abuses and/or how to make sure a user can always kill their processes. Because if I Ctrl-C a setuid process I just started, the terminal sends it SIGINT and it can stop (assuming it doesn't intercept the signal). Until the process switches its ruid the user can even send it whatever signal it wants and kill it. If the process faces some dirty errors, it can die. Here, the errors in the client might be harder to convert into the right action on the started process. On the other hand, the daemon will always have the permissions to kill that process when properly instructed to do so, but I really suspect that dealing with corner cases in that area will not be trivial to satisfy all users. For example I can easily use sudo to start a process that I want to run in foreground after redirecting stdio to /dev/null and issuing disown. Here, doing so will mean the client stays connected and redirected. It can make sense sometimes but it not necessarily desirable. Also, one will have to define what environment variables have to be passed, and at some point if a dynamic linker has trouble dealing with one such variable, we're back to the current problem of cleaning the environment.

I'm not completely sold to it. I think it could be a nice complement to sudo but am not 100% convinced that users (or developers) will be willing to alias sudo to run0 everywhere yet.

"run0" as a sudo replacement

Posted May 1, 2024 8:21 UTC (Wed) by mezcalero (subscriber, #45103) [Link]

run0 puts the source pty in raw mode (i.e. disables processing of C-c) and the target pty in cooked mode (i.e. it will processing of C-c and turn it into SIGINT for the fg process group). This means that C-c just works like it always works, i.e. will kill the last process in the chain.

This isn't novel. It's exactly what ssh does too (and telnet before it). The C-c is routed to the right place following the semantics UNIX intended.

"run0" as a sudo replacement

Posted May 1, 2024 16:30 UTC (Wed) by damaya1982 (subscriber, #170817) [Link]

Someone needs to keep Lennart busy. He spends a lot of time sitting around thinking about how to fix things that are not broken. His evidence that sudo is problematic is a single post from 2016 on someone's blog, while totally ignoring previous security issues related to polkit.

"run0" as a sudo replacement

Posted May 1, 2024 16:59 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link]

The problems with sudo have been known for decades by now. That's why OpenBSD has `doas`.

PolKit is indeed a strange beast, and it also needs to be replaced. It's not the worst auth framework, though.

"run0" as a sudo replacement

Posted May 1, 2024 17:46 UTC (Wed) by ferringb (subscriber, #20752) [Link]

I think the thing folks are forgetting here is that the most important interface here is run0; there's nothing stopping others from implementing alternative policy backings, and for migration (behind the scenes) to become an option. Consider the replacement of pulseaudio with wireplumber, and the shims folks built to (mostly) make this transparent.

The most important step here is decoupling the policy being SUID side (and relying on SUID), and getting a standard API for CLI privilege escalation. Once that's in place folks can change up the backend as desired.

"run0" as a sudo replacement

Posted May 1, 2024 18:37 UTC (Wed) by damaya1982 (subscriber, #170817) [Link]

Beyond replacing bash scripts with unit files, I have yet to see how migrating everything into systemd has been a great improvement. If systemd were simply an init system, then I'd have very few complaints since it fulfills that need quite well. This to me is yet another case of Lennart thinking he needs to add something to systemd that simply does not to be under that umbrella.

Before I could have a system without sudo at all. It sounds like every system will have run0 by virtue of the fact that it uses systemd, which to me is ridiculous. Why should I need all of these things simply because I am using an init system?

"run0" as a sudo replacement

Posted May 1, 2024 18:47 UTC (Wed) by Cyberax (✭ supporter ✭, #52523) [Link]

Well, don't use run0 then.

"run0" as a sudo replacement

Posted May 1, 2024 19:11 UTC (Wed) by pizza (subscriber, #46) [Link]

You are missing the point that 'run0' is little more than a command line wrapper for functionality that systemd has had from the beginning -- ie the functionality needed to launch (and otherwise manage) executables running as arbitrary users in a controlled environment.

The only new functionality here is tying the pty of the launched executable back to the terminal of the user instead of redirecting all output to the journal. Well, and some cmdline syntactic sugar that lets run0 be a drop-in replacement for most sudo invocations.

99% of the time, the local user has full rights to make sudo execute whatever they want, often without even entering a password; run0 is a vastly simpler replacement for that overwhelmingly common use case. For the remaining 1% where you have finer-grained access control (and/or its wide swath of authentication/permission mechanisms) in /etc/sudoers, 'sudo' remains available.

Personally, there doesn't appear to be anything I use sudo for that run0 can't handle. Indeed, it would actually _simplify_ some stuff that requires me to further sanitize the environment that sudo creates..

"run0" as a sudo replacement

Posted May 2, 2024 11:43 UTC (Thu) by farnz (subscriber, #17727) [Link]

IIUC, some of that 1% with finer-grained access control can be met for run0 via polkit rules controlling what you can and cannot do, at that.

"run0" as a sudo replacement

Posted May 2, 2024 0:12 UTC (Thu) by ferringb (subscriber, #20752) [Link]

I mean... as others said, don't use it. Also lay off the ad hominem crap towards Lennart; any argument you may have sounds markedly dafter via behaving like that.

If you don't like what a developer is doing- someone donating code *to everyone, including the ungrateful*- then don't use it, or better yet, skip the chat boards and go write an alternative and try to convince folks it's better.

Udev, systemd, systemd-boot, etc; if you were around/hacking on the old init system internals and trying to make this all do the things needed, you'd find that eventually the best approach is to have them under the same house. The fact is there are interdependencies across all of it and bash absolutely does not cut it. Trace the eveolution of openrc's metadata additions if in doubt.

Look, go back to bash scripts. For your needs perhaps it's enough, but everything I've worked with across 25 years, the systemd folks are on the right track, including building actual community support across the developers/maintainers- the folks who actually do the work.

"run0" as a sudo replacement

Posted May 2, 2024 2:45 UTC (Thu) by sjj (subscriber, #2020) [Link]

Your comments are totally uncalled for ad hominem attacks for no reason. From behind a nym. You should be ashamed.

"run0" as a sudo replacement

Posted May 2, 2024 10:12 UTC (Thu) by damaya1982 (subscriber, #170817) [Link]

When it comes to Lennart, I feel no shame in criticizing him. I stand by the statement, Lennart looks to fix things that are not broken in the first place, and that fix is "Put it under the systemd umbrella" every single time.

"run0" as a sudo replacement

Posted May 2, 2024 9:37 UTC (Thu) by motk (subscriber, #51120) [Link]

Please feel free to stick with Slackware or whatever, thanks.

"run0" as a sudo replacement

Posted May 2, 2024 10:36 UTC (Thu) by damaya1982 (subscriber, #170817) [Link]

I made the switch to FreeBSD a long time ago. This was around the time some guy

* who ignores POSIX standards
* created Avahi
* has no issue with breaking userspace (though complains when kernel devs break systemd)
* thinks you reduce the attack surface by putting everything under PID 1
* has a real goal of putting everything in systemd

started to have a real say in the direction of things. Now that he works for Microsoft I'd suggest he go screw that OS up, but that mission accomplished banner flew a long time ago.

"run0" as a sudo replacement

Posted May 2, 2024 11:21 UTC (Thu) by niner (subscriber, #26151) [Link]

So you have no actual experience with systemd and the improvements it brings and only know the broken state pre-systemd as normal yet still feel qualified to judge.

Please, since it doesn't affect you anyway, feel free to completely ignore systemd and keep your thoughts on it an Lennart off lwn.net. I don't think anyone sees these comments as a benefit to LWN readers. In fact a few people clearly say the opposite.

"run0" as a sudo replacement

Posted May 2, 2024 11:51 UTC (Thu) by damaya1982 (subscriber, #170817) [Link]

I'm pretty sure making the choice to switch the OS on my own systems does not mean I no longer have to work with other operating systems. Maybe I should keep my comments to other forums (e.g., Hackernews) where there's actual discussion regarding what Lennart puts forward, rather than simply acting like everything Lennart does is perfect, exactly what we need.

As I said above, the unit files are great. Systemd has done a pretty good job as an init system, and most people would have zero complaints if that is all it did. However, Lennart wants to put everything under the umbrella of system. So, when using an init system you're getting far more than an init system, and the replacements within systemd are often flaky junk. Maybe it is because trying to do everything spreads a person thin?

And frankly, Lennart is no saint. He acts like an insecure person when he is critiqued. I'm not wishing death on the guy, or harm to him in any way. I am simply saying that his contributions have been a net negative. Had systemd remained an init system, I would not be saying that.

A request

Posted May 2, 2024 13:41 UTC (Thu) by corbet (editor, #1) [Link]

If you think that there is something technically wrong with run0, feel free to discuss it here. But you need to refrain from attacks on people, even the ones you disagree with. That is not what LWN is for.

A request

Posted May 2, 2024 14:22 UTC (Thu) by damaya1982 (subscriber, #170817) [Link]

My attack is literally against the person and their philosophy concerning development. Their original post on Mastadon falls in line with their general philosophy, that is to replace everything with something (often flaky) within systemd. I'm not entirely sure how you expect people to completely separate Lennart from his entire philosophy.

A request

Posted May 2, 2024 14:37 UTC (Thu) by niner (subscriber, #26151) [Link]

Your attack is not against Lennart's philosophy. It's against your _assumption_ of what Lennart's philosophy might be. Have you ever considered that your assumption may just be wrong? That would leave you attacking a person for no good reason, wouldn't it? Can you see why people would frown upon that? Even more, you lament the unwillingness to discuss here. But you didn't discuss either, did you? Going by your own words, you attacked. I don't think attacking someone has ever led to a fruitful discussion. So again, are you really surprised that one didn't spring up here?

For what it's worth, I do not see your assumption supported by Lennart's actual actions. Instead for every single new solution that systemd picks up, I see a well argued reason for why this is better than what existed before. It's also not just arguments. The fact alone that in this case run0 is just a thin convenience wrapper over functionality that emerged from the existing low level building blocks also suggests, that this is just good engineering.

A request

Posted May 2, 2024 15:06 UTC (Thu) by farnz (subscriber, #17727) [Link]

Indeed, their attack is against something that I, personally, do not see Lennart doing; Lennart's philosophy from my perspective is twofold: first, don't work around bugs when you could go to the upstream or downstream project and fix them (which is where a lot of PulseAudio issues came from), and secondly, try to minimize divergence for divergence's sake between Linux distros (e.g. spelling it "up" in one distro and "start" in another).

Plus, a lot of systemd code comes from people other than Lennart.

"run0" as a sudo replacement

Posted May 3, 2024 14:44 UTC (Fri) by mtthu (subscriber, #123091) [Link]

Well, this depends on your definition of "broken". I mean a house which is on fire is also not technically broken.

"run0" as a sudo replacement

Posted May 1, 2024 20:02 UTC (Wed) by mb (subscriber, #50428) [Link]

With run0 I will finally be able to uninstall sudo on almost all of my systems.
That greatly reduces the attack surface.
systemd (and systemd-run) is installed on all of my systems, anyway.

TIOCSTI

Posted May 2, 2024 9:38 UTC (Thu) by cortana (subscriber, #24596) [Link]

I'm quite surprised that various utilities (su, runuser, pkexec) never got patched by distros to make them secure against TIOCSTI attacks. Expecting users to never once forget to add --pty to su when dropping privileges, or when running runuser, just isn't even good enough. Not to mention expecting all scripts to be rewritten... and as for pkexec, it doesn't even have an option to protect from TIOCSTI!

(I know modern kernels have a sysctl that disables TIOCSTI but that's not been backported to Debian or RHEL's kernels...)

"run0" as a sudo replacement

Posted May 2, 2024 12:59 UTC (Thu) by e-rk (subscriber, #166547) [Link]

It was very informative to read the problems that SUID programs have to deal with and the run0 approach seems to make a lot of sense.
I'm just hoping that the command won't have a number in its name, because it makes it awkward to type.

Finally admin actions will start working just as well as audio (with PulseAudio)

Posted May 5, 2024 12:34 UTC (Sun) by habets (guest, #72220) [Link]

This will do wonders for my AAPL and MSFT investments.

Finally admin actions will start working just as well as audio (with PulseAudio)

Posted May 5, 2024 13:58 UTC (Sun) by pizza (subscriber, #46) [Link]

> This will do wonders for my AAPL and MSFT investments.

Haven't you heard? Thanks to Azure, what's good for Linux is _very_ good for MSFT these days.

Meanwhile, AAPL is going to AAPL and continue to vertically integrate whatever the f- regulators let them get away with. They don't give a gnat's crap about what "Linux" does.

"run0" as a sudo replacement

Posted May 6, 2024 20:31 UTC (Mon) by immibis (subscriber, #105511) [Link]

This is an invitation to inadvertent state changes (or rather non-copying of state). If I run "sudo rm /foo/bar" I expect it to affect the same /foo/bar that I just inspected without sudo. It only takes one private mount point or chroot or namespace to not be correctly copied over to the new "rm" process for me to delete the wrong file.


Copyright © 2024, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds