The sudo command is widely regarded as a fundamental tool in our everyday Linux operations, so much so that we almost take its presence for granted. But what if I told you that its days might well be numbered, and new versions of systemd may mark the beginning of its sunset? No, I’m not rambling. Here’s what it’s all about.
In his latest post, Lennart Poettering, the mastermind behind systemd, shares a thoughtful critique and robust replacement for the longstanding sudo command.
He argues that the core issue with sudo lies in its SUID nature, which allows a process to execute with elevated privileges partially controlled by unprivileged code, demanding meticulous manual cleanup—a recipe for potential security breaches.
“I personally think that the biggest problem with sudo is the fact it’s a SUID binary though – the big attack surface, the plugins, network access and so on that come after it just make the key problem worse…”
In light of this, his vision for a more secure system involves completely eliminating SUID binaries, pushing for an architecture where privileged code operates independently of unprivileged interference.
“So, in my ideal world, we’d have an OS entirely without SUID. Let’s throw out the concept of SUID on the dump of UNIX’ bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful, manual clean-up is just not how security engineering should be done in 2024 anymore.”
Enter run0, systemd’s latest innovation slated for release in v256. It is not just a new tool but a reimagined systemd-run, accessible via a symlink, that mimics sudo without actually being an SUID binary.
It operates by requesting the service manager to execute commands under the target user’s UID, creating a new PTY (pseudoterminal), and transferring data between the original TTY and this PTY.
This setup ensures that the command executes in an isolated environment, freshly forked off from PID 1, without inheriting any problematic context from the client.
Moreover, run0 sidesteps sudo-style configuration by delegating authorization to polkit, which simplifies the user interaction and further hardens the execution path.
The tool also adds a touch of user-friendly flair: when operating with elevated privileges, it modifies the terminal background to a reddish hue, serving as a visual cue of one’s elevated status—a simple yet effective reminder to manage privileges responsibly.
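The article’s point is that the SUID bit itself is the attack surface. As an added example (not from the article, and not systemd’s own code), here is a small POSIX shell audit that inventories setuid/setgid files under a directory tree and classifies a binary after resolving symlinks, so that run0 (a symlink to systemd-run) reads as not-suid while a classic sudo reads as suid. The function names, the search directories and the --audit flag are this example’s own assumptions.

```shell
#!/bin/sh
# Added example (not from the article or systemd): inventory the SUID/SGID
# attack surface the article says run0 is designed to avoid.
# Assumes POSIX find/test plus readlink -f (GNU/busybox).

# Print every regular file under $1 carrying the set-user-ID or set-group-ID bit.
list_setid_files() {
    dir="$1"
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Echo how many setuid regular files exist under $1.
count_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | wc -l | tr -d ' '
}

# Echo "suid" or "not-suid" for the executable at $1, after following
# symlinks (run0 -> systemd-run), because the bit lives on the target.
classify_setuid() {
    target=$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")
    if [ -u "$target" ]; then
        echo suid
    else
        echo not-suid
    fi
}

# Stand-alone use: ./audit.sh --audit lists setid files in the usual binary
# directories, then reports how sudo and run0 are installed on this host.
if [ "${1:-}" = "--audit" ]; then
    for d in /usr/bin /usr/sbin /bin /sbin; do
        [ -d "$d" ] && list_setid_files "$d"
    done
    for b in sudo run0; do
        p=$(command -v "$b" 2>/dev/null) && printf '%s: %s\n' "$b" "$(classify_setuid "$p")"
    done
fi
```

On a host with systemd v256, the last loop is expected to print `sudo: suid` and `run0: not-suid`; the first loop is the list of binaries that would have to disappear for Poettering’s “OS entirely without SUID”.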
In conclusion, one thing is certain—this will spark further debate within the Linux community. Another certainty is that systemd v256 is now 88% complete, with little left until its final stable release. And what will happen after that remains to be seen.
For detailed information, here is Poettering’s post.