The sudo command is widely regarded as a fundamental tool in our everyday Linux operations, so much so that we almost take its presence for granted. But what if I told you that its days might well be numbered, and new versions of systemd may mark the beginning of its sunset? No, I’m not rambling. Here’s what it’s all about.
In his latest post, Lennart Poettering, the mastermind behind systemd, shares a thoughtful critique and robust replacement for the longstanding sudo command.
He argues that the core issue with sudo lies in its SUID nature, which allows a process to execute with elevated privileges partially controlled by unprivileged code, demanding meticulous manual cleanup—a recipe for potential security breaches.
“I personally think that the biggest problem with sudo is the fact it’s a SUID binary though – the big attack surface, the plugins, network access and so on that come after it it just make the key problem worse…”
In light of this, his vision for a more secure system involves completely eliminating SUID binaries, pushing for an architecture where privileged code operates independently of unprivileged interference.
“So, in my ideal world, we’d have an OS entirely without SUID. Let’s throw out the concept of SUID on the dump of UNIX’ bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful, manual clean-up is just not how security engineering should be done in 2024 anymore.”
Enter run0, systemd’s latest innovation slated for release in v256. It is not just a new tool but a reimagined systemd-run, accessible via a symlink, that mimics sudo without actually being an SUID binary.
It operates by requesting the service manager to execute commands under the target user’s UID, creating a new PTY (pseudoterminal), and transferring data between the original TTY and this PTY.
This setup ensures that the command executes in an isolated environment, freshly forked off from PID 1, without inheriting any problematic context from the client.
Moreover, run0 eschews traditional configuration complexities by utilizing polkit for authorization, streamlining user interactions, and further securing the execution process.
The tool also adds a touch of user-friendly flair: when operating with elevated privileges, it modifies the terminal background to a reddish hue, serving as a visual cue of one’s elevated status—a simple yet effective reminder to manage privileges responsibly.
In conclusion, one thing is certain—this will spark further debate within the Linux community. Another certainty is that systemd v256 is now 88% complete, with little left until its final stable release. And what will happen after that remains to be seen.
For detailed information, here is Poettering’s post.
This idea isn’t new and LP reinvented the wheel again, but attached heavy marketing to it and made it with a hard dependency on libsystemd. The same idea was originally explored by s6 project’s s6-sudod program, probably even earlier.
Unprivileges accounts on Linux servers are only for running sudo. It is because of several reasons: fragmented bash history across multiple accounts, inabilility to share tmux sessions between users, read log files and doing anything. It’s like Internet Explorer, when everyone was just downloading a browser with it.
Let sudo stays where it is. Do run0 and admins will switch for new features.
Exactly which intelligence agencies is Mr. Poettering connected with? Even if you dismiss that question as part of a paranoid fantasy, why should a single person have so much say in how the Linux world moves forward? This is the problem with a component such as systemd having its tentacles dug into things much deeper that is necessary or desirable. Some people only learn the hard way, if at all.
I’m ok with a more secure terminal as long as all commands and functions remain the same. I do not want somthing where I type sudo whatever and it does not work so hopefully I can still type sudo in this.. I know how to use current terminal and do not want to learn anything new..
They will not in this case, because the problem with sudo is not with the syntax, thou gimnastics with env varibles using sudo, or subtle differencies between sudo and linger capable account using podman are quite tricky.
It would not be sysadmins problems at all, since run0 mimics sudo commands pretty well from day 1. Problem is for developers, if they want both run0 capabilities and sudo compabilities. Like everything with wayland and x nowadays.
Remember that Poettering works for Microsoft and its corporate policy is embrace-extend-extinguish. The company is already heavily entrenched in the Linux Foundation as well.
Don’t touch sudo please. You’ll just disrupt the industry.
Here he goes again, fixing something that isn’t broke. Sudo works perfectly and has been since the early days of Unix.
Let me rephrase that for you: here goes another anti-systemd-bandwagon quip without actually understanding why this exists nor reading the post.
Why do those with vocal anti-systemd rhetoric most of the time seem to be those who don’t even need to think about it, and haven’t administered Linux/Unix systems long enough to know the pains of the so-called early days?