Lennart Poettering unveils run0, a systemd-integrated alternative to sudo

Lennart Poettering has introduced run0, a utility for running processes under another user's identity. It is positioned as a more secure replacement for sudo: it is implemented as a mode of the systemd-run command and does without a SUID executable altogether. run0 ships with systemd 256, which is currently at the release-candidate stage.

The rationale is that switching identity through a SUID binary, as sudo does, carries extra risk: the SUID process inherits an execution context with many properties the unprivileged caller controls, such as environment variables, open file descriptors, scheduler parameters and cgroup placement. The kernel sanitises some of these for SUID executables and the program has to scrub the rest itself, and vulnerabilities nevertheless keep turning up in complex SUID programs such as sudo because of careless handling of input an unprivileged user can influence.


Instead of relying on SUID, run0 asks the service manager (PID 1) to start a shell or command under the requested user ID, allocate a new pseudo-terminal (PTY) and shuttle data between it and the caller's terminal (TTY). The model resembles ssh more than classic sudo: the privileged process runs in a clean context, spawned by PID 1 rather than by the user's own process, so it inherits nothing from the user's environment except the $TERM variable, which is forwarded explicitly. What is passed through is governed by an explicit list of permitted properties rather than an attempt to block known-dangerous ones (an allowlist instead of a denylist).

Authorization, and the determination of what a user is permitted to do, is handled by Polkit; sudo's classic rules language (/etc/sudoers) is not supported. The privilege-switching functionality lives in systemd-run itself, and run0 is a symbolic link to systemd-run that, when invoked under that name, presents a sudo-like command-line interface.

An additional run0 feature is a visual indication of elevated privileges: the terminal background is tinted reddish and a red dot is added to the window title; once the privileged session ends, the dot disappears and the background returns to normal. run0 also accepts the --property= option, through which arbitrary systemd service settings can be applied to the spawned process (for example CPUWeight=200, MemoryMax=2G or IPAccounting=yes).
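The context-inheritance argument above (a SUID sudo child inherits the caller's environment, file descriptors, scheduling and cgroup, while a run0 child is spawned by PID 1 in a clean context) and the --property= option can both be checked directly. The script below is an added example, not code from the article or from systemd: it dumps the relevant properties from the unprivileged shell, then from a child launched by sudo and by run0, and finally from a run0 child with a MemoryMax= property so the setting can be read back from the cgroup. It assumes a Linux host with cgroup v2, GNU coreutils (readlink -f, nice), and that sudo and run0 (systemd 256 or later) are installed; a missing launcher is skipped. The filename probe-context.sh and the injected variable name INJECTED_VAR are assumptions, and the lowered file-descriptor soft limit is an extra probe beyond the properties the article lists.

```shell
#!/bin/sh
# Added example (not from the article or from systemd): show which parts of
# the caller's execution context reach a privileged child under sudo versus
# run0. Assumes Linux with cgroup v2, GNU coreutils, and optionally sudo and
# run0 from systemd >= 256; a launcher that is not installed is skipped.

# Report the context properties the article lists (environment, open file
# descriptors, scheduler niceness, cgroup placement) plus the caller's uid,
# one resource soft limit, and the cgroup's memory.max so that a
# run0 --property=MemoryMax= setting can be observed from inside the child.
probe() {
    cg=$(cut -d: -f3 /proc/self/cgroup 2>/dev/null | head -n 1)
    printf 'uid=%s\n' "$(id -u)"
    printf 'env_count=%s\n' "$(env | wc -l | tr -d ' ')"
    printf 'injected_var=%s\n' "${INJECTED_VAR:-unset}"
    printf 'fd_count=%s\n' "$(ls /proc/$$/fd 2>/dev/null | wc -l | tr -d ' ')"
    printf 'nice=%s\n' "$(nice 2>/dev/null || echo unavailable)"
    printf 'nofile_soft=%s\n' "$(ulimit -S -n)"
    printf 'cgroup=%s\n' "${cg:-unavailable}"
    printf 'memory_max=%s\n' \
        "$(cat "/sys/fs/cgroup${cg}/memory.max" 2>/dev/null || echo unavailable)"
}

# Pollute the caller's context on purpose (an extra environment variable, an
# extra open fd, a lowered soft limit), then re-run this script as the
# privileged child under each launcher and compare the reports.
demo() {
    script=$(readlink -f "$0")
    export INJECTED_VAR=set_by_unprivileged_caller
    ulimit -S -n 512
    exec 9</dev/null

    echo '== caller =='
    probe

    if command -v sudo >/dev/null 2>&1; then
        echo '== sudo =='
        sudo "$script" probe
    fi

    if command -v run0 >/dev/null 2>&1; then
        echo '== run0 =='
        run0 "$script" probe
        echo '== run0 --property=MemoryMax=256M =='
        run0 --property=MemoryMax=256M "$script" probe
    fi
}

case "${1:-}" in
    probe) probe ;;
    demo)  demo ;;
esac
```

Run it as `sh probe-context.sh demo` (both launchers may prompt for authentication). The caller section is the baseline; in the launcher sections, compare fd_count, nice, nofile_soft and the cgroup line against it. A sudo child stays in the caller's session cgroup and keeps whatever the kernel and sudo's own policy (for example its env_reset handling of INJECTED_VAR) do not strip, whereas a run0 child is started by PID 1 as a transient service unit, so its cgroup line moves out of the caller's session and the last section reports memory_max=268435456 from the MemoryMax=256M property.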
