• @SwingingTheLamp@midwest.social
    link
    fedilink
    English
    57 months ago

    This just sounds like a bad idea, a solution in search of a problem. Sure, sudo is a setuid binary, but it’s a fairly simple program, and at some point, you have to trust the code. It’s also a very fundamental piece of the system that you want to always work, even (especially!) when other things get borked. The brief description of run0 already has too many potential points of failure.

      • @LeFantome@programming.dev
        link
        fedilink
        57 months ago

        I mostly agree with your write-up here. That said, I do think that systemd does want to eliminate SUID. I also think they want to absorb most of the low level system plumbing.

          • TechNom (nobody)
            link
            fedilink
            English
            07 months ago

            There are other applications that use suid (like newuidmap). And there are programs that use capabilities (like ping). I’m pretty sure that this logic will be used to justify assimilating those applications too. But I’m sure that the crowd will cheer them on as if they did something revolutionary.

    • lemmyvore
      link
      fedilink
      English
      477 months ago

      sudo is a setuid binary, but it’s a fairly simple program

      Sudo is actually fairly huge and complex. Alternatives like really or doas or su are absolutely tiny by comparison.

    • lemmyreader
      link
      fedilink
      English
      227 months ago

      Sure, sudo is a setuid binary, but it’s a fairly simple program, and at some point, you have to trust the code.

      Have to trust the code ? doas for OpenBSD was created because of issues with sudo.

      Talking with deraadt and millert, however, I wasn’t quite alone. There were some concerns that sudo was too big, running too much code in a privileged process. And there was also pressure to enable even more options, because the feature set shipped in base wasn’t big enough.

    • Max-P
      link
      fedilink
      187 months ago

      I’ve actually ran into some of those problems. If you run sudo su --login someuser, it’s still part of your user’s process group and session. With run0 that would actually give you a shell equivalent to as if you logged in locally, and manage user units, all the PAM modules.

      systemd-run can do a lot of stuff, basically anything you can possibly do in a systemd unit, which is basically every property you can set on a process. Processor affinity, memory limits, cgroups, capabilities, NUMA node binding, namespaces, everything.

      I’m not sure I would adopt run0 as my goto since if D-Bus is hosed you’re really locked out and stuck. But it’s got its uses, and it’s just a symlink, it’s basically free so its existence is kBs of bloat at most. There’s always good ol su when you’re really stuck.

    • Para_lyzed
      link
      fedilink
      14
      edit-2
      7 months ago

      sudo is not a fairly simple program. Last I checked, it had ~177k lines of code. It provides functionality far beyond what is needed of an average user. doas is a simpler alternative (also using SUID) at ~3k lines of code. It comes from OpenBSD. There is absolutely a problem when it comes to SUID binaries. If you can find a way to exploit the permissions given at the start of the SUID binary before user authentication occurs (since the UID is set before the binary runs), you have yourself a full privilege escalation vulnerability. systemd is very well integrated with the distros that use it, being the first process to run after the kernel is initialized. There will never be a point at which systemd is not functioning, but the rest of your system is perfectly fine. It is an absolutely necessary part of the system (assuming your distro uses it), and if it goes down, you have to restart your system. As such, I don’t see any validity to the statement “you want to always work, even (especially!) when other things get borked”. What exactly do you see as being an issue with run0? What specific part of its implementation do you seem to have a problem with? It’s just a symlink to systemd-run, which is already very well tested and has been around for a long time. It’s also far simpler than sudo, and removes the attack surface of running an SUID binary of its size. What “points of failure” do you see here, exactly?

    • I have 0 knowledge of these things, but I do know that people always comment that sudo is bloated, that nobody is truly using everything that sudo can do, only one basic command.

      • The Doctor
        link
        fedilink
        English
        17 months ago

        Nobody is using all of sudo’s features because those features are for different use cases. Case in point, LDAP support. At home, pretty much nobody uses it. But on the job, where there are tens to hundreds of machines that someone might need, and they’re all hooked into LDAP for centralized authentication management, it makes sense to have that built into sudo. Same with Kerberos support - at home, forget it, but in a campus environment where Kerberos (and possibly AFS) are part of the network, it makes sense.

    • ferret
      link
      fedilink
      English
      147 months ago

      Have you seen the average sudoers file? It is not simple in the slightest

    • @Zucca@sopuli.xyz
      link
      fedilink
      English
      107 months ago

      sudo is a setuid binary, but it’s a fairly simple program

      Some people would disagree to this.

      The brief description of run0 already has too many potential points of failure.

      If the “listener” is PID1, which will run the privileged command, in theory, it would be quite bullet proof (in a working system PID1 is always there). But since this is systemd, PID1 is much more than that and much more complex. On the other hand spawning another daemon from PID1 to be the “listener” makes it, perhaps, even more complicated. You’d have to make sure the listener is always running and have some process supervisor there to watch if it exits… and maybe even a watchdog polling it to make sure it isn’t frozen.

      So my conclusion is the same as yours:

      a solution in search of a problem

      We already have a working solution. Have a well written SUID program. I’ve been using doas for some years now. It’s simple enough that I trust it.

      • lemmyvore
        link
        fedilink
        English
        27 months ago

        I’ve always wondered why we even bother with SUID commands. Why not just log in as root?

        • Kata1yst
          link
          fedilink
          77 months ago

          On a server, it allows you to track who initiates which root season session. It also greatly minimizes the attack surface from a security perspective to have admin privileged accounts unable to be remotely connected to.

          • lemmyvore
            link
            fedilink
            English
            27 months ago

            On a server, it allows you to track who initiates which root season session.

            Wouldn’t separate SSH keys achieve the same?

            greatly minimizes the attack surface from a security perspective to have admin privileged accounts unable to be remotely connected to.

            Really? How, exactly? Break the ssh key authentication? And wouldn’t that apply to all accounts equally?

            • Kata1yst
              link
              fedilink
              47 months ago

              Wouldn’t separate SSH keys achieve the same?

              Separate ssh keys for the user and the admin? Yeah, see point 2, admins should not be remotely accessible.

              Really? How, exactly? Break the ssh key authentication? And wouldn’t that apply to all accounts equally?

              Keys aren’t perfect security. They can easily be mishandled, sometimes getting published to GitHub, copied to USB drives which can easily be lost, etc.

              Further, there have been attacks against SSH that let malicious actors connect remotely to any session, or take over existing sessions. By not allowing remote access on privileged accounts, you minimize risk.

              Forcing a non privileged remote session to authenticate with a password establishes a second factor of security that is different from the first. This means a cracked password or a lost key is still not enough for a malicious actor to accomplish administrative privileges.

              A key is something you have

              A password is something you know

              So, by not allowing remote privileged sessions, we’re forcing a malicious actor to take one more non-trivial step before arriving at their goals. A step that will likely be fairly obvious in logs on a monitored machine.

              • lemmyvore
                link
                fedilink
                English
                0
                edit-2
                7 months ago

                If I get into your non-privileged account I can set up a program that acts like sudo and I bet 99% of people will never notice they just gave their password away. And even if they do it’s too late anyway because I’ve just compromised root and locked everybody out and I’m in there shitting on the filesystems or whatever. Because root can do anything.

                And if I can’t break into your non-privileged account then I can’t break into a privileged account either.

                These artificial distinctions between “non-privileged” and “superuser” accounts need to stop. This is not good security, this is not zero trust. Either you don’t trust anybody and enforce explicit privilege escalation for specific things, or just accept that you’re using a “super” paradigm and once you’ve got access to that user all bets are off.

                • Kata1yst
                  link
                  fedilink
                  47 months ago

                  I strongly disagree with your premise. Separating authentication and privilege escalation adds layers of security that are non-trivial and greatly enhance resilience. Many attacks are detected and stopped at privilege escalation, because it happens locally before a user can stop or delete the flow of logs.

                  If I get into your non-privileged account I can set up a program that acts like sudo

                  No you cannot. A non privileged user doesn’t have the access necessary to run a program that can accomplish this.

                  And even if they do it’s too late anyway because I’ve just compromised root and locked everybody out and I’m in there shitting on the filesystems or whatever. Because root can do anything.

                  Once again, you didn’t privilege escalate, because once you have a foothold (authentication) you don’t have the necessary privileges, so you must perform reconnaissance to identify an exploitable vector to privilage escalate with. This can be any number of things, but it’s always noisy and slow, usually easy to detect in logs. There is a reason the most sophisticated attacks against well protected targets are “low and slow”.

                  And if I can’t break into your non-privileged account then I can’t break into a privileged account either.

                  You’re ignoring my points given regarding the risks of compromised keys. If there are no admin keys, there are no remote admin sessions.

                  These artificial distinctions between “non-privileged” and “superuser” accounts need to stop. This is not good security, this is not zero trust. Either you don’t trust anybody and enforce explicit privilege escalation for specific things, or just accept that you’re using a “super” paradigm and once you’ve got access to that user all bets are off.

                  Spoken like someone who has never red teamed or purple teamed. Even admin accounts are untrusted, given only privileges specific to their role, and closely monitored. That doesn’t mean they should have valid security measures thrown away.

                  • lemmyvore
                    link
                    fedilink
                    English
                    27 months ago

                    A non privileged user doesn’t have the access necessary to run a program that can accomplish this.

                    It would be a script called “sudo” somewhere in your PATH. You type sudo, you give it your password, done.

        • TimeSquirrel
          link
          fedilink
          4
          edit-2
          7 months ago

          We used to do that a lot, in the 90s and early 2000s. We determined that that’s not a good idea. People even ran DEs under root.

          • lemmyvore
            link
            fedilink
            English
            17 months ago

            I’m not saying to run everything as root but most of the reasons given for sudo are bull. This blog post makes a good job of debunking them.

        • @atzanteol@sh.itjust.works
          link
          fedilink
          English
          37 months ago

          sudo and friends allow you to gain root access while not enabling the root account. If the root account has no credentials then nobody is guessing your password and logging in as an admin.

          On a multi-user system it allows for multiple admins without sharing a password. It also allows providing admin access for “some” things but not others.

          • lemmyvore
            link
            fedilink
            English
            17 months ago

            If the root account has no credentials then nobody is guessing your password and logging in as an admin.

            They just need to log in as you and trick you into entering your password in a seemingly legit prompt.

            On a multi-user system it allows for multiple admins without sharing a password.

            Multiple distinct ssh keys do the same. As long as everybody ends up doing things as the same user it’s all moot anyway.

            It also allows providing admin access for “some” things but not others.

            Can I provide selective access to just some files? Just some network interfaces? Just some ports? Just some parts of RAM or CPU? Without being able to change those limits?

              • lemmyvore
                link
                fedilink
                English
                27 months ago

                The point I’m trying to make is that having just one “super” account for everything is a very poor idea. A lot of work has gone into filtering access to the root account and very little into getting rid of the root account. Ideally nothing should run as root, it should run as individual accounts with varying levels of access on a need-to-have basis.

                • @atzanteol@sh.itjust.works
                  link
                  fedilink
                  English
                  37 months ago

                  "That’s* what you meant when you said this???

                  I’ve always wondered why we even bother with SUID commands. Why not just log in as root?

    • huf [he/him]
      link
      fedilink
      English
      87 months ago

      it took less than a day for someone to break run0 totally open, so basically, you have a choice between a well tested/debugged sudo and this new thing which may eventually mature