Systemd Announces 'run0' Sudo Alternative

An anonymous reader quotes a report from Foss Outpost: Systemd lead developer Lennart Poettering has posted on Mastodon about their upcoming v256 release of Systemd, which is expected to include a sudo replacement called "run0". The developer talks about the weaknesses of sudo, and how it has a large possible attack surface. For example, sudo supports network access, LDAP configurations, other types of plugins, and much more. But most importantly, its SUID binary provides a large attack service according to Lennart: "I personally think that the biggest problem with sudo is the fact it's a SUID binary though -- the big attack surface, the plugins, network access and so on that come after it it just make the key problem worse, but are not in themselves the main issue with sudo. SUID processes are weird concepts: they are invoked by unprivileged code and inherit the execution context intended for and controlled by unprivileged code. By execution context I mean the myriad of properties that a process has on Linux these days, from environment variables, process scheduling properties, cgroup assignments, security contexts, file descriptors passed, and so on and so on."

He's saying that sudo is a Unix concept from many decades ago, and a better privilege escalation system should be in place for 2024 security standards: "So, in my ideal world, we'd have an OS entirely without SUID. Let's throw out the concept of SUID on the dump of UNIX' bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful manual clean-up is just not how security engineering should be done in 2024 anymore." [...]

He also mentioned that there will be more features in run0 that are not just related to the security backend such as: "The tool is also a lot more fun to use than sudo. For example, by default, it will tint your terminal background in a reddish tone while you are operating with elevated privileges. That is supposed to act as a friendly reminder that you haven't given up the privileges yet, and marks the output of all commands that ran with privileges appropriately. It also inserts a red dot (unicode ftw) in the window title while you operate with privileges, and drops it afterwards."

As long as sudo still works ...

[Alain Williams]

I will continue to use it. I cringe at the thought of the ever expanding attack surface of systemd.

Re:As long as sudo still works ...

[kriston]

I can't disagree.
Systemd already does too much. Kitchen sink and all.

Re:As long as sudo still works ...

[OngelooflijkHaribo]

I run Xorg as root. Many people say this is bad since it can run without root now, but in order to do that, one needs to run logind, or elogind as root. Elogind has had so many more security bugs than Xorg it's not even funny as a comparison, and logind depends on system for dubious “cgroup single writer" reasons that never manifested and systemd has even more.

Certainly, if one already run logind it's probably better to run Xorg as a user and run it through logind, but I don't run logind, and making logind run as root to stop Xorg running as root seems like a security downgrade to me.

I wish there were a very simple little piece of software that could handle seats that wasn't Logind or Consolekit though, both do too much and constantly have security issues, this would be a priority for me if other persons used my computer, but they don't, so right now I'm simply in the audio, video, and input group but this does mean that I can access the audio, screen and input devices even when I not physically be at the computer which at one point shouldn't be possible, but it's also something I sometimes need when I'm away from home and SSH in through a phone.

Re: As long as sudo still works ...

[Z00L00K]

Systemd should be a different OS and not a kludge on Linux.

Re:

[Jeremi]

Systemd should be a different OS and not a kludge on Linux.

It kind of is a different OS, but it's gestating inside of Linux, growing every year, and at some point it will start deprecating Linux out of the nest and eventually we'll all be running SystemD-OS (which used to include Linux, back in the day).

Re: As long as sudo still works ...

[BerkeleyDude]

Iâ(TM)d just like to interject for a moment. What youâ(TM)re refering to as SystemD-OS, is in fact, GNU/SystemD-OS, or as Iâ(TM)ve recently taken to calling it, GNU plus SystemD-OS. SystemD-OS is not an operating system unto itself, but rather another free component of a fully functioning GNU system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as defined by POSIX.

Re: As long as sudo still works ...

[BerkeleyDude]

(Also, holy shit, it's 2024, and Slashdot still can't handle Unicode...)

Re:

[tlhIngan]

(Also, holy shit, it's 2024, and Slashdot still can't handle Unicode...)

It's supported Unicode for nearly two decades now, actually.

The problem is, Unicode is constantly changing, and codepoints can be defined which have meanings that change.

So the designers made it a whitelist of allowed codepoitns, which basically is the ASCII set. Everything else is disallowed. Of course, since it's the ASCII set, all you have to do to enforce this is fix the high bit to zero.

But for a while there was a lot of abuse of t

Re:

[korgitser]

For those of us old enough to remember...

What we refer to as Linux should maybe rightfully be called GNU/Linux, as the OS is a combination of the Linux kernel with the GNU userland. There used to be an effort to make the longer name stick, but it's a mouthful, so nobody cared.

Where the SystemD project is going is to replace the GNU userland with a SystemD userland, one piece at a time. The project will be complete when there is no GNU left in the system, and the resulting OS will be rightfully called Syste

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Pot. Kettle. Black.

[chas.williams]

Don't worry—run0 will only be linked to necessary libraries, like xz, in case you want to enter compressed commands.

Re: Pot. Kettle. Black.

[guruevi]

That is the entire sudo ecosystem, which as implied, includes LDIF for LDAP which are not an attack surface, they are a feature. Also, the code style is intended for human readability so every function statement takes 3 lines (the return type, the function name and the open bracket).

Remove some of those function and now everyone with Linux on AD can no longer use groups for sudo rights. Or Solaris, or BSD. They all integrate at some level. Sudo is very powerful, but it is also rather succinct, the primary attack surface is from people not knowing how to configure it, but that is made all the worse with SystemD (seriously, this is from the guy that invented that you have to declare an empty variable with the same name before overriding said variable in an INI-style file that does not follow INI or variable declaration or any other conventions) and that overrides should not go in the configuration but a totally unrelated directory tree generally on a different partition.

The sudo binary is ~1kLOC and is very readable and even that already has a lot of SELinux and other stuff in it that probably can be included instead of inline.

Re:

[kriston]

and even that already has a lot of SELinux

Does it also have AppArmor?

Re: Pot. Kettle. Black.

[psmears]

not an attack surface, they are a feature

Most, if not all, attack surfaces are put in because they're also features. People don't generally go adding attack surfaces purely for the fun of it :)

Re: Pot. Kettle. Black.

[nightflameauto]

not an attack surface, they are a feature

Most, if not all, attack surfaces are put in because they're also features. People don't generally go adding attack surfaces purely for the fun of it :)

Except for the makers of SystemD, who started with the concept of an attack-surface, then started adding features on top of it.

Re:

[sinkskinkshrieks]

sudo codebase is crazy large, but it's been beaten-on, proven, and is ubiquitous. doas also exists so there's absolutely no need for run0.

Re:

[Seven Spirals]

Look at 'doas' in OpenBSD. Much smaller, much easier configuration file format (not that Sudo is bad, though), and no need to weld on 20 other services.

Re:Pot. Kettle. Black.

[CaptQuark]

"run0 make me a sandwich" just doesn't have the same ring

I stopped reading at Lennart Pottering

[He Who Has No Name]

Seriously, can somebody just pay the dude enough to fuck all the way off already?

Re:

[Nermal6693]

I stopped reading at "Systemd Announces". It's not an "AI", and it can't announce anything.

Re:I stopped reading at Lennart Pottering

[Early Six Digit UID]

It's not an AI *yet*. Don't give them ideas.

Re:I stopped reading at Lennart Pottering

[ArchieBunker]

I mean he works for Microsoft. That says it all.

SystemdOS

[markdavis]

> "So, in my ideal world, we'd have an OS entirely without SUID"

In *his* ideal world, he would have an OS with every service, even kernel functions, running under systemd... SystemdOS.

Re:SystemdOS

[hitchhikerjim]

...and let's call it EMACS!

Re: SystemdOS

[zkiwi34]

Come on now, EMacs doesn't deserve to be slandered by being associated with Systemd

Re:

[kriston]

I am a devoted Emacs user.

I also agree that Emacs tries to do too much, an idea exponential larger with systemd (and systemd includes root unlike Emacs).
Kitchen sink and all.

Re: SystemdOS

[hawk]

>Come on now, EMacs doesn't deserve to be slandered by being associated with Systemd

I dunno.

Have *you* ever seen emacs and systemd in the same room?

clearly they're the same, just with two names depending upon the audience . . .

Re:

[sinkskinkshrieks]

Your LISP gave you away.

Re:

[OngelooflijkHaribo]

Personally, I boot with init=/bin/emacs. Emacs/Linux has never failed me.

Re:SystemdOS

[multi io]

It lacks a good editor.

Re:

[gweihir]

Yep. And I will not touch that crap with a 10 foot pole. This guy really thinks he is the second coming of Linus.

What delusion

[OverlordQ]

And how it has a large possible attack surface.

And systemd *doesn't*!?

Really?

[fuzzyfuzzyfungus]

We're taking pious lectures about excessive attack surface and too many features from the systemd guy?

Re:Really?

[gweihir]

Well, I am not. This person is a fuckup with an oversized ego. He neither understands KISS nor "if it is not broken, do not fix it".

Re:Really?

[HBI]

Seems more like a monument to the store of goodwill that Lennart has built up over the years.

Re:

[drinkypoo]

But... how?

What he was known for before this was pulseaudio, which is trash. It was always trash and it's still trash, and now it's been replaced by something much better which has been around a much, much shorter time.

Where did the good will come from in the first place?

Re:

[HBI]

Imagine my lip twisted slightly.

There is little. The main problem with him is that he doesn't seek to build bridges but instead to "win", whatever, winning means. So he got systemd into many distributions, but also the means to remove systemd dependencies were fleshed out due to the lack of consensus. Probably due to animus against him, also. I doubt anyone would want this legacy.

Security eye candy

[Flexagon]

I may not be entirely up on all the issues with sudo, but when someone tries to offer me a better security solution, and then tacks on "is more fun to use than sudo", i.e., "it will tint your terminal background", then I'm done. "It's a dessert topping! No, it's a floor wax!". Specifically, I may have my terminal set up with my own color scheme, and I don't want it messed with by a bunch of system utilities. And anything in there that's not directly related to its security function just adds more code to worry about.

Re:

[multi io]

I've setup a precmd shell hook on my work laptop so it turns the active tmux pane's background red (tmux set -p window-style 'bg=#500000') when I connect (remotely) to the production system. And that's actually much more security sensitive than getting local root on the machine [xkcd.com].

Bad ideas?

[Anonymous Coward]

Let's throw out the concept of SUID on the dump of UNIX' bad ideas.

Bad ideas?
Are you talking about the bad ideas that has made it the most popular operating system in history?
Are you talking about how absolutely horrible it is that over 60% of Azure instances are not-Windows?

Are you just trying enshittify Linux into being as terrible as Windows?

Someone page Microsoft, because they just implemented sudo in Windows. I mean...it's an absolutely atrocious version of sudo that doesn't let you run specific commands with admin privileges, or change to a different user's context...but they thought it was so awesome they finally added it....50 years late.

Re:

[christoban]

You're right. Linux is perfect. Any changes equals Windows. No room for improvement whatsoever.

O_O

Re:

[kriston]

Hold up. RUNAS.EXE has existed since the beginning.

Re:

[christoban]

Sure, but I said the everything as a file thing has to go.

Runas and Sudo are really minor potatoes.

Re:

[troff]

> Sure, but I said the everything as a file thing has to go.

But... why?

Re:

[christoban]

Mainly the complexity it adds by being implemented in the OS. The idea is still a good one, but it is only really useful in scripting, which is where it should have been implemented. In fact, by being a part of the OS, it's fostered both a rigidity and a strong dependency that has locked UNIX in the past.

In fact, Nushell is a scripting language for Linux that does exactly this, but since it isn't an OS intrinsic, it had the freedom to improve the abstraction by elevating it to everything-as-an-object inst

Re:

[troff]

Simpler how? Now you need to know the specific functions and members of every object, unless you're talking about incredibly basic ones at which point you've just reimplemented open read write and close oh look it's files (alright, filehandles) again.

I completely admit I've heard of Nushell but never used it. I HAVE tried some Powershell and if their syntax is an example of how it works, it's a horror. Not to mention having to chain together its bizarreness just to display simple text on screen, it's made t

Re:

[serviscope_minor]

The point is you don't need all that complexity in the OS to get the same benefits.

You need the "complexity" somewhere. By moving it from the OS to one language, you've now got one language only that can do that. On unix, all of my languages work the same way more or less. I can switch from bash to python to C++ to AWK and so on and they all work.

Plus, you don't really understand shell scripting: there's a reason it's called shell scripting on the whole not "bash programming", because the idiom is to tie to

Re:

[christoban]

Love your site, BTW! That's so cool. Cute baby. No, really!

Re:

[christoban]

I can't believe it's 2024 and Windows still doesn't allow PowerShell scripts to launch from startup.

You can use Scheduler to start them at startup, right? I know there are login scripts, but are Powershell scripts excluded from that?

improvement?

[internet-redstar]

So what exactly is the improvement run0 brings?

To attack one of the most popular tools in Linux and enforce millions of people to change their behavior, there must be extraordinary justifications. I fail to see those.

Re:

[dskoll]

I posted in another comment, but there's a good technical discussion at LWN [lwn.net].

Re:

[gweihir]

Poettering wants to make all Linux into Poetterix. For him that is reason enough. For anybody else that should be reason enough to stay away from his crap.

Re:improvement?

[OngelooflijkHaribo]

This is honestly something in general that people at Freedesktop don't understand. Lennart seems to be a very passionate programmer and one can't say his output isn't high, but such persons often miss that for many people cost of switch is a heavy price. This is a common issue with programmers who are passionate rather than corporate. Python3's fiasco also showed how much Guido didn't seem to realize that obviously, people weren't all that interested in simply rewriting already existing code or maintaining two versions of libraries at the same time. The same is going on with Wayland right now.

They feel they have a new and better product, and then wonder why people aren't switching. Even assuming that the new product be better, which is often debatable, it needs to be substantially better to justify the cost of switching. I've seen it so many times that people assume everyone will simply switch, and then it doesn't happen, and then more fragmentation happens and everyone else is now burdened with maintaining two different backends.

Re:

[HiThere]

If you want to talk about a conversion fiasco, don't talk about Python. They handled it pretty well. Talk about Perl, which still hadn't recovered.

Re:

[OngelooflijkHaribo]

I strongly disagree. They handled it terribly and the original e.o.l. was 5 years and they actually thought people would switch by then which was sorrily optimistic. Breaking backwards compatibility over something this small simply shouldn't have happened to begin with.

Look at Rust where they actually do it well. Libraries written in old editions can be called from new editions and they will continue to support the old editions until they have proof that almost no one is still using them. On top of that old

Re:

[diffract]

i used to hate Lennart after Pulseaudio, then I realized he had great ideas but distro maintainers just shipped Pulseaudio by default before the implementation was ironed out. So it wasn't his fault. Since then, all the tools he developed landed in mainstream distros. The guy is really dedicated despite the infinite unwarranted backlash against him.

Re:

[Wyzard]

To attack one of the most popular tools in Linux and enforce millions of people to change their behavior, there must be extraordinary justifications. I fail to see those.

Attack? Enforce? They wrote a program and made it available. You can use it if you want. You can also continue using sudo if you prefer, or OpenBSD's doas (which also works on Linux; funny how nobody called that an "attack" on sudo).

The stated justification is that the privileged process doesn't inherit lots of state from an unprivileg

Re:

[hawk]

and just as I'd grudgingly even accepted sudo itself!

Re:improvement?

[OngelooflijkHaribo]

All the same issues that sudo has will also be in whatever part of systemd checks whether it can execute the command or not and the former has a better track record with security

Also:

But the bellyaching greybeard retards here will continue to get pwned because they refused to ever learn anything new after their brain got old and now they're hopelessly behind.

This is such a silly argument. Almost all of the people who rejected systemd use other things that were developed around the same time or even later in many cases. They're generally using OpenRC, Runit, Dinit, or S6, all of which being about as new as systemd.

Re:

[Wyzard]

All the same issues that sudo has will also be in whatever part of systemd checks whether it can execute the command or not and the former has a better track record with security

That's not the hard part. Sudo also needs to sanitize the inherited environment (environment variables, open files, etc.) before doing anything else, and this is a known historical source of vulnerabilities. Run0 does not need to do that, because the privileged processes are not children of the unprivileged one and thus inherit n

Re:

[OngelooflijkHaribo]

How many vulnerabilities were actually caused by that? This seems rather trivial compared to letting a dæmon running as root with so much going on in it interface and obey commands at all.

I think it's far, far more likely that someone will find some way to hijack pid1 itself and make it do things it's not supposed to do by say sending some kind of malformed packet over the socket than these issues with sudo. How Lennart describes it that it's actually executed by something forking of pid1 in it's own

Non-computer equivalant

[fahrbot-bot]

Lennart is the Linux version of someone building and hawking either 10-blade or straight razors, but I can't figure out which ...
Either way, I'm sure we'd all be better off, happier, and safer w/o him.

Uh, what?

[msauve]

>by default, it will tint your terminal background in a reddish tone while you are operating with elevated privileges.

I use an ADM-3A, you insensitive clod.

Re: Uh, what?

[Z00L00K]

You mistyped ASR33.

Re:

[OrangeTide]

Lear Siegler was like 1/10th the price and didn't chew through reams of paper every day. Also it wasn't 85 decibels or whatever an ASR33 was when it was going at full tilt.

The real dream terminal for me was a Tektronix 4010. Kind of horrible for watching systemd's boot spam scroll by, but pretty awesome for so many other things.

Ask Jia Tan

[AcidFnTonic]

Well didnt linux just brush off a HUGE supply chain attack caused SPECIFICALLY by secure sshd code getting linked against xz due to systemd?

He literally has no standing here.

Re:

[gweihir]

Yep, pretty much. Of course there were also utterly stupid distro maintainers in the picture that thought patching systemd into sshd was a good idea, and for some convenience feature, no less. Crappy people handling critical system functionality. Sometimes Linux begins to feel like Windows.

Another crappy thing I do not want

[gweihir]

Well, I do not use sudo, so I am not tempted to even look at the latest mess from Poettering.

Talking out of both sides of his mouth

[93 Escort Wagon]

"... [sudo] has a large possible attack surface"

Yes, as does systemd - as recent history has shown us.

"The tool is also a lot more fun to use than sudo. For example, by default, it will tint your terminal background in a reddish tone while you are operating with elevated privileges. That is supposed to act as a friendly reminder that you haven't given up the privileges yet, and marks the output of all commands that ran with privileges appropriately. It also inserts a red dot (unicode ftw) in the window title while you operate with privileges, and drops it afterwards."

Hmm... those "bonus features" sound like exactly the sort of thing that needlessly increases the attack surface of a piece of software.

Re:

[Wyzard]

Hmm... those "bonus features" sound like exactly the sort of thing that needlessly increases the attack surface of a piece of software.

From Lennart's description it sounds like the background tint stuff is done by the unprivileged, untrusted run0 program, which has no control over the decision-making of whether the user is allowed to do privileged things. That part is done by systemd and polkit in separate processes, the privileged command runs in another separate process, and run0 is basically just a cli

Ignoring the personal issues...

[dskoll]

Ignoring the usual systemd hate / anti-Poettering rants... there's a lot of technical merit in this proposal.

Writing secure SUID programs is really, really hard.. And sudo is a very complicated piece of software with a huge attack surface.

Having privileged programs started from a daemon with a controlled environment that an attacker cannot manipulate is a very good idea. There's a good technical discussion of the merits over at LWN [lwn.net].

Re:

[troff]

> Writing secure SUID programs is really, really hard.

I never thought I'd need the balls to say this, but I've just seen the justification for the phrase "git gud". Why in the name of mercy would you trust to an author of SUID programs unless they were good?

Re:

[Brain-Fu]

It took a lot of scrolling to find a post that was not full of vitriol. I understand that a lot of people take philosophical exception to systemd but the ferocity of the hatred has a religious flavor to it.

It's not like systemd doesn't work. It's not like it's a propriety, closed-source trap. There are reasons why all the major Linux distros adopted it. And there are still distros that don't use it, so people still have choice. Why must there be such rage?

I wonder if its another situation where the hat

Re:

[dskoll]

Run0 doesn't help with most of that

It does. It ensures the program starts with a safe environment. It ensures that no other process context can be manipulated by the person who invoked run0. Environment variables are obviously the most important ones, but I wouldn't be surprised if certain prctl calls could be abused as well. And as Linux evolves, it's possible that more process context could end up impacting security.

This is a red herring. Compared to what? Systemd?

Yes [lwn.net]. systemd-run (the client

Missing the meme

[skogs]

run0 first made me think of dividing by zero or running null...but I know the real answer is that it is 'run' and 'world emoji'.

See, this way, all the world, and all the bad code in it, will run with global superuser without that pesky 'sudo' command.

run zero is far superior you see - you only need your index fingers. It makes it easier for hunt and peck folks to type. sudo requires four whole fingers and is clearly too big an ask for administrative use.

Attack surface? No. The amusement surface.

[AlanObject]

Arguably the greatest impact that systemd has had on the Linux community as a whole is the endless fount of ranting and raving about systemd. It has been going on for years now with no sign of abating. And where would /. be without it.

Seriously, people. You don't have to be a member of a cult, an activist group, robe yourself as a disciple, a contrarian, purist or the dirty wino blocking your way into the grocery store. Use it or not as you see fit.

Re:

[HiThere]

There probably are use cases where some people get some advantage from it. (Just not me.)

Re:

[slack_justyb]

Use it or not as you see fit

Thank goodness. Holy shit the tribalism here it something else. LWN and phoronix have much more level headed discussions. Slashdot has just turned into a massive knee-jerk of "BACK IN MY DAY!"

If you don't like systemd, there's literally a distro for that. [devuan.org] Just go use that. The "let's all go kill Lennart Poettering" gets old.

If I had mod points I'd mod you up. There's so few people left that think we should all just use what we think is the best tool for a given situation.

Microsoft

[awwshit]

Dude works on systemd for Microsoft. What more do you need to know?

We are past Embrace and into Extend. Extinguish is coming is due time.

Setuid is broken, eh?

[RightwingNutjob]

Explain to the class how you can have a mechanism that allows unprivileged processes to do things like manipulate hardware without having a privilege escalation mechanism, and how any such mechanism to enable user software to manipulate computer hardware could possibly be general enough to be useful for people writing computer software that interacts with arbitrary hardware interfaces without introducing having the exact same attack surface as sudo?

For extra credit, explain how your proposed solution won't

Re:

[Wyzard]

Explain to the class how you can have a mechanism that allows unprivileged processes to do things like manipulate hardware without having a privilege escalation mechanism, and how any such mechanism to enable user software to manipulate computer hardware could possibly be general enough to be useful for people writing computer software that interacts with arbitrary hardware interfaces without introducing having the exact same attack surface as sudo?

A client/server architecture where an untrusted client sub

There are already operating systems without SUID..

[ctilsie242]

There are already operating systems without SUID. Solaris comes to mind, where root ships as default as a role, but can be converted to a user. On that platform, su and sudo just add privs to the existing user. AIX also can run in a rootless mode.

The thing about run0 that worries me is a concern I had about systemd in general. A ton of new code that is unproven. Yes, sudo has had issues, and yes, it has had show-stopper bugs, but at least people have hammered on it, and it has been battle-tested in the field for decades.

run0 doesn't have that. Will there be a dedicated security team going through the new code, line-by-line and running tons of tests to make sure run0 isn't a free sally port into full privileged processes, even when RAM pressure is insane and things can get really glitchy. I think systemd has been audited, but not recently, and something as fundamental as a PAM gateway needs to be closely studied, preferably by multiple nations' security organizations.

Of course, how does run0 interact with SELinux and AppArmor? That is a big thing.

Overall, it might be a useful tool... but the entire philosophy behind systemd goes fundamentally against the Unix Way. Things need to be small, easily auditable, modular, and be configured via text config files. This way, as little stuff is running as possible, and it is easier to put barriers in place to detect issues. With systemd, you have this large process that runs as close to kernel space as a userland process can get, and all it takes is one weakness in one part of systemd to make it into a vector for remote attackers, with little to no mitigations possible because it runs the OS (which should belong to a leaner, meaner task like upstart or init.)

Sudo

[ArchieBunker]

The joke is on him. I'm a greybeard so I just su like a real man.

Re:

[JamesTRexx]

I use sudo for simple commands, and su if I have to do more work with root priviliges.

For instance, I only use su after I log in to my servers because it's all admin work anyway.

Re:

[znrt]

sudo bash. por qué no los dos?

SystemD is a virus

[darkain]

SystemD is a virus, and not for the reasons others usually mention.

SystemD is absolutely destroying the Free/Open-Source Operating System ecosystem.

SystemD is designed for and only for Linux. It is entirely built around the concept of "not invented here syndrome"

For every single utility that is changed to have a hard dependency on SystemD, they're literally saying "FUCK YOU" to every other OS out there, including the BSDs, Illumos/SmartOS, MacOS, Windows and more! For a period of time, one of these was literally the Gnome desktop. The Linux community fought hard against the mono-culture of Windows, only to create a new mono-culture of its own.

Gentoo has a non-complete list of some of the major utilities with hard SystemD dependencies. But it doesn't stop there, dependencies are a chain, and quite a few things have hard dependencies on these utilities too. https://wiki.gentoo.org/wiki/H... [gentoo.org]

there is a predator among us

[Big Hairy Gorilla]

There's no reason to believe any of that. It's about gaining market share. Lennart was either a willing fool or the knowing pawn of IBM. Systemd is about market capture with proprietary technology. Once there's a critical mass, no one can get out.. that's clear from most of the previous comments.

Red hat isn't open anymore. Ubuntu isn't open. They are what? Enterprise? So that means there's lots of consultants to hire and fire. Very handy if you want to get government work. There is a lot of hate on systemd, which it deserves, but the acid test is ...all the programs still run exactly the same... you don't need it, so then why run it in the first place?

The argument that would make most sense to use sysd is that it offers certain advantages... there would be a lot to talk and arguing, but in the end it's not adding value just changing *how* you get stuff done.. text logs vs binary logs.... ugh.... here we go... the real bullshit starts when Joebuntu claims that some, usually horrifying, piece of software won't run.... The dependency and likely bloated size of said software is because programmers are LAZY. They can also be like sheep so guys like Lennart who captured market share don't know that they will soon be told what to do. So the blindness to the control issue and the idea that an agent some middle layer of software will make it easier for you ... .often isn't true. The deeper your system knowledge goes, the more all that stuff gets in the way of any control or efficiency... So the parting shot is this: whatever fairy dust that sysd supposedly has, any competent system programmer would write himself.

Now get out of my jello tree. Sorry, but Linux is broken into these market blocks now, it's not about purity, its about controlling the market share. Never a kind word has been said about Snaps, eh? But you're still using them. Ubuntu, the Microsoft of Linuxes. Would you like a 5 seat license for only whatever?

run0 surface and inheritance

[troff]

Okay, hold up, I admit upfront I'm not a system programmer, so please pardon and correct my ignorance.

But a) wasn't the previous systemd philosophy about things like sudo for services to convert them to user services and not needing privileges?
b) he says sudo has too great an attack surface and then starts talking about all its extra features including "fun"?
c) hold up if it modifies output and you're piping text, isn't that going to screw workflows?
d) if it's "half under the control of unprivileged processes", isn't the other half under the control of the enforcing kernel with veto rights?
e) how is suid "a weird idea" if it's been in use since the early 1970s and currently in the public domain?
f) What, er, what privileges will run0 run with?
g) So, we're not supposed to trust a system in place and openly published since the 1970s, but let's all trust to the great Algorithm that is systemd?
h) Wasn't there a thing once upon a time where systemd was supposed to allow mobile home directories and trusts of those home directories? But SUDO has a big attack surface...?

Not to mention "fun to use", is this a workflow tool or a video game? He really does work for Microsoft, doesn't he?

Re:

[Wyzard]

a) wasn't the previous systemd philosophy about things like sudo for services to convert them to user services and not needing privileges?

User services are for things that don't need elevated privileges, like components of your GUI desktop environment. Tools like sudo and run0 are for administrative tasks that genuinely do need privilege. They're unrelated things, and I've never seen anything saying to replace sudo with unprivileged user services; that doesn't even make sense to me.

b) he says sudo has to

Access control with... polkit?

[Cbs228]

run0 doesn't implement a configuration language of its own btw (i.e. no equivalent of /etc/sudoers). Instead, it just uses polkit for that, i.e. how we these days usually let unpriv local clients be authorized by priv servers.

Polkit .rules files are quite readable, for the most part, but they're also written in ECMA-262 edition 5 JavaScript! I'm not really thrilled with config files that are executable and might have odd exploitable language features I don't really need. But, whatever you do, don't run it w

Re:

[OrangeTide]

Ooof. This kind of stuff becomes a bear to audit.

Typical systemd thinking

[stevenm86]

Cool, let's write a teardown for why sudo "sucks", and follow that up not by explaining how the new tool solves these problems in better ways, but by explaining that it'll tint your terminal and put unicode into your window title.

Why not just “fix” Sudo

[Mirnotoriety]

To answer my own question: Because 'run0' is part of Poetterings strategy to own it all. Run0, continuing the proud SystemD tradition of introducing bugs and security vulnerabilities and poorly re-implementing things that already work.

Thanks systemd!

[OrangeTide]

But I never asked for this. I already have sudo and sudoers. I even have it configured correctly on a cluster with LDAP so that machines imaged for engineers to use for testing grant only the person who reserved the machine root access. I'd be dollars to donuts that systemd is not going to handle all the use cases we need on day one.

I'd like to see more effort put into configuration of cgroups configs. And the much harder problem of TAP/TUN/VDE-2 network configuration so it's not a nightmare of filenames wi

So, exactly what ...

[PPH]

... system functions does run0 use to accomplish the execution permission shifts that SETUID (and SETGID) currently provide? I don't really see anything explaining the advantages of run0 or even exactly how it will work.

Hint: sudo is only one very small case of a SETUID program that just happens to temporarily grant root permissions. There are other programs. Not all involve root permissions and administrative maintenance tasks. Is Poettering suggesting throwing out SETUID/SETGID just because he can't un

Enough already

[TwistedGreen]

What production-ready distros don't use systemd? Seems like everyone's gargling the systemd kool-aid but I can't stand it.

Is Alpine Linux the only contender?

Re:

[gweihir]

You are on the wrong OS for that. Please move to Windows.

Re:

[narcc]

If you think that's a bad idea, you don't understand the first thing about UNIX and should probably find a different profession.

Re:Speaking of bad UNIX ideas

[narcc]

it's also greatly and unnecessarily increased the difficulty and complexity of the system.

Nonsense. It dramatically simplifies systems, as anyone can see from systems like Plan9, which take the 'everything is a file' concept to an extreme. The benefits of being able to treat different kinds of resources identically are innumerable, but the single most obvious benefit is the simplicity it brings.

That shared abstraction also brings with it a lot of power and flexibility you wouldn't have otherwise. Existing tools can work with resources that the authors never imaged and even interoperate with other tools without the slightest consideration given between them. It singularly defines the UNIX philosophy.

There's a talk on YouTube where one guy discussed the nightmare of implementing a USB driver on Linux versus Windows ~10 years ago

Yeah, we've all seen it. [youtube.com] It wasn't even close 10 years ago. He's an idiot. Here's one very simple fact that you and the other people who thoughtlessly repeated his stupidity haven't discovered: There is nothing stopping you from implementing a higher-level API. You're welcome. You might also want to take a look at why Plan9 doesn't need ioctl. (After reading the rest of your post, it occurs to me that you might be more that a little out of your depth here.)

Anyway, everything-is-a-file's main use and convenience has always been in scripting.

No. The "main use and convenience" has always been, and always will be, that it provides a uniform interface. What do you think "everything is a file" means?

But in the last 15 years that use case was entirely superseded by scripting languages that implement a newer concept, everything-as-an-object

So much wrong here... That's not even remotely the same concept. I know they sound similar, but they are completely unrelated. We're talking about operating systems, after all, not programming languages.

and prove that OS support is unnecessary for such abstractions.

I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a statement. Do you know what operating systems do?

but likely never will.

Fortunately, operating systems are, for the most part, developed by intelligent people who are loath to throw away good ideas just because some moron on Youtube doesn't understand their purpose or value.

Re:

[troff]

> I know Lennart is a smart dude and will defend what he is doing

Using any methods other than flaming the questioner or closing the issue as RESOLVED WONTFIX?