|
Top-level
@pid_eins I think it's a good take one sudo. I think there were some vulnerabilities found in sudo recently, so it's good to look at other ways to do it. I wonder what the adoption of this tool is gonna be. Just very pragmatically, the name run0 is harder to type than sudo. So you would have to make a shell alias. Would it be possible for a distro to completely replace sudo with this and create an alias by default? Maybe it would need to get a compatibility mode for it to replace sudo 14 comments
 @TheStroyer … which think that things like pluggable client-side modules, LDAP and so on are actually a good thing, even though I would vehemently disagree with that.  @pid_eins Same disagreement here. But also iirc policykit is extensible right? So if someone is brave enough they could probably extend pk with whatever things they want, and then it can apply to all privilege escalation not just run0! Maybe I shouldn't give people ideas... @danderson PK is scriptable with JS, so people kinda can do any kind of shit with it, of course. But I think it's much less problematic than what sudo is doing, because PK runs that stuff in a well defined execution context forked off PK's service which runs unprivileged – and not on the client side, in an icky, undefined, half-inherited mess of an execution context under user control – like sudo does it. @pid_eins 100% yes. N:M dlopen() in unpredictable contexts should really go away as a plugin mechanism, it's so easy to create massive problems. I saw some distros try to fix PAM this way too, they (ab)use the nscd caching protocol in glibc to move all lookups into a system daemon, and hide the .so's from the rest of the system. Same idea, move all the scary plugin stuff to a central location where you can manage it more safely. @pid_eins Looks like there was a short discussion on the glibc ML in 2022 about formalizing this interface and explicitly support the privilege separation use case, but I'm not sure if anything more happened since... @danderson from my perspective as a systemd person I wouldn't ask for that from glibc. We have nss-systemd these days which is an IPC frontend to the generic varlink IPC API described here: https://systemd.io/USER_GROUP_API Anyone can plug in their stuff there. It's generic, extensible and IPC based. Unless you are a systemd hater I see no reason why we'd need to shove that into glibc. @pid_eins Ooh, TIL! I didn't know about this entire subsystem of systemd. My worry was going to be what to do with the cursed legacy modules that some people have, but I see with userdbd there's bidirectional compatibility between varlink and nss clients. Very nice, and yes I agree this is a better way to set up the system. I look forward to the posts for next release, I'm even learning stuff about older releases! @danderson @pid_eins if later systemd is not enough sssd has provided this service with proper caching for almost 15 years. It was built specifically for 3 reasons: consistent caching, remove unwanted libraries from binaries, allow centally controlled private credentials. Because it predates systemd it has its own protcol but also a fast, mmaped shared cache that avoid process context switching when not needed. (full disclosure I am the original author). @pid_eins So the intention for it to be a replacement for sudo right? I.e. sudo does not need to be present on a system.   > the command line of run0 is intentionally kept close to sudo's.
Could we get a -E/--preserve-env switch? (It'd also be nice if users can do per-user configuration to set that, or to set a variety of specific environment variable passthroughs.) There are a variety of environment variables that are useful to pass through, and I'd rather not specify them all every time or do configuration-via-shell-alias. |
Gregory's Server
@TheStroyer the command line of run0 is intentionally kept close to sudo's. But that's were the compatibility really ends, i.e. /etc/sudoers and so on we're never going to add compat for.
From my perspective run0 should be fine already for a distro to replace sudo with. But let's see how this plays out, I am pretty sure there might be a feature or two we still need to add before the first distros decide it's ready to switch over.
And I am pretty sure there are plenty of distributions…