......I feel like openssh has a much larger attack surface than a simple binary.
If you're going to this extent already, you may as well jump on the run0 approach systemd is introducing.
oh no, I can hear rumbling
…I feel like openssh has a much larger attack surface than a simple binary.
Right. This is just trading one set of security pitfalls with a second, much worse set of security pitfalls.
alias run0=sudo
(not really; I'd rather not introduce an alias or any sort of symbolic behaviour that would teach me to expect that systemd crap is available on a system. The less you rely on it, the better)
The Systemd init system and its consequences have been a disaster for the human race. It has greatly increased the life-expectancy of those of us who live in “just werks” distros, but it has destabilized GNU/Linux society, has made life unfulfilling, has subjected users to indignities, has led to widespread psychological suffering (in the BSD world to physical suffering as well) and has inflicted severe damage on the Unix world. The continued development of Systemd will worsen the situation. It will certainly subject human beings to greater indignities and inflict greater damage on the Unix world, it will probably lead to greater social disruption and psychological suffering, and it may lead to increased physical suffering even in “just werks” distros.
The Systemd system may survive or it may break down. If it survives, it MAY eventually achieve a low level of physical and psychological suffering, but only after passing through a long and very painful period of adjustment and only at the cost of permanently reducing users and many other Unix processes to engineered products and mere cogs in the Systemd machine. Furthermore, if the system survives, the consequences will be inevitable: There is no way of reforming or modifying PID 1 so as to prevent it from depriving users of dignity and autonomy.
If the system breaks down the consequences will still be very painful. But the bigger the system grows the more disastrous the results of its breakdown will be, so if it is to break down it had best break down sooner rather than later.
We therefore advocate a revolution against the Systemd system. This revolution may or may not make use of violence; it may be sudden or it may be a relatively gradual process spanning a few decades. We can’t predict any of that. But we do outline in a very general way the measures that those who hate the Systemd system should take in order to prepare the way for a revolution against that form of society. This is not to be a POLITICAL revolution. Its object will be to overthrow not distros but the init-system basis of the present GNU/Linux ecosystem.
That's a lot of bullshit to post.
obviously a troll. And a stupid one at that
tl;dr; ?
Seems novel. But from a security aspect, if OpenSSH has security vulnerability that allows an unauthenticated user to login, via whatever means, once you are in the system as a non-privileged user, you are now free to use the same vulnerability to get root.
Basically this exercise is like using two locks that have the same key to open them. If the same key opens them, then a weakness in one, is now a weakness in the other so why bother with two identical locks?
A better implementation than run0.
Why?
It has some advantages. It can be configured with simple text files and normal filesystem permissions. The sshd code is mature and has a proven record of good security. It doesn't add yet another thing to systemd that has no business being part of systemd.
I really don’t get why an alias to something that would be in systemd anyway (that’s all run0 is, an alias to systemd-run) would be an issue. Is systemd-run problematic or something?
The problem is that they're trying to frame it as a better replacement for sudo when it's really not.
In some respects, it's safer by not using a setuid binary. In other respects, it massively increases the surface area by relying on the correctness of three separate daemons: systemd, dbus, and polkitd. If any one of those components are misconfigured, you risk an unauthorized user gaining root privileges.
With sudo, the main concern is the sudo process being exploited through memory safety bugs since it runs at root automatically.
Don't get me wrong, sudo has a lot of stupid decisions and problems. There's a ton of code in sudo for features that almost nobody uses, and there's bound to be bugs in there somewhere. It needs to be replaced with something simpler, but run0 is not that.
systemd, dbus, and polkitd. If any one of those components are misconfigured, you risk an unauthorized user gaining root privileges.
Just for my own understanding, if any of those are misconfigured, do you not anyway have a big security problem already, regardless of run0?
Thank you for a non-hand-wavy response! I’m not entirely sure I agree, depending on more libraries doesn’t have to be an issue if they’re well designed and frequently used elsewhere, no? Is the implication here that systemd isn’t well designed?
In any case, would you say sudo is the best we have for temporary root elevation at the moment? I haven’t really heard of an alternative apart from doas.
Sure, the project is already bloated with so much complexity that what's the harm in adding a little more? If you're genuinely confused about it, see the entire rest of the Internet for details.
The Systemd init system and its consequences have been a disaster for the human race. It has greatly increased the life-expectancy of those of us who live in “just werks” distros, but it has destabilized GNU/Linux society, has made life unfulfilling, has subjected users to indignities, has led to widespread psychological suffering (in the BSD world to physical suffering as well) and has inflicted severe damage on the Unix world. The continued development of Systemd will worsen the situation. It will certainly subject human beings to greater indignities and inflict greater damage on the Unix world, it will probably lead to greater social disruption and psychological suffering, and it may lead to increased physical suffering even in “just werks” distros.
The Systemd system may survive or it may break down. If it survives, it MAY eventually achieve a low level of physical and psychological suffering, but only after passing through a long and very painful period of adjustment and only at the cost of permanently reducing users and many other Unix processes to engineered products and mere cogs in the Systemd machine. Furthermore, if the system survives, the consequences will be inevitable: There is no way of reforming or modifying PID 1 so as to prevent it from depriving users of dignity and autonomy.
If the system breaks down the consequences will still be very painful. But the bigger the system grows the more disastrous the results of its breakdown will be, so if it is to break down it had best break down sooner rather than later.
We therefore advocate a revolution against the Systemd system. This revolution may or may not make use of violence; it may be sudden or it may be a relatively gradual process spanning a few decades. We can’t predict any of that. But we do outline in a very general way the measures that those who hate the Systemd system should take in order to prepare the way for a revolution against that form of society. This is not to be a POLITICAL revolution. Its object will be to overthrow not distros but the init-system basis of the present GNU/Linux ecosystem.
......I feel like openssh has a much larger attack surface than a simple binary.
If you're going to this extent already, you may as well jump on the run0 approach systemd is introducing.
oh no, I can hear rumbling
Right. This is just trading one set of security pitfalls with a second, much worse set of security pitfalls.
alias run0=sudo
(not really; I'd rather not introduce an alias or any sort of symbolic behaviour that would teach me to expect that systemd crap is available on a system. The less you rely on it, the better)
The Systemd init system and its consequences have been a disaster for the human race. It has greatly increased the life-expectancy of those of us who live in “just werks” distros, but it has destabilized GNU/Linux society, has made life unfulfilling, has subjected users to indignities, has led to widespread psychological suffering (in the BSD world to physical suffering as well) and has inflicted severe damage on the Unix world. The continued development of Systemd will worsen the situation. It will certainly subject human beings to greater indignities and inflict greater damage on the Unix world, it will probably lead to greater social disruption and psychological suffering, and it may lead to increased physical suffering even in “just werks” distros.
The Systemd system may survive or it may break down. If it survives, it MAY eventually achieve a low level of physical and psychological suffering, but only after passing through a long and very painful period of adjustment and only at the cost of permanently reducing users and many other Unix processes to engineered products and mere cogs in the Systemd machine. Furthermore, if the system survives, the consequences will be inevitable: There is no way of reforming or modifying PID 1 so as to prevent it from depriving users of dignity and autonomy.
If the system breaks down the consequences will still be very painful. But the bigger the system grows the more disastrous the results of its breakdown will be, so if it is to break down it had best break down sooner rather than later.
We therefore advocate a revolution against the Systemd system. This revolution may or may not make use of violence; it may be sudden or it may be a relatively gradual process spanning a few decades. We can’t predict any of that. But we do outline in a very general way the measures that those who hate the Systemd system should take in order to prepare the way for a revolution against that form of society. This is not to be a POLITICAL revolution. Its object will be to overthrow not distros but the init-system basis of the present GNU/Linux ecosystem.
That's a lot of bullshit to post.
obviously a troll. And a stupid one at that
tl;dr; ?
Seems novel. But from a security aspect, if OpenSSH has security vulnerability that allows an unauthenticated user to login, via whatever means, once you are in the system as a non-privileged user, you are now free to use the same vulnerability to get root.
Basically this exercise is like using two locks that have the same key to open them. If the same key opens them, then a weakness in one, is now a weakness in the other so why bother with two identical locks?
A better implementation than
run0
.Why?
It has some advantages. It can be configured with simple text files and normal filesystem permissions. The sshd code is mature and has a proven record of good security. It doesn't add yet another thing to systemd that has no business being part of systemd.
I really don’t get why an alias to something that would be in systemd anyway (that’s all run0 is, an alias to systemd-run) would be an issue. Is systemd-run problematic or something?
The problem is that they're trying to frame it as a better replacement for sudo when it's really not.
In some respects, it's safer by not using a setuid binary. In other respects, it massively increases the surface area by relying on the correctness of three separate daemons: systemd, dbus, and polkitd. If any one of those components are misconfigured, you risk an unauthorized user gaining root privileges.
With sudo, the main concern is the sudo process being exploited through memory safety bugs since it runs at root automatically.
Don't get me wrong, sudo has a lot of stupid decisions and problems. There's a ton of code in sudo for features that almost nobody uses, and there's bound to be bugs in there somewhere. It needs to be replaced with something simpler, but run0 is not that.
Just for my own understanding, if any of those are misconfigured, do you not anyway have a big security problem already, regardless of run0?
Thank you for a non-hand-wavy response! I’m not entirely sure I agree, depending on more libraries doesn’t have to be an issue if they’re well designed and frequently used elsewhere, no? Is the implication here that systemd isn’t well designed?
In any case, would you say sudo is the best we have for temporary root elevation at the moment? I haven’t really heard of an alternative apart from doas.
Sure, the project is already bloated with so much complexity that what's the harm in adding a little more? If you're genuinely confused about it, see the entire rest of the Internet for details.
The Systemd init system and its consequences have been a disaster for the human race. It has greatly increased the life-expectancy of those of us who live in “just werks” distros, but it has destabilized GNU/Linux society, has made life unfulfilling, has subjected users to indignities, has led to widespread psychological suffering (in the BSD world to physical suffering as well) and has inflicted severe damage on the Unix world. The continued development of Systemd will worsen the situation. It will certainly subject human beings to greater indignities and inflict greater damage on the Unix world, it will probably lead to greater social disruption and psychological suffering, and it may lead to increased physical suffering even in “just werks” distros.
The Systemd system may survive or it may break down. If it survives, it MAY eventually achieve a low level of physical and psychological suffering, but only after passing through a long and very painful period of adjustment and only at the cost of permanently reducing users and many other Unix processes to engineered products and mere cogs in the Systemd machine. Furthermore, if the system survives, the consequences will be inevitable: There is no way of reforming or modifying PID 1 so as to prevent it from depriving users of dignity and autonomy.
If the system breaks down the consequences will still be very painful. But the bigger the system grows the more disastrous the results of its breakdown will be, so if it is to break down it had best break down sooner rather than later.
We therefore advocate a revolution against the Systemd system. This revolution may or may not make use of violence; it may be sudden or it may be a relatively gradual process spanning a few decades. We can’t predict any of that. But we do outline in a very general way the measures that those who hate the Systemd system should take in order to prepare the way for a revolution against that form of society. This is not to be a POLITICAL revolution. Its object will be to overthrow not distros but the init-system basis of the present GNU/Linux ecosystem.