Skip to content
Home » Introducing run0: Run Processes as Other Users with systemd

Introducing run0: Run Processes as Other Users with systemd

run0 is a secure replacement for sudo, integrated into systemd, that allows running processes as other users with an isolated context and white list of allowed properties.

Lennart Pottering, the well-known developer and creator of systemd, has recently introduced run0, a new utility that allows users to run processes under the identifiers of other users. Positioned as a more secure replacement for the popular sudo program, run0 is implemented as an add-on to the systemd-run command and is included in the release candidate release of systemd 256.

One of the main advantages of run0 is that it eliminates the need for an executable file with the SUID flag, which is commonly used by sudo. The use of the SUID flag in sudo carries additional risks due to the fact that the SUID process inherits an execution context that includes many properties controlled by an unprivileged user, such as environment variables, file descriptors, scheduler options, and cgroup bindings. These properties can potentially be exploited by attackers, and vulnerabilities continue to be regularly found in complex SUID programs such as sudo.

Instead of using SUID, run0 asks the system manager to launch a shell or process with the specified user ID, create a new pseudo-terminal (PTY), and transfer data between it and the current terminal (TTY). This behaviour is more similar to running it using ssh than running it using classic sudo. The privileged process runs in an isolated context, which is spawned by process PID 1 and not by the user process, i.e. does not inherit the properties of the user’s environment, with the exception of forwarding the $TERM environment variable. Forwarding is regulated through a list of explicitly allowed properties, instead of trying to prohibit dangerous properties (the concept of a white list, instead of a black list).

Polkit is used to authorize and determine user capabilities in run0, and the classic rules language (/etc/sudoers) used by sudo is not supported. Functionality for running programs with other privileges is built into systemd-run, and the run0 command is created as a symbolic link to systemd-run, which when used provides a command line interface similar to sudo.

One of the additional features of run0 is the indication of working with elevated privileges by setting a reddish background in the terminal and adding a red dot to the window title. After terminating execution with other privileges, the dot disappears and the background changes to normal. In addition, run0 supports all “systemd-run” options, for example, the “–property” parameter, through which you can set arbitrary settings for systemd services (for example, “CPUWeight=200 MemoryMax=2G IPAccounting=yes”).

This will be available in the upcoming Systemd 256 release, planned for later this year.

Via Mastodon

Recent articles from DebugPoint.com

Loading...
Tags:
Subscribe
Notify of
guest

2 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments