Systemd lead developer Lennart Poettering has posted on Mastodon about their upcoming v256 release of Systemd, which is expected to include a sudo replacem...
It seems Poettering is convinced doas, while decreasing attack surface, depends on SUID binary implementation which is a concern in its own right. Poettering is trying to eliminate that dependency in his `run0’ implementation to reduce the attack surface even further.
… led various people to revisit the problem and come up with alternatives: most prominently there’s probably OpenBSD’s sudo replacement called “doas”. While it greatly simplifies the tool and removes much of the attack surface, it doesn’t change one key thing: it’s still a SUID binary.
I personally think that the biggest problem with sudo is the fact it’s a SUID binary though – the big attack surface, the plugins, network access and so on that come after it it just make the key problem…
… worse, but are not in themselves the main issue with sudo.
SUID processes are weird concepts: they are invoked by unprivileged code and inherit the execution context intended for and controlled by unprivileged code. By execution context I mean the myriad of properties that a process has on Linux these days, from environment variables, process scheduling properties, cgroup assignments, security contexts, file descriptors passed, and so on and so on. A few of these settings the kernel is nice…
… enough to clean up automatically when a SUID binary is invoked, but much of it has to be cleaned up by the invoked suid binary. This has to be done very very carefully, and history has shown that SUID binaries are generally pretty shit at that.
So, in my ideal world, we’d have an OS entirely without SUID. Let’s throw out the concept of SUID on the dump of UNIX’ bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful, …
… manual clean-up is just not how security engineering should be done in 2024 anymore.
With systemd v256 we are going one step towards this. There’s a new tool in systemd, called “run0”. Or actually, it’s not a new tool, it’s actually the long existing tool “systemd-run”, but when invoked under the “run0” name (via a symlink) it behaves a lot like a sudo clone. But with one key difference: it’s not in fact SUID. Instead it just asks the service manager to invoke a command or shell under…
… the target user’s UID. It allocates a new PTY for that, and then shovels data back and forth from the originating TTY and this PTY.
Or in other words: the target command is invoked in an isolated exec context, freshly forked off PID 1, without inheriting any context from the client (well, admittedly, we do propagate $TERM, but that’s an explicit exception, i.e. allowlist rather than denylist).
One could say, “run0” is closer to behaviour of “ssh” than to “sudo”, in many ways. Except that…
it doesn’t bother with encryption or cryptographic authentication, key management and stuff, but instead relies on the kernel’s local identification mechanisms.
run0 doesn’t implement a configuration language of its own btw (i.e. no equivalent of /etc/sudoers). Instead, it just uses polkit for that, i.e. how we these days usually let unpriv local clients be authorized by priv servers.
By isolating the contexts and the resources of client and target we remove some other classes of attacks…
Not really visudo is only to edit the sudoers file. sudoedit is a better way to edit system files.
Temporary copies are made of the files to be edited with the owner. set to the invoking user.
The editor specified by the policy is run to edit the temporary files. The sudoers policy uses the SUDO_EDITOR, VISUAL and EDITOR environment variables (in that order). If none of SUDO_EDITOR, VISUAL or EDITOR are set, the first program listed in the editor sudoers(5) option is used.
If they have been modified, the temporary files are copied back to their original location and the temporary versions are removed.
Is there something wrong with doas? I thought doas was smaller with less of an attack surface.
It seems Poettering is convinced
doas
, while decreasing attack surface, depends on SUID binary implementation which is a concern in its own right. Poettering is trying to eliminate that dependency in his `run0’ implementation to reduce the attack surface even further.The relevant excerpt from the long chain of posts from Poettering’s mastodon.social account is copied below:
Read the rest where he explains
run0
’s use and functionality beyond the design logic.Thanks for the insight. I think I understand what he is trying to do but is a little too low-level for me to really grasp the technicalities.
The only problem I found was, that it has no real alternative to
sudoedit
Is that similar to
visudo
?Not really
visudo
is only to edit the sudoers file.sudoedit
is a better way to edit system files.The main problem with sudo and doas is that they are not developed by Lennart. Seriously.
I consider that a positive.
it is. arguing attack surface with systemd IMO is a losing battle though.
Why do you say that? It seems that Poettering’s reasoning for avoiding SUID binaries is sound.