Systemd Wants To Replace Your Sudo!?!

  • Added 7 May 2024
  • Sudo has been a key part of Linux for a long time now, but what if there was something to replace it? Well, there is: there is doas. But what if there was a replacement inside of sudo?
    ==========Support The Channel==========
    ► Patreon: brodierobertson.xyz/patreon
    ► Paypal: brodierobertson.xyz/paypal
    ► Liberapay: brodierobertson.xyz/liberapay
    ► Amazon USA: brodierobertson.xyz/amazonusa
    ==========Resources==========
    Lennart Post: mastodon.social/@pid_eins/112...
    Sudo CVE 1: nvd.nist.gov/vuln/detail/cve-...
    Sudo CVE 2: nvd.nist.gov/vuln/detail/CVE-...
    Polkit Configuration: wiki.archlinux.org/title/Polkit
    Sudo Hack: ruderich.org/simon/notes/su-s...
    =========Video Platforms==========
    🎥 Odysee: brodierobertson.xyz/odysee
    🎥 Podcast: techovertea.xyz/youtube
    🎮 Gaming: brodierobertson.xyz/gaming
    ==========Social Media==========
    🎤 Discord: brodierobertson.xyz/discord
    🐦 Twitter: brodierobertson.xyz/twitter
    🌐 Mastodon: brodierobertson.xyz/mastodon
    🖥️ GitHub: brodierobertson.xyz/github
    ==========Credits==========
    🎨 Channel Art / Profile Picture: supercozman_draws
    #systemd #Linux #opensource #foss
    🎵 Ending music
    Track: Debris & Jonth - Game Time [NCS Release]
    Music provided by NoCopyrightSounds.
    Watch: • Debris & Jonth - Game ...
    Free Download / Stream: ncs.io/GameTime
    DISCLOSURE: Wherever possible I use referral links, which means if you click one of the links in this video or description and make a purchase I may receive a small commission or other compensation.
  • Science & Technology

Comments • 934

  • @ernestosejasmaio3363 2 months ago +887

    2024: GNU/LINUX
    2027: SYSTEMD/LINUX
    2030: SYSTEMD/SYSTEMD

    • @petertillemans2231 2 months ago +99

      2035: LENNART/POETERRING

    • @no_name4796 2 months ago +21

      Tbf you should have written 2024: linux, as it refers to how most people forget it's actually GNU/LINUX btw

    • @CRYPTiCEXiLE 2 months ago +2

      it will always be gnu/linux. did you know it changed in the 90s, in the early 2000s and of course now... this is just linux being linux :)

    • @aqua-bery 2 months ago +4

      @@no_name4796 TBF the comment is referring to how it is supposed to be and not how most people say it

    • @NeverTrust298 2 months ago

      @@petertillemans2231 Systemd is now a Microsoft software. Using systemd is using Microsoft software. The developer and maintainer is a Microsoft worker. Systemd had been compromised. Uninstall systemd. You don't use Linux for convenience, find a way.

  • @yxtqwf 2 months ago +261

    replacing anything on Unix with anything that relies on JavaScript is an abysmal idea

    • @siliconhawk9293 2 months ago +51

      linus torvalds - I only code in C because i can see how the assembly of it looks.
      modern developers - well i mean javascript exists, so might as well use it.

    • @tranthien3932 2 months ago +3

      Maybe everything has been JavaScript the whole time... 😮

    • @jongeduard 2 months ago +8

      I agree with JS being not a nice language in system level layers. But from what I understand it's really only for those rule files stored behind root permissions, and not the core software components.
      The way security is thought out in Polkit and Systemd is far better than sudo and probably other complex SUID binaries.
      Security is something you do not want to manage in 1000 different applications separately, but system wide in a well thought out way.
      Talking about programming languages, I think that new security critical software should absolutely be written in the Rust language, which is designed to be very safe from the ground up.

    • @jthoward 2 months ago +5

      Yeah it's not really conventional JS either, it's a trimmed down version. It's actually surprisingly common to see JS dialects used for configuring complex security rules (Firebase is the last one I used)

    • @jongeduard 2 months ago +3

      @@jthoward I would actually HOPE if it's a changed and more limited implementation actually. Especially when it comes to value comparison. One of the huge problems of JS is strange ways of type coercions, due to which things like equality comparisons and other conditional code can dangerously go the wrong way. Not good in security critical code.

  • @user-lg4le8xr4s 2 months ago +131

    "sudo is massive for no reason"
    systemd:

  • @snowthearcticfox1 2 months ago +434

    Oh boy i bet this will be civil and kind.

    • @MacroAcc 2 months ago +24

      i bet people will admire poettering's ability to innovate

    • @NeverTrust298 2 months ago +9

      @@MacroAcc He is a Microsoft employee

    • @sprinklednights 2 months ago +1

      I remain to be civil and kind as I only believe in love and not hate 😇

    • @kiwikemist 2 months ago +4

      Civility is overrated

    • @thephoenix215-po2it 2 months ago +3

      Tell that to the arch linux people

  • @RadikAlice 2 months ago +179

    The more you scroll down the comments, the more the comedy of absurdity grows. Such good entertainment

  • @greensheen8759 2 months ago +36

    You are not in the sudoers file. This incident will be reported.

    • @user-oj7uc8tw9r 21 days ago

      You are not using systemd. This incident will be reported.
      lol

  • @SXZ-dev 2 months ago +358

    Not even Covid spreads like Systemd, goddamn

    • @Nunya58294 2 months ago +9

      Well said... brutal haha

    • @Skeleton-wn2zu 2 months ago +4

      @@Nunya58294 Well said indeed.

    • @zyansheep 2 months ago +6

      ideas man, effective ones spread fast!

    • @kensmith5694 2 months ago +27

      @@zyansheep Really-really bad ideas spread even faster. Consider heated seats in a car being a subscription.

    • @thingsiplay 2 months ago

      @@kensmith5694 If you imply that systemd is a Really-really bad idea, then I have to disappoint you. systemd is a good system. I can report and confirm from first hand longtime experience.

  • @Finkelfunk 2 months ago +76

    Tbh, Linux and GNU are just small parts of the systemd operating system.

  • @NeatMemesDotCom 2 months ago +180

    The time has come to update the outro video

    • @perpetualcollapse 2 months ago +19

      I’m ashamed to admit it took me a full minute to get the comment 😂

    • @Time4Technology 2 months ago +54

      "run0 doas sudo su -s /bin/sh -c 'rm -rf ....'"

    • @lightechoes 2 months ago +18

      @@Time4Technology It asks me to translate this to English. 🤣

    • @XenHat 2 months ago

      @lightechoes "yeet"

    • @ChrispyNut 2 months ago

      Oh, well, that's Brodie going to be campaigning against this now then, if he has to put work in if convention shifts. 😆
      /s

  • @stroodlepup 2 months ago +333

    systemDeeznuts

  • @firebadnofire9768 2 months ago +57

    Systemd's next "innovation": the systemd kernel

    • @nobodyimportant7804 2 months ago

      You know it is coming, that asshat can't stop himself.

    • @bltzcstrnx 2 months ago +12

      kerneld

    • @iseslc 1 month ago +1

      systemd-texteditord

    • @cest7343 1 month ago

      KernelD

    • @shabath 22 days ago +2

      InitialD was right there, like come on.

  • @pillmuncher67 2 months ago +172

    I have the totally irrational feeling about systemd of not caring very much one way or the other.

    • @ars7374 2 months ago +8

      No way me too

    • @The-Anathema 2 months ago +4

      You too? I swear, there are dozens of us! Dozens!

    • @lua-nya 2 months ago +2

      I was thinking how it's handy (I do write some units from time to time)... then had this thought that perhaps something that uses yaml could be handier. At any rate, I don't get why so many people have such strong feelings about a bunch of system tools.

    • @hubertnnn 2 months ago +1

      $ run0 install sudo
      I'm sorry Dave, I'm afraid I can't do that

  • @perpetualcollapse 2 months ago +215

    I think it was Luke Smith who predicted years ago that SystemD would eventually make their own kernel to just replace Linux. It sounded absurd at the time, but now I’m getting worried.

    • @snowthearcticfox1 2 months ago +54

      Why be worried though, if it's better then great, if not then no one will use it.

    • @AschKris 2 months ago +55

      I'm not a fan or a hater of systemD, but who cares if they create their own kernel if at the end it is FOSS?

    • @MacroAcc 2 months ago +2

      that's such a smart satiric comment!!1

    • @rj7250a 2 months ago +21

      @@AschKris people do not like the creator of systemd, because after creating it, he has gone to work for Microsoft.

    • @AnEagle 2 months ago

      @@rj7250a Let's be honest, that's not at all why people hate him

  • @Bilskirnir3124 2 months ago +33

    If it was anyone other than Pottering, and anything other than SystemD I might be interested. As it stands, I'm not looking forward to the day when Pottering comes out and says, "Linux, or as I like to call it SystemD/Linux."

    • @jamesphillips2285 2 months ago +2

      I already call it SystemD/Linux when I need to distinguish from things like Android/Linux.

    • @hubertnnn 2 months ago +4

      Yeah, if run0 will end up like all other systemd components we are here for a nice anarchy with privilege escalation everywhere

  • @thingsiplay 2 months ago +75

    Little bit off topic,
    but every time I see such reply chain (be it in Twitter or Mastodon), I always think a blog article would have been a better choice. Then a summary could be provided on these platforms with a link to the entire article. But that's me enough ranting for today morning.

    • @djunaferdinur2075 2 months ago +8

      Microblogging😣

    • @Winnetou17 2 months ago +11

      Or ... a forum thread ... sigh

    • @maxanimator9547 2 months ago +13

      To this day I still don't get why Mastodon went the twitter way with such constraints regarding posts lengths.
      Sounds like nothing more than historical debt which they should have got rid of long ago.

    • @StuckDuck 2 months ago +1

      @@maxanimator9547 to be honest why would you write a long blog post on mastodon as opposed to your website or activitypub

  • @edhahaz 2 months ago +19

    His job is to make product for RedHat to sell. The key is realizing that the product is overcomplication.

  • @grillo_delmal 2 months ago +29

    disappointed that you didn't redo your outro with `run0 rm -rf --no-preserve-root /`

  • @amateurprogrammer25 2 months ago +77

    excited for when poettering announces he'll be taking over development of the kernel

  • @THEMithrandir09 2 months ago +94

    Wireguard basically succeeded OpenVPN with the same premise. Sudo has tons of features most people don't ever use. So you get more attack surface for no gain. Changing to another default here makes a lot of sense.

    • @THEMithrandir09 2 months ago +31

      I was talking about doas btw. No idea how heavyweight run0 is yet

    • @NekkoDroid 2 months ago

      @@THEMithrandir09 run.c (which is the code for run0 and systemd-run) by itself is ~2400 lines. This doesn't include any lines from libsystemd or polkit tho.

    • @bidzoutheking 2 months ago +25

      Was about to say, yeah, I wonder how many features does systemd now have that nobody will ever use?

    • @dingokidneys 2 months ago +5

      @@THEMithrandir09 As I understand from the posting in the video, it's almost a wrapper for systemd-run so all the weighty stuff is there already. Still not sure that I like the polkit stuff but if you're a real sysadmin - not like me - you probably need to know that stuff anyway.

    • @deviantsemicolon618 2 months ago +4

      @@THEMithrandir09 the difference is that doas is still an SUID binary. It still has that attack surface.

  • @JadeLockpicker 2 months ago +19

    ... On the one hand, I can see where this is coming from. On the other hand, this is, for the most part, reinventing the wheel. also, after seeing how Systemd integration has _increased_ an attack surface recently (SSH backdoor via xz anyone?) and I'm not sure I'm fond of the idea of reinventing this wheel at all.

    • @JadeLockpicker 2 months ago +2

      Note, this is coming from someone who's used some of the weirder cases for SUDO on a two user machine. all this is doing is moving the attack surface from Sudo to... system D.

    • @yigitorhan7654 2 months ago +7

      @@JadeLockpicker I'm disappointed at the lack of flack systemd got for the xz shenanigans. Thankfully, they seem to have gotten the memo for that one specific thing.

    • @Ryan-ct3rv 2 months ago +1

      Reinventing the wheel lmao

    • @yigitorhan7654 2 months ago +2

      @@Ryan-ct3rv I wonder if the pun was intended.

    • @VivekNa 2 months ago +1

      xz backdoor had nothing to do with systemd
      FFS

  • @jooch_exe 2 months ago +104

    I actually agree with Lennart here, but I'm pretty sure he'll go completely over the top and start an all out war with existing projects (as always).

  • @elmariachi5133 2 months ago +7

    -It's working
    -Most users know how to use it
    -Most users know how to configure it
    -It's included in each distribution
    We have to change this!
    ^
    Main issue holding Linux back.

  • @thebluemarauder 2 months ago +24

    Huh, that’s interesting. Anyway… *continues running OpenRC

  • @void_vale 2 months ago +58

    This seems like a very reasonable idea on the surface. My only complaint is that I hate the name "run0"...

    • @NekkoDroid 2 months ago +6

      before the rc it was still called "uid0", which I personally kinda liked. It was renamed because all the other elevation tools are named after an action and to more associate it with "systemd-run" which it actually is.

    • @sprinklednights 2 months ago +29

      Missed opportunity to call it sus

    • @kensmith5694 2 months ago +26

      I suggest the name "please-systemd-may-i"

    • @KLR-3 2 months ago +3

      I second this. The name "run0" feels clunky and awkward but the idea seems reasonable.

    • @GrzesiekJedenastka 2 months ago +5

      @@kensmith5694 The fact it's literally what it does (asks the init to run stuff) is pretty funny.

  • @JessicaFEREM 2 months ago +22

    There's one thing that I think every sudo clone should do, add an alias for sudo, and have the same general syntax when using the aliased sudo. there's many decades of linux commands online and muscle memory that probably shouldn't be messed with, especially for the average noob user.
    but also I guess adding a line "running with run0" or "running with doas" whenever you invoke the sudo alias, as to not confuse users if there is any difference.

    • @GrzesiekJedenastka 2 months ago +12

      I don't think it's a great idea, because that would cause conflicts with the actual sudo. As it is now, you can have both tools on your system, and use either without issues. If you want a shell alias, you can create one.
      Personally I don't think hiding one utility under the name of another is a good idea either, and you identified the issue with this too - it isn't actually the same tool, it can work in a different way than you expect. Something I despise is aliasing rm to trash - this makes you think every time you delete something with rm, it can be recovered, which is untrue on most systems other than your current install!

    • @jamesphillips2285 2 months ago

      @@GrzesiekJedenastka Yes annoying when running 'lynx' invokes 'links' instead (with completely different commands and command line syntax).

    • @w3w3w3 2 months ago +3

      just keep sudo...

    • @JessicaFEREM 2 months ago

      @@GrzesiekJedenastka well yea but there should be an option

    • @schwingedeshaehers 2 months ago

      vim does it for vi @@GrzesiekJedenastka

  • @supremesonicbrazil 2 months ago +22

    This is sounding just like XKCD 927 to me tbh

  • @wolcek 2 months ago +5

    Yes, yes, and a kitchen sink. Combined with the attitude of "my way or the highway" it really goes far. Reason I moved from Debian on all of my machines, and even my Raspberry Pis run Void.

  • @Rastafaustian 2 months ago +21

    As a Linux novice I have only one concern:
    Please don't make me reach over for the Zero key.
    I'd be fine with "runz" or an alias that lets me keep using sudo with something like "realsudo" there in case it's needed.

    • @PredatoryQQmber 2 months ago +5

      This man is cooking! Someone should tell Lennart.

    • @PeakKissShot 2 months ago +10

      It’s your system, you make the aliases

    • @sprinklednights 2 months ago +2

      Programmer Dvorak positions the zero key at the right index finger. Just so you know

    • @jongeduard 2 months ago +6

      You can always make your own aliases, symbolic links or scripts with different names...

    • @Rastafaustian 2 months ago +2

      So many useful tips.
      Thanks guys!

  • @lis6502 2 months ago +19

    Poettering has one key advantage over doas developers: it is guaranteed that all major distros will adopt whatever falls from his other end as the "new better standard". OpenRC solved many sysvinit problems while retaining most of the compatibility with well known ways to do stuff.
    But yeah, being redhat in linux world is like being apple in mobile world: everyone will copycat you because you're biggest.

    • @hubertnnn 2 months ago +1

      They are not copycatting redhat because it's biggest.
      Gnome is simply the best GUI (for most people) and they took advantage of the fact that everyone and their dog wants to use Gnome to make a hard dependency from it into systemd, pulseaudio and other crap they made. Other distro maintainers were just forced to switch because of that.
      Gentoo maintainers used to support both systemd and non-systemd versions but said that it's double the work because of how systemd replaces everything and eventually gave up since most people wanted Gnome, which forced systemd.

    • @lis6502 2 months ago +1

      @@hubertnnn it's up to distro maintainer(s) to decide what's a dependency of what, so I have strong disbelief that anyone pointed a gun at Debian's maintainers' heads and forced them to include systemd-enriched gnome. We have TDE, we have Mate, which are basically forks of old KDE and Gnome; I might be wrong but if it was possible to create systemd-less Devuan, creating systemd-less modern Gnome shouldn't be that much of an issue.
      As for gen2, the latest article on their wiki about openrc is dated 17.03.24, so I am not sure what you're referring to.

  • @CaraesNaur 2 months ago +35

    So, the solution to eliminating a rock-sized attack surface is to instead rely on one the size of a dwarf planet?
    I hope there are enough people out there who still feel that systemd long ago exceeded any reasonable bounds. The further it infiltrates, it becomes a bigger single point of failure.

    • @yigitorhan7654 2 months ago +23

      A big, powerful and pervasive piece of software becomes so prevalent that it impacts the viability of the less popular alternatives as daily drivers, every developer making their software assuming that everyone uses the big one. And once the big and popular software feels like it's irreplaceable, it starts to feel entitled to making bad decisions and intentionally and/or unintentionally becoming worse for the end user.
      Feels like I've seen that before. Maybe a cautionary tale.

    • @Winnetou17 2 months ago +2

      By saying "dwarf planet size" do you refer to systemd as a whole, the full(ish) suite of executables? I don't think that's the case here, at least, clearly, not all of it.
      From what I know, systemd did make efforts in the last years to be less monolithic, to actually embrace the unix philosophy somewhat. I hope that journald at least is replaceable now.
      And I don't say that because I'm an apologist or a fan, I still hate systemd and Lennard P. And I use Gentoo with openRC and I'll check sys6 when I'll have a bit more time or on the new laptop.

    • @user-cr2xn4rr2s 2 months ago +2

      @@yigitorhan7654 It doesn't have to be that way. Big, powerful, pervasive software can be good. The Linux kernel itself is a powerful, pervasive piece of software that absorbs many smaller pieces of software into one. Before monolithic kernels, micro kernels were the norm. It's just that the Linux kernel is so reliable no one cares.

    • @yigitorhan7654 2 months ago +6

      @@user-cr2xn4rr2s Yes, I know that. But systemd's sheer popularity and power is making the alternatives into obscure choices in an already obscure desktop OS ecosystem.
      If the alternatives are snuffed away, I fear a case of "monopoly and ensh*tification" might happen where systemd makes a bad decision for the end user and there is nowhere else to go to. People staying away from systemd are already looked at as a bunch of neckbeards detached from reality.

    • @user-cr2xn4rr2s 2 months ago +1

      @@yigitorhan7654 I don't know what reason people have to doubt the systemd maintainers' intentions/competence so much. If we get screwed over in such a way and then meekly accept the poor design choice, it's on us as a community for not having the talent / initiative to fork systemd and maintain it ourselves.

  • @albertopajuelomontes2066 2 months ago +40

    Systemd breaks the Unix philosophy

    • @themadoneplays7842 2 months ago +17

      Perhaps, but then again the unix philosophy is over 50 years old and written during a time when computers were still as large as school gyms and hard drive space was at a premium even for a 5MB drive. I mean, UNIX itself came into being just when the microprocessor was coming into common use, so any diversion from it isn't entirely a bad thing. I'm not saying I like or hate systemd for that matter but there's still a lot about the UNIX philosophy that's outdated.

    • @NickyDekker89 2 months ago

      @@themadoneplays7842 Once something gets more popular and mainstream the die hards will switch to another obscure and half assed solution. And the cycle continues.

    • @damouze 2 months ago +3

      Hush... Let sleeping dogs lie. ;-).

    • @user-ws7kp1yh9l 2 months ago

      😂

    • @reinaldofernandez 2 months ago +10

      Are you using UNIX today? Really, straight answer, are you? And I mean, UNIX as in the "phylosophy" from 50 years ago when computing needs and memory and storage were very different from now....please enlighten me

  • @excidium_ 2 months ago +9

    Doas is nice and easy to configure but it's not worth bothering with sudo replacements. There's just a general expectation that you have sudo on Linux and an alias/symlink won't always cut it

  • @someguy9175 2 months ago +83

    We aren't getting triple E'ed by Microsoft, we are getting triple E'ed by Lennart Poettering 💀 LMFAO

    • @CjqNslXUcM 2 months ago +9

      someone is behind this

    • @sprinklednights 2 months ago +21

      EA Sports

    • @unusedengine 2 months ago +18

      @@sprinklednights it's in the game

    • @miller42 2 months ago +10

      Well, he works for Microsoft after all...

    • @notsmoothie 2 months ago +4

      @@unusedengine "if you pay extra for it" should be added I feel

  • @zerron2156 2 months ago +57

    I vote for keeping Sudo so that I can make Sudowoodo jokes

    • @kensmith5694 2 months ago +17

      we could just make a script called "sudo" that just runs "please-mr-systemd-may-i"

    • @Nick-rs5if 2 months ago

      @@kensmith5694 I suggest SystemDeez. I think that makes for a good line of code on the terminal.

  • @nassirmreyoud4415 2 months ago +6

    Only a matter of time before poettering/systemd decide they must assimilate gnome.

  • @tranthien3932 2 months ago +8

    Windows: We now have sudo
    Linux: But we have Poettering

    • @bltzcstrnx 2 months ago +2

      Isn't Poettering a Microsoft employee?

    • @TheEvilAdministrator 2 months ago +1

      @@bltzcstrnx Pretty sure he is. And as a result we should not trust anything he's pumping out.
      Ever heard of Embrace, Extend, Extinguish?

    • @bltzcstrnx 2 months ago +1

      @@TheEvilAdministrator my exposure to Linux is mostly managing servers. So in this regards, systemd have been very nice to me. As for Microsoft, I do daily drive Windows 11. Managing servers gives me somewhat jaded looks on Linux. They're great OS, but outside of my work time, I want an OS that just works. Especially for gaming and watching Netflix without any tinkering.

    • @fatrat600284 2 months ago

      @@bltzcstrnx For just normal watching Netflix and answering personal emails, Linux is totally fine out of the box for a lot of distros, gaming is hit or miss tho.

    • @bltzcstrnx 2 months ago

      @@fatrat600284 Netflix is limited to 720p on Linux. Also, video acceleration in the browser is kind of hit or miss. Some streaming sites such as Disney+ often have troubles.

  • @kuhluhOG 2 months ago +17

    Well, I heard from some Fedora devs that they are experimenting with replacing sudo too.
    One person for example is experimenting by replacing sudo with ssh (configured to use a unix domain socket).

    • @rogo7330 2 months ago +9

      And other dumb ideas because people are just afraid of one SUID flag on the file. That can be set only by the user, in this case only by root himself. And the file can't be changed by anyone except root (if you are doing 755, which is the only right way to do /bin/*). And that's why we need to change the kernel security check to the Lennart security check, yeah.

    • @folksurvival 2 months ago +1

      Doas

    • @hubertnnn 2 months ago

      That is actually a very interesting idea. Reducing from two security critical tools to just one might not be a bad idea.
      The only thing I would worry about is performance of such local ssh connections in scripts that use a lot of sudos.

  • @nikbl4k 2 months ago +5

    From the perspective of systemd, i suppose everything would be a problem.

  • @Marisa_Magician 2 months ago +7

    OK but will their replacement have the feature where it calls you names if you fail to type the password?

  • @chrisxdeboy 2 months ago +77

    How long until SystemD replaces the display server and kernel?

    • @no_name4796 2 months ago +37

      One day systemd will be so powerful, that even microsoft will drop their shitty kernel and use systemd kernel instead lol

    • @awdsqe123 2 months ago +4

      Not soon enough 😢

    • @Nunya58294 2 months ago +2

      @@no_name4796 I sadly don't see that happening....

    • @thingsiplay 2 months ago +6

      Still a long way to catch up to Emacs.

    • @EmberQuill 2 months ago +3

      Honestly if systemd comes out with a complete display server that works on Nvidia I'd switch instantly.
      Because Wayland on Nvidia is still painful.

  • @DryPaperHammerBro 2 months ago +31

    And now I can see Artix as a real, viable, option over Arch. Systemd is fingering too many fucking pies. My next Linux distro will be systemd free, thank you very much

    • @CjqNslXUcM 2 months ago +1

      i'd let poettering finger my pie

    • @Mooooov0815 2 months ago +7

      Serious question: why?

    • @VallThyo 2 months ago

      @@Mooooov0815 the tinfoil hat is not blocking the 5g waves anymore, and systemd is at fault.

    • @rogo7330 2 months ago +11

      @@Mooooov0815 Lennart writes too much code whose only purpose is "the other thing was dumb; here is mine (also dumb)". I respect it when software is rewritten with less stuff to be broken in future and to do the specific things it wanted to do. That's why doas is the obvious replacement for sudo. That's why if you really care about all this you should just ditch the privilege escalation concept out of the window and just log in through the already running logind, maybe even running a second Xorg server if you need graphics. Lennart just does things that are dumb in the first place. run0 basically just connects to pid 1 and asks it to create a new TTY that will read input from the unprivileged process running the terminal window. This is just security theater. No, it's a security circus. Because there are clowns in the arena who debate over "how insecure it is to escalate the process straight away and how it'd be better to read input from the same unescalated process".

    • @waharadome 2 months ago +2

      @@Mooooov0815 it's design decisions of a few with which we have to put up with. some decisions are bad but its the systemd way so they must be good and accepted without question.
      a big blob of things where either you accept and everything works, or reject and nothing does, seems like proprietary software thinking to me. especially when its based on the whim of a few on the design team

  • @kelownatechkid
    @kelownatechkid 2 months ago +86

    I've never had any issues with systemd and frankly as someone who's been using linux for too long I remember what things were like before, and things are so much better now with some actual standardization lol. Every new feature has improved my experience, literally

    • @elcugo
      @elcugo 2 months ago +27

      I know I'll never miss editing /etc/init.d scripts.

    • @damouze
      @damouze 2 months ago +18

      Back in the day we had init scripts. And before that we had rc scripts.
      They all had one thing in common: as a rule of thumb, they each did one thing, and, as a rule of thumb, did it well. Something that cannot be said for systemd, a monolithic monster that runs as PID 1 in your Linux box. One large attack surface just ripe for the picking...

    • @obake6290
      @obake6290 2 months ago +30

      @@damouze Init scripts, rc scripts. Compare these to unit files, they generally do one thing and do it well.
      The "problem" is there's also a bootloader, dns, sudo, and whatever else all under the same banner. The trap people fall into is that they think all these things are installed on every distro and running as PID1. This is very much not the case.
      I am, however, on board with the idea that so much low level infrastructure in Linux should not be under the control of one project. Especially when that project is controlled by somebody who works at Microsoft. I trust MS a lot more than say 10+ years ago, but I don't trust them *that* much.

    • @bevynq
      @bevynq 2 months ago +2

      Mint 18 was unstable as anything. I blame that on systemd because 17 was ok. Using 21 now, so things seem a lot better.

    • @deviantsemicolon618
      @deviantsemicolon618 2 months ago +7

      @@damouze I'd agree if systemd were a monolith and not a bunch of separate binaries all managed in one repository. But systemd isn't a monolith, so I disagree.

  • @_rnsaa
    @_rnsaa 2 months ago +6

    I am having UAC flashbacks

  • @mmstick
    @mmstick 2 months ago +7

    I'd much rather use sudo-rs. It is at least a Prossimo project that has quite a few big name sponsors, with a serious focus on developing memory safe critical infrastructure.

  • @MeraMadness
    @MeraMadness 2 months ago +11

    I think I'm going back to Gentoo or Void Linux...

    • @user-qd9pg8xt2k
      @user-qd9pg8xt2k 2 months ago +3

      :) Using Gentoo. I don't have systemd or polkit. This is irrelevant.

    • @yigitorhan7654
      @yigitorhan7654 2 months ago

      @@user-qd9pg8xt2k Honestly, now that they started providing binary packages, it seems tempting.

    • @yigitorhan7654
      @yigitorhan7654 2 months ago

      @@user-qd9pg8xt2k Thank you for doing so. Genuinely.

    • @sprinklednights
      @sprinklednights 2 months ago +4

      Not sure about Gentoo, but do make sure to contribute to Void Linux. Some packages have been hopelessly outdated.

    • @unucellply4221
      @unucellply4221 1 month ago

      Void Linux is such an example of failure at staff administration. 700mb of installed size is still a lot. I won't help them if they don't go down to 350mb like Gentoo's Stage 3. Better yet, it's still bloatware, so they have to cut that to 150mb, such a Termux achievement.

  • @MechMK1
    @MechMK1 2 months ago +110

    Sudo has one security advantage, which I have not seen mentioned here: It has been tested extensively for over 40 years now. A replacement for sudo, no matter if by systemd or something else, would start from scratch.

    • @elcugo
      @elcugo 2 months ago +19

      Did you watch the video? This is not starting from scratch.

    • @AndersHass
      @AndersHass 2 months ago +5

      I dunno the details, but being old would often also mean a lot of bloat and a mess to work with. At least that's the case with X11.
      Possibly it is not the case for sudo, but being old is just not always an advantage.

    • @t8db
      @t8db 2 months ago +18

      This.. is also a bit of a misnomer. Yes, it has been tested over 40 years, but security holes have also been found over the past 40 years.. that's just the nature of open source.
      If the thought was for 'stability', then that'd make sense, but not so much for security. That also only lasts for a few years though (more if it was GUI/desktop based). The counter to the counter is that it's based on polkit, which has also been around for 17 years.
      For security, the general rule of thumb is the more surface area (attack vector) that exists, the more that can (and will) be exploited. Not using the sticky bit is a pretty massive surface area minification.

    • @danielberglv259
      @danielberglv259 2 months ago +11

      It has also been compromised many times during those 40 years. You only have to look back to 2021 (CVE-2021-3156) for an example, so this means nothing. Old code does not automatically mean extra secure code. The fact that sudo is that old and how computing has evolved since then is a great argument for replacing it.

    • @Max24871
      @Max24871 2 months ago +3

      You already have systemd-run, so there is no new attack surface, just a new symlink to call the existing binary

  • @midplanewanderer9507
    @midplanewanderer9507 2 months ago +10

    Intriguing. Also, vaguely terrifying as I am essentially a neophyte and have no _real_ comprehension of the depths of my Linux systems. The complexity of computer science rivals that of genetics, in the sheer volume of data. I'm generally un-offended by the occult depths of Systemd, only because I don't grok how things could be done better, safer and more efficiently while interacting with other software outside of the Linux ecosystem.

    • @jadesprite
      @jadesprite 2 months ago

      please don't use ChatGPT to write your YouTube comments

    • @midplanewanderer9507
      @midplanewanderer9507 2 months ago +2

      @@jadesprite In what way is my comment reflective of ChatGPT? Honest question to your pretentious accusation.

    • @Kyoobur9000
      @Kyoobur9000 2 months ago +3

      Sorry about the previous response, I hope this is more helpful.
      One of the biggest strengths of Unix-like OS's such as Linux and BSD is their _modular_ design, usually summarized as the quote "one program for one task" or something similar. Individual applications are (usually) given just the functionality they need and made to depend on each other as little as possible, which not only improves system security by giving fewer places to find exploits in a program ("attack surface") but also prevents problems from one program affecting another. One example is that, on Void Linux (my OS of choice, so consider my bias) system services each have their own dedicated folder and are activated/deactivated by creating a symlink to each folder in a dedicated location, enabling them to be managed fully independently of each other. In contrast, proprietary OS's like Windows tend to follow a "binary blob" model where the entire system is managed as one thing. Yes, technically they are built from many individual files (like DLL's) but they depend on each other extensively and a problem in one file can greatly affect the entire system. An infamous example is the extensive dependence of Windows on Internet Explorer, such that it had to be kept in as a system component even after it was replaced with Edge since it was required for Windows Update.
      The gripe users have with SystemD being so big is that it follows a "blobby" model like Windows and forgoes many of the benefits of the Unix modular design. It depends on a lot, and a lot depends on it. And I acknowledge that "a lot" is pretty vague, but therein lies the problem - SystemD is so large, and its dependencies so complicated, that it's not immediately clear exactly _how_ big it is. I just know at my level of experience that it depends on numerous system libraries such as the compression algorithms and essentially any program that runs as a background service in turn depends on it. Back in late March, there was a serious security scare in Linux, where the xz compression algorithm was intentionally tampered with by one of its developers to open a backdoor which could allow any remote user to log in to an SSH server undetected. It worked by exploiting a dependence between liblzma (the tampered library), SystemD and ssh (the service to manage remote logins). It affected very few systems because it wasn't yet rolled out on most stable OS's, but could have been catastrophic if it wasn't detected early. Having a program with extensive functionality to manage multiple parts of the system isn't inherently bad, but does increase the chance of problems like this happening and goes against the Unix philosophy that most users want. It's darkly ironic that we're still reeling from the xz scare and trying to determine how badly systems were or could have been affected, and Poettering is suggesting to make SystemD do _even more._
      Now, for your question on how to do it better. It has, in my opinion, already been done in non-SystemD systems such as Gentoo and Void. Gentoo actually offers two different sets of instructions for installing with SystemD and with an alternative, OpenRC. With OpenRC, facilities to manage things like the host name, system time zone, network time synchronization, keymap and bootloader are all separate programs or files, and are added to a list with OpenRC as needed. OpenRC is very minimal and only controls the starting/stopping of services, so it's easier to choose alternatives that might better suit your needs (for example, network time synchronization can be done with the fast and accurate chronyd, or the clean and full-featured ntpd) and prevents issues in services from affecting others. With the SystemD installation, many or all of these things are controlled by SystemD instead and are not separate programs, leaving only one option for users who aren't willing to take the risk of creating conflicts with alternatives. And, of course, if there is an issue in SystemD it is likely to affect all of these services. Void also uses a system manager called runit which is similar to OpenRC in many ways, with the key difference that the list of services is just a dedicated folder with symbolic links to the desired services, making the activation and deactivation of individual services even easier.
      TL;DR SystemD makes managing individual parts of the system more difficult and any security issue affecting it will probably affect the whole system. A better choice, which already exists, is to separate the system into individual programs and components which can be activated and deactivated on their own. And "better" is an opinion, but by my observations, a pretty widespread one.

    • @midplanewanderer9507
      @midplanewanderer9507 2 months ago

      @@Kyoobur9000 Holy Guacamole, can you _write!_ Most illuminating! I really enjoyed sinking my teeth into that. I reiterate the term _neophyte;_ my knowledge-base is pretty thin, albeit slightly more expanded now. I immediately grokked the basic _why_ of the controversy surrounding Systemd when I became aware of it, and have actually messed around a bit with MXLinux (installed on another old Acer Potato laptop), which uses InitV, but I always found Debian a bit of a kludge to work with. Arch _feels_ easier, but no less vexing in its complexities, the magic spells required to properly utilize it. Arch Wiki can be quite obtuse. I am an aging GenXer, just another post-modern Industrial Drone with limited mental resources and time. I barely grok concepts like symlinks and my hardware (and wet-ware) is a little too old to brutalize with Gentoo. (My next system will probably be a DIY Framework 16, and that'll open up more possibilities. But base price is $1900 Canadian Pesos, so imma wait a little while on that).
      My main concern with distros like VoidLinux is how much back-engineering/study would be required to get it to work on my old laptops and use a program like, say, Reaper (a DAW), or set up a security camera system (either way, not an easy task on Linux), or, more superficially, get this-or-that desktop with this-or-that icon set. I did the standard 'Linux-Twist' beginning in 2017 with Mint and slowly edged into things with a small platoon of old (mostly Acer) laptops, before feeling comfortable enough to purge Win7, since it was going to be losing support anyway (and I've always been offended by Microsoft with their closed-source bloat). But I'm no coder, never took Computer Science, never liked computers much until I jumped into Linux. Currently nipples-deep in ArcoLinux (I still need someone to tie my shoes for me) and Vanilla Arch, blundering along but slowly learning. I despise the corporate tyranny of Microsoft and Apple, never going back. I'm not a gamer and never became addicted to any proprietary software, so it's not that much of a sacrifice for me to swim with the penguin.
      I'll start researching on Void and runit though. It does sound interesting. Peace/Out.

    • @TheEvilAdministrator
      @TheEvilAdministrator 2 months ago +1

      @@Kyoobur9000 You put it better than I could by far. Thanks - and great work! You might want to consider posting this (in modified, standalone form) in other places too!

  • @obake6290
    @obake6290 2 months ago +5

    The explanation makes sense. While I'm not comfortable with how systemd is taking over literally everything (they really put the 'system' in systemd, don't they?), this seems like a good idea.
    If it's implemented well and works as expected, I'm fine with it.

  • @ThatJay283
    @ThatJay283 2 months ago +4

    11:00 The way I currently have things set up to remind me I'm root with sudo is that I have my zsh set up so the background for the bit before the prompt is in shades of red if I'm the root user, and blue otherwise. This works really well :)

  • @zeckma
    @zeckma 2 months ago +10

    I honestly just use su -c "command". Doesn't depend on PAM, Polkit, and is on every Linux system as it's provided by Shadow, which also provides passwd, adduser, usermod, etc. It's simple and doesn't require me to go out of my way to add another binary. It's just on my system, simple, why not use it as it does exactly what I want! I can see the appeal of run0 though, although I have had nothing but issues with Polkit and I don't think SUID is a bad Unix idea. It sounds a lot more simple than the idea this guy laid out. Everyone will still be able to use su, sudo, and doas too anyway, so it's not that big of a deal, just another thing Systemd is doing.

    • @dingokidneys
      @dingokidneys 2 months ago +3

      'su -c' doesn't work on my Debian 12 system where the root user is locked and has no password. This type of configuration is becoming more common. As I understand it, the run0 functionality is already in systemd-run and run0 is more like a wrapper than an additional thing. It actually sounds depressingly rational to me.

    • @zeckma
      @zeckma 2 months ago +1

      @@dingokidneys Then I heavily disagree with that approach, mostly because I'm the only user of the system. I recall switching to root on Mint and Debian just so I can follow LFS and going through the process just introduces more hurdles than necessary - I just want to do my task instead of deal with artificial barriers. If major distros adopt this approach like Arch, then I'll have to roll my own LiveCDs to overcome those hurdles.

    • @dingokidneys
      @dingokidneys 2 months ago +1

      @@zeckma It's still possible, with sudo privileges, to unlock root and set a password. It's just not the standard configuration and so 'su -c' won't work on systems using the standard configuration where you don't have authority to make changes to root functionality on.

    • @zeckma
      @zeckma 2 months ago

      @@dingokidneys I know, but it is troubling that I had to figure that out just to access root privileges. I just find it unnecessary and even clunky.

    • @insu_na
      @insu_na 2 months ago +5

      @@zeckma Comes with the territory of making Linux more friendly to the normies. Linux nerds are fine with navigating through a maze of pitfalls, because we're used to it, and knowing the right pitfall to jump into allows you to navigate faster; but normies just walk into open pitfalls, break their legs, say "never again" and go back to Windows or MacOS.
      I am a developer on a cross-platform open source project that requires manual setting up on all platforms, because it has to be compiled and set up in a way that's specific to the target system.. Either way, we have lots of Windows users who want to set up our software on Linux systems, and one of the most common problems they encountered when setting up our software was that they themselves kept running every single command in our setup guide as sudo, even without being instructed to, because they intrinsically associate running commands on Linux with sudo. That in the end causes permissions to be horribly messed up, and our project not working, leading to support requests. In the meantime we've put a huge banner in our install guide that tells users to absolutely, under no circumstances use `sudo` unless explicitly instructed to by our install guide... It has improved the problem significantly, but there are of course still people who read only what they want to read😂

  • @TheLinuxGallery-qz2vs
    @TheLinuxGallery-qz2vs 2 months ago +2

    I actually like just using su for admin tasks, so sudo gets gutted out if it exists
    As for init systems, I just like what makes sense
    The spaghetti and traffic jams that define the systemd we know and love aren't bad if I'm perfectly honest; but they don't make sense for a process, and an OS configuration, that aren't fundamentally designed as an organic melting pot (i.e. Nix)
    That's why even though it's very friendly to work with from the back end, I always look for s6 first, then runit, then openrc in distant third
    Systemd is on the bottom of my list, and something I only use if it's necessary

  • @dovonun
    @dovonun 2 months ago +24

    How is sudo 230'000 loc??? That is massive 🤯

    • @dingokidneys
      @dingokidneys 2 months ago +17

      The 'man' page is 571 lines long. It does *a lot* that a single person on a single laptop/desktop does not need, as Brodie said. It allows for fine grained control over user access to privileged resources which is great on a multi-user supercomputer on a research or educational campus but kinda overkill for a dude on his lappy.

    • @dovonun
      @dovonun 2 months ago +3

      @@dingokidneys To me, many things in Linux seem overkill for even professional desktop users. I wonder how much simpler it could be 🤔

    • @glidersuzuki5572
      @glidersuzuki5572 2 months ago +1

      @@dovonun I don't think you should focus on the LoC that much. Splitting the functionality might create headaches for other people. SLOC depends on the functionality of the program. The only way to make it less is to cut down features. But which features to cut down? Why?

    • @dovonun
      @dovonun 2 months ago

      @@glidersuzuki5572 I think it is easier to understand computers/operating systems if you can read the code. Therefore, less code and simpler concepts could allow more people to understand their systems better. Maybe this is not possible anymore. But not long ago, every game was an operating system; nowadays, it seems impossible to even understand one.

    • @dingokidneys
      @dingokidneys 2 months ago +1

      @@dovonun It can get pretty simple when you strip things down or build out a minimal system to suit just what you want to do. This is why so many IoT devices use Linux too. A full operating system in under a gigabyte of binaries and scripts. My Alpine system that I use as a wifi scanning appliance occupies 168Mb of disk space and runs in 36Mb of RAM at idle.
      You can either pick a distro that suits or build a system scaling from what I have running on a 32bit eeePC to massive multiuser system.
      It's up to you to choose what you want.

  • @colto2312
    @colto2312 2 months ago +4

    yooo the face value description of run0 actually sounds pretty good. makes scripting with it much simpler. don't have to spawn ethereal tmux sessions

    • @arthurmoore9488
      @arthurmoore9488 2 months ago +1

      I think that's what the systemd-run command is designed to do, and you probably already have it on your system today! They just wrapped it with something that behaves more like sudo.

    • @colto2312
      @colto2312 2 months ago

      @@arthurmoore9488 appreciate!

  • @TheSolidSnakeOil
    @TheSolidSnakeOil 2 months ago +20

    If I can do without systemd, I will. I use it on my desktop because Steam isn't a pain with it. But I use Artix on my laptop.

    • @_sneer_
      @_sneer_ 2 months ago +6

      Steam works no prob with conty on my pure 64bit Slackware 15.0 (sys V init) I use as my daily. I run Devuan XFCE on my low end Celeron N4020 laptop, native (AFAIR) steam also works no prob and the laptop is much more responsive without systemd.

    • @TheSolidSnakeOil
      @TheSolidSnakeOil 2 months ago

      @@_sneer_ The only way I've been able to get it to work is enabling arch repos which potentially defeats its own purpose. So, I just cut out the middle man. I don't play games on my laptop so I have no problems with artix there.

    • @rencothrawford
      @rencothrawford 2 months ago

      @@TheSolidSnakeOil Eh? You don't need to enable the Arch repos to use Steam on Artix.

  • @Alan.livingston
    @Alan.livingston 2 months ago +4

    XML has its place. I’m not sure configuration files are often the right place for it.

  • @swindlesmccoop
    @swindlesmccoop 2 months ago +48

    Once I used BSD doas I never went back to using sudo, even on Linux

    • @oblivikun
      @oblivikun 2 months ago

      Not going to be that guy, but doas is not as secure as sudo ON LINUX (it's pretty much the same on BSD), because of something something persist thing.

    • @no_name4796
      @no_name4796 2 months ago +16

      Changes basically nothing lol.
      Sure few less MB on HD used, and maybe less options making a little easier.
      But literally 99% of times everyone just sudo _do stuff_ so what's even the point lol?

    • @Chr0n0s38
      @Chr0n0s38 2 months ago +9

      Doas on Linux is way more limited than on OpenBSD. There's not even a secure way to have it remember your password. I like doas on OpenBSD, but prefer sudo everywhere else.

    • @electric26
      @electric26 2 months ago

      @@no_name4796 Have you ever tried to configure sudo? Doas is so much better in that regard.

    • @imadam
      @imadam 2 months ago

      @@no_name4796 It's actually faster when cancelling a password prompt.

  • @bezmuth
    @bezmuth 2 months ago +9

    Sudo-rs gang

  • @qlx-i
    @qlx-i 2 months ago +19

    This would be ok, if systemd devs didn't name fucking everything systemd-shitd (interacted with using shitctl, of course). Like seriously, is it that hard to make it standalone, like elogind or such?

    • @CptJistuce
      @CptJistuce 2 months ago +16

      It is easy to make it standalone, but if you do that people might only use the good parts instead of the entire system.

    • @Mooooov0815
      @Mooooov0815 2 months ago +1

      isn’t it essentially standalone considering it’s linked to run0 ?

    • @unixsupremacist5461
      @unixsupremacist5461 2 months ago +1

      The actual issue with such a thing: what's the point of it if it's locked to the systemd monolith, with other things that not everyone can or wants to have on their system, systemd desktop environment that you can't swap when

    • @Winnetou17
      @Winnetou17 2 months ago +1

      @@CptJistuce LoL, nice one!

  • @RedSaint83
    @RedSaint83 2 months ago +4

    The distro I've chosen uses sysVinit, so it's not entirely because of irrationality that I'm not using systemd, but I kind of am glad I'm not using it - satisfies something hipster/rebellious/edgy in me.

    • @yigitorhan7654
      @yigitorhan7654 2 months ago +2

      We all need a good contrarian, don't we?

    • @pieru
      @pieru 2 months ago

      @@yigitorhan7654 It is not contrarian to actively deny a usurper.

  • @harriet-x.x
    @harriet-x.x 2 months ago +2

    In my opinion doas is the better replacement.. I literally removed the sudo binary and symlinked doas instead! Also doas syntax is easy to use: permit persist harriet
    That does exactly what sudo does; you can remove persist to require authentication every time if you want.

  • @rustkitty
    @rustkitty 2 months ago +21

    If you are already using systemd and polkit anyway then this makes a lot of sense, why have two separate tools for the same thing?

    • @arthurmoore9488
      @arthurmoore9488 2 months ago +1

      The interesting thing is this seems like just a light wrapper around a pre-existing application. While I haven't looked, probably one designed to allow a process to start service workers and communicate with them. I'd put decent odds that you could hack together a command which would act like run0 using said process right now.

  • @Hydridity
    @Hydridity 2 months ago +37

    Oh I wish everybody on Linux knew how to use sudo.
    Yet I still see people using combination of sudo su

    • @bountyjedi
      @bountyjedi 2 months ago +10

      Blame Ubuntu that popularized it...
      I guess someone at Canonical figured it was easier to remember than `sudo -i` or something

    • @rogo7330
      @rogo7330 2 months ago +16

      `su -` spawns new login process with empty environment. "Things that Lennart does not want you to know".

    • @ytfeelslikenorthkorea
      @ytfeelslikenorthkorea 2 months ago +1

      @@bountyjedi Ubuntu? Don't remember, so won't argue. In my ye-olde days we were simply doing su - :) or just logging in to root directly :) Good, old, innocent days when we didn't know any better :)

    • @christophercarillo4784
      @christophercarillo4784 2 months ago +2

      I only do this when I'm really desperate and forgot what my root password is, but yea, `sudo su` is extremely cursed 😂

    • @terrydaktyllus1320
      @terrydaktyllus1320 2 months ago +2

      Is this a hobby of yours or something? Standing behind people and watching what they type in at the bash prompt? Have you not just considered a better hobby?

  • @BoganBits
    @BoganBits 2 months ago +1

    Re the special coloring and unicode, I have already set up a root shell prompt with ANSI coloring to make it obvious that the shell is running as root. Works everywhere, has done for years.
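    Both this comment and the zsh one at 11:00 describe the same defensive habit: make a root shell look unmistakably different so a forgotten `sudo -i` or `su -` is caught by eye. The following bash script is an added example, not code from the video or from either commenter, and not part of systemd, sudo or run0; it assumes a terminal that honours standard ANSI SGR escapes and follows the commenters' convention of red for root and blue for everyone else. It keys the decision on the effective UID rather than on `$USER` or `$HOME`, because those can be left behind by some sudo configurations while the effective UID always reflects who the kernel thinks you are.

    ```bash
    #!/usr/bin/env bash
    # Added example (not from the video or the commenters): a root-aware prompt.
    # Assumptions: bash, and a terminal that understands ANSI SGR colour escapes.

    # Return the ANSI colour prefix for a given effective UID:
    # white on red for root (UID 0), white on blue for anyone else.
    prompt_color_for_uid() {
      local uid="$1"
      if [ "$uid" -eq 0 ]; then
        printf '\033[41;97m'
      else
        printf '\033[44;97m'
      fi
    }

    # Return a short privilege label that goes into the prompt text itself,
    # so the warning survives even on a monochrome terminal or in a pasted log.
    privilege_label_for_uid() {
      if [ "$1" -eq 0 ]; then
        echo "ROOT"
      else
        echo "user"
      fi
    }

    # Build a PS1 string for the given UID, user and host. The colour is reset
    # before the command area so typed input stays in the terminal's default colour.
    # \w and \$ are left for bash to expand at prompt time ($ for users, # for root).
    build_ps1() {
      local uid="$1" user="$2" host="$3"
      local color reset label
      color="$(prompt_color_for_uid "$uid")"
      reset="$(printf '\033[0m')"
      label="$(privilege_label_for_uid "$uid")"
      printf '%s[%s] %s@%s:\\w%s\\$ ' "$color" "$label" "$user" "$host" "$reset"
    }

    # Install the prompt in the current shell. EUID is the *effective* UID, which is
    # what changes under sudo -s, sudo -i or su; id -u is the fallback outside bash.
    install_prompt() {
      PS1="$(build_ps1 "${EUID:-$(id -u)}" "${USER:-$(id -un)}" "${HOSTNAME:-$(hostname)}")"
    }

    # Source this file from ~/.bashrc (and root's ~/.bashrc) and call install_prompt;
    # run0 or sudo -i starting a root shell will then render the prompt on red.
    # install_prompt
    ```

    Because root's shell reads root's own `~/.bashrc`, the snippet has to be installed for root as well as for the unprivileged account; a prompt defined only in the user's dotfiles is exactly what disappears when a login shell switches to root.
    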

  • @DiegoRockLoiro
    @DiegoRockLoiro 2 months ago +3

    Everything will be made by systemd and you will be happy

  • @vitasomething
    @vitasomething 2 months ago +13

    systemd/linux is becoming closer to reality every day 😭

  • @cameronbosch1213
    @cameronbosch1213 2 months ago +6

    Honey, I gave him the systemd! 😂

  • @banaantje0456
    @banaantje0456 2 months ago +2

    This sounds like a cool concept! I think I might check it out some time, and depending on how the fallout looks maybe start using it. SUID always felt weird to me, but I do wonder how run0 ensures nobody else can talk to systemd to do the same thing. I guess another cool thing to look at, as it sounds useful to know for some other projects I'm working on.

  • @d3stinYwOw
    @d3stinYwOw 2 months ago +1

    Sudo currently is a go-to in corporate environments, where root privileges are controlled by LDAP/AD. Unless they have a way to implement it, corporations that they really like won't adopt it, nuh-uh.

  • @DePhoegonIsle
    @DePhoegonIsle 2 months ago +22

    You know what this reminds me of.. SUDO being the last remnants of the Windows 9x/ME kernel as critical changes & security updates moved to the NT kernel, along with the very real loss of DOS programs (as that was a fight all its own).
    The security model of a server/client carries less built-in risk than one of a client-only design that has to manage permissions all itself.
    Seriously, why is a supremely overpowered and basically server-designed piece of software that dates back to the days where there was only one 'system', and all the terminals were what would be dumb clients that only played connect for you. That in itself provides more security holes from design principles that have shifted so far, it's insane.
    I am not sure what the solution will be, but I do know sudo has to go, and be replaced with something that matches the current design & use case that it ends up in. Maybe not putting super computer / server cluster level software into a system that has at most 5 end users, with only a mythically tiny % of them being more than 1 end user at any given time.

    • @bluephreakr
      @bluephreakr 2 months ago +4

      Wayland, Pipewire, Doas.

    • @rich1051414
      @rich1051414 2 months ago

      It does make sense to have a dedicated virtual super user that handles privileged execution so that the unprivileged user doesn't need privilege escalation, but it's not a valid paradigm for all use cases, and I am not sure logging in as that privileged user for the edge cases is a viable solution, that just makes things worse. So in this. I don't think sudo is going anywhere, it will just be heavily discouraged.

    • @bluephreakr
      @bluephreakr 2 months ago

      @@rich1051414 The problem with sudo is sudo itself. There's too much going on with it as an authentication method on a system with only a single user and a single seat, connected to a network but isolated from other system interactions.
      It's more suited for sysadmins who manage multiple machines, where the Linux instance users are using is what we'd refer to these days as a "thin client". The average end-user would be better suited with something lighter.

  • @kensmith5694
    @kensmith5694 2 months ago +10

    I think everything should be left alone as it is unless there really is a bug to be fixed. We are wasting a lot of programming hours on no gain in real use.
    As for what scripting language to use: Linux typically comes with a perfectly good copy of bash.

  • @jessewgeek
    @jessewgeek 2 months ago +1

    I got my back up when I read the title, but... I'm for this change.

  • @SirWrexes
    @SirWrexes 2 months ago

    I imagine he kept counting after the video ended, and it's been 2 days. Brodie's like "run23356, run23357, run23358..." sending SOS signals with his blinking

  • @MajinBlayze
    @MajinBlayze 2 months ago +3

    Microsoft announces their version of sudo, and the Linux community responds "sudo is insecure, we're going to make a better sudo than you"

    • @theevilcottonball
      @theevilcottonball 2 months ago

      Now that Microsoft has implemented it, it cannot be secure anymore. I like that flawed logic.

  • @andymorin9163
    @andymorin9163 2 months ago +3

    I use doas, it's so much better. No freezing up my whole term when I type my password wrong.

    • @sprinklednights
      @sprinklednights 2 months ago +2

      You mean that delay when entering a password only to get notified that you typed your password wrong?

  • @skidnik
    @skidnik 2 months ago +2

    Unless run0 provides a simple way to allow unprivileged users to run specific commands, it's not gonna replace anything. No one's gonna write an xml object and some javascript to achieve something that can be defined in one line even with a convoluted syntax of sudoers file.

    • @dashcharger24
      @dashcharger24 2 months ago +1

      I'm pretty sure they can allow multiple parsers.

  • @roastyou666
    @roastyou666 2 months ago +2

    Nice! I heard this news on Reddit and the comments were locked

  • @danielberglv259
    @danielberglv259 2 months ago +19

    I have long since replaced sudo with doas. It's so simple to configure and you can easily feel the speed difference between them. But this systemd thing may not be such a bad idea. SUID should never have existed in Linux to begin with. Having an unprivileged user run code with elevated privileges based on a single file flag is a decision you make when you are drunk and should not touch a computer, or maybe when you are working on something in the '80s. This will be very similar to how su works on unlocked Android devices these days.

    • @No-mq5lw
      @No-mq5lw 2 months ago +8

      Opendoas on Linux is not the same. It's a poor port that's abandoned.

    • @rogo7330
      @rogo7330 2 months ago

      @@No-mq5lw it just does some text parsing with stuff like strcmp and then uses system calls to drop you into the requested user. Go "update" memcpy if you have nothing to do.

    • @netkv
      @netkv 2 months ago

      ​@@No-mq5lw how is it abandoned? It hasn't had commits for two years, but for software which is supposed to do one thing and do it well that doesn't matter that much.
      Also there is an alternative port by slicer69 which seems to be very alive, but IIRC it had security issues.

    • @No-mq5lw
      @No-mq5lw 2 months ago +3

      @@netkv *3 years. And it's on v1.49 while OBSD is on 1.99 of doas. Being abandoned for a long while matters when it allows root access (and ports over libs from OBSD). If it was a toy like Neofetch, being abandoned honestly doesn't really matter all too much.

  • @darthcabs
    @darthcabs 2 months ago +11

    Gee, sudo is too large! Let's embed it in the largest jack-of-all-trades piece of software on Linux...... systemd

    • @PeakKissShot
      @PeakKissShot 2 months ago

      Except that systemd isn’t a piece of software, it’s a family of software

  • @mc-not_escher
    @mc-not_escher 2 months ago +1

    I think I can hear the same groaning from people who maintain documentation as we all did when systemd became de-facto mayor of Linuxland.

  • @BoganBits
    @BoganBits 2 months ago +2

    TIL
    - Poettering actually thinks about security. That's encouraging I guess but not the whole story
    - sudo is ~200k lines of code?!?! WTF? (TBF 90% of it probably never gets executed by 99% of systems though)
    The thing about sudo is that, despite the past fuckups, it has been battle hardened over time, certainly more than what systemd is about to introduce. There will almost certainly be CVEs for this new tool.
    Also I can't help but feel that the model of using an existing running privileged daemon to do the same thing as sudo, instead of a standalone SUID binary, just replaces one delicate security problem with a different one. I still have to think about the security implications of an all-powerful daemon process (a rather large one mind you) granting root to whoever passes the test, and how that could potentially be exploited.

  • @schemage2210
    @schemage2210 2 months ago +5

    Conceptually, Poettering makes a lot of sense. Yeah, I will probably get a lot of hate for saying so. But at the same time, the type of attacks that he wants to prevent seem way too infrequent to force a massive change like this.

    • @GrzesiekJedenastka
      @GrzesiekJedenastka 2 months ago +1

      I wouldn't call it massive. All it does was already possible, it's just using the existing systemd APIs. I also wouldn't call it forcing, it's just a tool - you can use it, you can stick to sudo or doas.

    • @schemage2210
      @schemage2210 2 months ago +1

      @@GrzesiekJedenastka I was under the impression that the goal would be to phase sudo out completely as a systemd-wide change, which would be a massive adjustment. Well, referring more to getting adoption of the new tool rather than changes to the codebase.

    • @GrzesiekJedenastka
      @GrzesiekJedenastka 2 months ago

      @@schemage2210 sudo isn't going anywhere. It's up to distros if they want to continue shipping it by default, and up to the user if they want to install it even if the distros don't.
      The goal of systemd devs is to replace sudo, yes, but if it does or does not is not up to them. Only time will tell.

    • @PeakKissShot
      @PeakKissShot 2 months ago

      @@schemage2210 systemd has nothing to do with sudo. run0 is just an additional option you may choose instead of sudo.

    • @mzg147
      @mzg147 2 months ago

      @@schemage2210 sudo is just another program right? They can't "phase sudo out completely" because you can just install it on any Linux system as I'm aware

  • @dracoix
    @dracoix 2 months ago +27

    \*internally screaming at systemd\*

  • @videojones59
    @videojones59 2 months ago

    Remember when the function of the process with PID 1 was: (1) reap orphaned processes; (2) start getty on login terminals whose sessions had terminated?

  • @JoeJoeTater
    @JoeJoeTater 2 months ago +2

    It sounds like LP just wants to write his own OS. Like, if he really hates the UNIX/Linux design philosophy so much, he should just go make his own thing where big strong daddy Lennart can tell all us stupid users how to run his -- I mean -- our systems.

  • @MoraFermi
    @MoraFermi 2 months ago +14

    Given the track record, this is going to go down like a lead balloon. sudo is a large, complex SUID binary with many dependencies and network access *strictly because* authentication is a complex topic that often requires reaching out to other systems on the network and taking policy decisions based on inputs that can come from many distinct places.
    In the end, it will be another `resolvectl`, something that nobody will ever voluntarily interact with and every distribution will have some wrapper around it to make it useable.
    And just like resolvectl it will solve exactly nobody's problems but it will make everybody's lives just a little bit more painful, in the name of "flexibility".

    • @arthurmoore9488
      @arthurmoore9488 2 months ago

      Question though. How is that different than the configuration done for SSH? If that's already using polkit, then wouldn't the configuration already be done?

  • @hollisbostick2872
    @hollisbostick2872 2 months ago +25

    Oh dear. I mean, yeah, I agree that sudo is.... problematic, and perhaps needs a more modern alternative/replacement, but increasing the systemd monolith is never the solution imo. Thanks for mentioning doas; never heard of it, and certainly never heard that it is/was "probably on my system" already. Looking forward to finding out🙂.

    • @fish3977
      @fish3977 2 months ago +3

      especially when doas is already right there!

    • @koye4427
      @koye4427 2 months ago +4

      I think he says it's "probably on your system already" because this audience leans more on the modern, cutting edge side of Linux

    • @Max24871
      @Max24871 2 months ago +1

      All this is is a new symlink to the systemd-run binary you already have.

    • @fish3977
      @fish3977 2 months ago

      @@Max24871 speak for yourself!
      runit my beloved

    • @hollisbostick2872
      @hollisbostick2872 2 months ago

      @@Max24871 Well not one that *I* already have; my computers run Void, Artix, and (in the near future) possibly Nitrux and/or AntiX. Just sayin'.

  • @vicca4671
    @vicca4671 2 months ago

    Lennart: It's bad that sudo is extensible because it's bad.
    Also Lennart: polkit is extensible, yeah, it uses JS for that, but that's fine because I like the way it runs more.
    He makes some good points and then proceeds to argue asinine shit right afterwards. That's a skill for sure.

  • @bastianelken7125
    @bastianelken7125 2 months ago +2

    Another episode of Brodie reading from his bible... "and Poettering said, Let there be run0..."

  • @Juttutin
    @Juttutin 2 months ago +8

    Well of course we'll never catch YOU running it. systemd will be running it for you. quietly. softly. gently. systemd cares about you. systemd wants to look after you. trust systemd.

    • @icantcomeupwithnames469
      @icantcomeupwithnames469 2 months ago +1

      I just ran it (well, the current version of systemd-run) three times to test it btw, pretty nifty.

  • @kebien6020
    @kebien6020 2 months ago +5

    Wait so the spawned process doesn't inherit any context right? Not even namespaces? I worry I'd end up unintentionally escaping docker containers. Not that they're a security boundary (VMs are the tool for that), but what if I run "run0 rm -rf /" inside a container expecting it to kill the container itself, and it kills my whole system instead.
    Maybe inside the container there's no socket to talk with the real systemd on the host? Then for privilege escalation inside a container I'll still have to rely on the SUID method instead right?

  • @mikechappell4156
    @mikechappell4156 2 months ago +2

    I'm partial to sudo myself, doas is usable, systemd is too damn complicated. I also prefer straight text config files as opposed to sgml, that's what turned me off OS X. You need to balance security and serviceability. I'm beyond tired of needing to learn how to do something that worked just fine when I did it yesterday.

  • @petrus4
    @petrus4 2 months ago

    In the past I would have been angry about this, but I am slowly reaching a place of acceptance.

  • @Hyp3rSon1X
    @Hyp3rSon1X 2 months ago +6

    As long as I can keep using the command 'sudo', I don't mind nor care what they do behind the curtains!

    • @kensmith5694
      @kensmith5694 2 months ago +8

      I somewhat agree but I worry that new bugs will be created by a needless change.

    • @mikechappell4156
      @mikechappell4156 2 months ago

      @@kensmith5694 No need to worry about it. New bugs are guaranteed.

  • @Mark-np5ss
    @Mark-np5ss 2 months ago +21

    Systemd had privilege escalation tools since forever. I'm wondering why Lennart brought it up just now. Also, knowing how slow things move in the world of GNU/Linux security, don't expect sudo phased out yet. In fact, there is little reason to do anything about it, really... Tbh, I like Lennart's security blogposts, he's always thoughtful about such things and even if you disagree, you have something interesting to learn from him.

    • @dingokidneys
      @dingokidneys 2 months ago +4

      From the posting in the video, it looks like a wrapper around systemd-run which as you say is functionality that has been there a long time. My first reaction was "Oh, no!" but as the explanation went on I thought "This sounds pretty reasonable actually." Lennart seems to be one of those people who is (painfully for me) right about what he says. Sadly, I'll probably have to learn some new stuff; more about systemd and a bit about polkit.

  • @chiffaonosu
    @chiffaonosu 2 months ago

    The concept is neat and there is a good basis for it, wondering what will happen when people start trying to adopt this though

  • @x-yl
    @x-yl 2 months ago +1

    The "exploit" is basically just stealing the PTY that systemd creates and communicating with the root shell. Well, you could do the exact same thing with sudo if you just steal the whole parent shell PTY instead. The solution here is to correctly set ptrace_scope (or just... don't change the default) so that processes can't just steal each other's PTYs.

  • @ThreeTreee
    @ThreeTreee 2 months ago +4

    system of a d

  • @arsenijspoga
    @arsenijspoga 2 months ago +4

    Excuse me sir, would you have a moment to talk about our lord and savior OpenRC and doas? 🥺

  • @dashcharger24
    @dashcharger24 2 months ago

    I actually think this is a good idea. It's sudo, but with way more protection around it. You can become root, but only in parts of the filesystem that can be managed.

  • @AgentTex13
    @AgentTex13 2 months ago +1

    I'm just too comfortable with sudo; I can't see myself using something else, unless I have no other choice.