run0, the transparent replacement for sudo in systemd

run0: a safe replacement for sudo

Development of systemd 256, the next version, is in progress and is currently close to 80% complete. One of the changes proposed for this release comes from the creator of systemd himself, Lennart Poettering, who announced on Mastodon the introduction of a new utility called "run0".

The tool is presented as a more secure replacement for sudo and complements the systemd-run command. Its key advantage is that it eliminates the need for an executable with the SUID bit set, which is a risk in itself. run0 is designed to run processes under other users' identifiers more securely.

Poettering argues that a sudo substitute is needed because the central problem of sudo lies in its SUID nature, which can compromise security. Starting with systemd 256, the aim is to acquire privileges without any unprivileged code being involved in the process. Using the SUID bit in sudo to change user identity carries additional risks because the SUID process inherits an execution context made up of many properties controlled by an unprivileged user.

SUID processes are foreign concepts: they are invoked by unprivileged code and inherit the execution context intended and controlled by unprivileged code. By execution context I mean the large number of properties that a process has in Linux today, from environment variables, process scheduling properties, cgroup assignments, security contexts, passed file descriptors, etc., etc.

These properties include environment variables, file descriptors, scheduler settings and cgroup assignments. Even though the kernel automatically strips some of these properties from SUID processes, and the application itself drops others, vulnerabilities are still found in complex SUID programs like sudo because of careless handling of external data that unprivileged users can influence.

In contrast, run0 does not use SUID. Instead, it asks the service manager (PID 1) to start a shell or process under the requested user ID, then creates a new pseudoterminal (PTY) and shuttles data between it and the current terminal (TTY). This behavior is more reminiscent of running a command over ssh than of traditional sudo. The privileged process runs in a clean context created by PID 1 rather than by the user's process, so it does not inherit the properties of the user's environment, except for the $TERM environment variable, which is forwarded. Forwarding is controlled through a list of explicitly allowed properties, a whitelist approach rather than a blacklist.

Polkit is responsible for authorizing requests and determining what a user may do in run0; the classic rules language of sudo (/etc/sudoers) is not supported by this tool. The ability to run programs with other privileges is built into systemd-run, and run0 is a symbolic link to systemd-run that provides a sudo-like command-line interface when invoked under that name.
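The two points above (sudo's risk comes from its SUID bit; run0 is a plain symlink to systemd-run) suggest a quick defender-side check. The following Python is an added example, not systemd's or the article's code: it inventories setuid executables under assumed search roots and reports whether a run0 on PATH resolves to systemd-run; the demo tree it builds is constructed sample input.

```python
"""Added example: inventory setuid executables and check the run0 link."""
import os
import shutil
import stat
import tempfile
from pathlib import Path

def is_setuid(mode: int) -> bool:
    """True if the S_ISUID bit is set in a st_mode value."""
    return bool(mode & stat.S_ISUID)

def find_setuid(dirs, root_only=True):
    """Sorted paths of setuid regular files under DIRS (symlinks not followed).
    root_only=True keeps uid-0 owners only; a setuid bit on another owner
    does not grant root and so is less interesting for this check."""
    found = []
    for d in dirs:
        for path in Path(d).rglob("*"):
            try:
                st = path.lstat()
            except OSError:
                continue  # unreadable entry: skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and is_setuid(st.st_mode):
                if not root_only or st.st_uid == 0:
                    found.append(str(path))
    return sorted(found)

def run0_target():
    """Resolved path of run0 on PATH, or None if it is not installed."""
    exe = shutil.which("run0")
    return None if exe is None else os.path.realpath(exe)

def run0_is_systemd_run(target) -> bool:
    """run0 should be a symlink to systemd-run; check the resolved target."""
    return target is not None and os.path.basename(target) == "systemd-run"

def build_demo_tree():
    """Constructed sample: throwaway dir with one setuid and one plain file."""
    d = tempfile.mkdtemp(prefix="suid-demo-")
    suid, plain = os.path.join(d, "suidbin"), os.path.join(d, "plainbin")
    for p, mode in ((suid, 0o4755), (plain, 0o755)):
        Path(p).touch()
        os.chmod(p, mode)
    return d, suid, plain

if __name__ == "__main__":  # assumed search roots; adjust per host
    for p in find_setuid(("/usr/bin", "/usr/sbin", "/usr/libexec")):
        print("setuid-root:", p)
    print("run0 ->", run0_target(), "ok" if run0_is_systemd_run(run0_target()) else "missing/other")
```

On a host that has adopted run0, the setuid-root list is where a sudo binary would still show up if it had not been removed.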

But enough of all that safety talk. The tool is also much more fun to use than sudo. For example, by default it will tint the background of your terminal in a reddish tone while you are operating with elevated privileges. This is supposed to act as a friendly reminder that you haven't relinquished privileges yet, and marks the output of all commands that were run with the proper privileges.

An additional feature of run0 is the visual indication that you are working with elevated privileges: a reddish terminal background and a red dot added to the window title. When the privileged run finishes, the dot disappears and the background returns to normal. run0 also supports all systemd-run options, such as the "--property" parameter, which allows arbitrary systemd service settings to be applied, for example "CPUWeight=200 MemoryMax=2G IPAccounting=yes".

If you are interested in knowing more, you can consult the details at the following link.