Post AhO80FpZADBfSzfRS4 by pid_eins@mastodon.social
 (DIR) Post #AhNI4xXZs8sr5ixXay by pid_eins@mastodon.social
       2024-04-29T07:27:59Z
       
       0 likes, 1 repeats
       
       5️⃣ Here's the 5th installment of my series of posts highlighting key new features of the upcoming v256 release of systemd. I am pretty sure all of you are well aware of the venerable "sudo" tool that has been a key component of most Linux distributions for a long time. On the surface it's a tool that allows an unprivileged user to acquire privileges temporarily, from within their existing login sessions, for just one command, or maybe for a subshell. "sudo" is very very useful, as it…
       
 (DIR) Post #AhNI4zOQz6l4pwhGca by pid_eins@mastodon.social
       2024-04-29T07:32:14Z
       
       0 likes, 0 repeats
       
       … it allows users to operate at minimum privilege: do most of their work without privileges but temporarily acquire them where needed, all without leaving the shell workflow, integratable with shell scripts, pipelines and so on. sudo has serious problems though. It's a relatively large SUID binary, i.e. privileged code that unprivileged users can invoke from their own context. It has a complicated configuration language, loadable plugins (ldap!), hostname matches and so on and so on.
       
 (DIR) Post #AhNI50p3fbeJGoA2l6 by pid_eins@mastodon.social
       2024-04-29T07:34:42Z
       
       0 likes, 0 repeats
       
       This has led various people to revisit the problem and come up with alternatives: most prominently there's probably OpenBSD's sudo replacement called "doas". While it greatly simplifies the tool and removes much of the attack surface, it doesn't change one key thing: it's still a SUID binary. I personally think that the biggest problem with sudo is the fact it's a SUID binary though – the big attack surface, the plugins, network access and so on that come after it just make the key problem…
       
 (DIR) Post #AhNI52IsAF5lrZ7Mrw by pid_eins@mastodon.social
       2024-04-29T07:39:51Z
       
       0 likes, 0 repeats
       
       … worse, but are not in themselves the main issue with sudo. SUID processes are weird concepts: they are invoked by unprivileged code and inherit the execution context intended for and controlled by unprivileged code. By execution context I mean the myriad of properties that a process has on Linux these days, from environment variables, process scheduling properties, cgroup assignments, security contexts, file descriptors passed, and so on and so on. A few of these settings the kernel is nice…
       
 (DIR) Post #AhNI547FQQyvU5h71k by pid_eins@mastodon.social
       2024-04-29T07:42:01Z
       
       0 likes, 0 repeats
       
       … enough to clean up automatically when a SUID binary is invoked, but much of it has to be cleaned up by the invoked suid binary. This has to be done very very carefully, and history has shown that SUID binaries are generally pretty shit at that. So, in my ideal world, we'd have an OS entirely without SUID. Let's throw out the concept of SUID on the dump of UNIX' bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful, …
       
 (DIR) Post #AhNI55cTpnYi9FJZLc by pid_eins@mastodon.social
       2024-04-29T07:44:16Z
       
       0 likes, 1 repeats
       
       … manual clean-up is just not how security engineering should be done in 2024 anymore. With systemd v256 we are going one step towards this. There's a new tool in systemd, called "run0". Or actually, it's not a new tool, it's actually the long existing tool "systemd-run", but when invoked under the "run0" name (via a symlink) it behaves a lot like a sudo clone. But with one key difference: it's *not* in fact SUID. Instead it just asks the service manager to invoke a command or shell under…
       
 (DIR) Post #AhNI57P5Ca1xgH3tk8 by pid_eins@mastodon.social
       2024-04-29T07:48:33Z
       
       0 likes, 0 repeats
       
       … the target user's UID. It allocates a new PTY for that, and then shovels data back and forth from the originating TTY and this PTY. Or in other words: the target command is invoked in an isolated exec context, freshly forked off PID 1, without inheriting any context from the client (well, admittedly, we *do* propagate $TERM, but that's an explicit exception, i.e. allowlist rather than denylist). One could say, "run0" is closer to the behaviour of "ssh" than to "sudo", in many ways. Except that…
       
 (DIR) Post #AhNI58uJbwbkLQgM40 by pid_eins@mastodon.social
       2024-04-29T07:52:20Z
       
       0 likes, 0 repeats
       
       it doesn't bother with encryption or cryptographic authentication, key management and stuff, but instead relies on the kernel's local identification mechanisms. run0 doesn't implement a configuration language of its own btw (i.e. no equivalent of /etc/sudoers). Instead, it just uses polkit for that, i.e. how we these days usually let unpriv local clients be authorized by priv servers. By isolating the contexts and the resources of client and target we remove some other classes of attacks…
       
 (DIR) Post #AhNI5AEueqg6TbKJo8 by pid_eins@mastodon.social
       2024-04-29T07:54:36Z
       
       0 likes, 0 repeats
       
       … entirely, for example this stuff:
       https://ruderich.org/simon/notes/su-sudo-from-root-tty-hijacking
       But enough about all that security blabla. The tool is also a lot more fun to use than sudo. For example, by default it will tint your terminal background in a reddish tone while you are operating with elevated privileges. That is supposed to act as a friendly reminder that you haven't given up the privileges yet, and marks the output of all commands that ran with privileges appropriately. (If you don't like this, …
       
 (DIR) Post #AhNI5BgxG4heyrSE9g by pid_eins@mastodon.social
       2024-04-29T07:57:35Z
       
       0 likes, 0 repeats
       
       … you can easily turn it off via the --background= switch). It also inserts a red dot (unicode ftw) in the window title while you operate with privileges, and drops it afterwards. And since it's just systemd-run called under a different name it supports the --property= switch that systemd-run supports, i.e. it allows you to set arbitrary service settings for the invoked privileged command/session if you like. Anyway, that's all for now. Enjoy "run0"!
       
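       The posts above contrast run0's fresh context forked off PID 1 with the clean-up a SUID binary has to do by hand. As an added example in C (not code from the thread or from systemd; the function names are my own), this is what that manual clean-up looks like: an environment allowlist that keeps only $TERM, the exception mentioned above, plus the file descriptor hygiene a caller-controlled context forces on privileged code.

```c
/* Added example, not systemd's code: the clean-up a SUID binary must do by
 * hand because it inherits its caller's env and fds; run0 sidesteps all of
 * it by having PID 1 fork the command in a fresh context. */
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Copy only allowlisted variables from in[] to out[] (run0 keeps just TERM).
 * out[] gets a terminating NULL; needs max >= 1. Returns entries kept. */
size_t allowlist_env(char *const in[], const char *out[], size_t max) {
    static const char *const keep[] = { "TERM=", NULL };
    size_t n = 0;
    for (size_t i = 0; in[i] && n + 1 < max; i++)
        for (size_t k = 0; keep[k]; k++)
            if (strncmp(in[i], keep[k], strlen(keep[k])) == 0) {
                out[n++] = in[i];
                break;
            }
    out[n] = NULL;
    return n;
}
/* A caller can hand us closed stdin/stdout/stderr; a later open() would then
 * land on fd 0..2 and be written to. Reopen them on /dev/null. */
int ensure_std_fds(void) {
    int reopened = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1) continue;      /* already open */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd >= 0 && nfd != fd) { dup2(nfd, fd); close(nfd); }
        reopened++;
    }
    return reopened;
}
/* Close every descriptor >= lowfd that the caller leaked to us.
 * Returns the number closed, or -1 if /proc/self/fd is unreadable. */
int close_inherited_fds(int lowfd) {
    DIR *d = opendir("/proc/self/fd");
    if (!d) return -1;
    int self = dirfd(d), closed = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        if (*end != '\0' || fd < lowfd || fd == self) continue;
        if (close((int)fd) == 0) closed++;
    }
    closedir(d);
    return closed;
}
```

       Each of these steps is one more thing a SUID tool has to remember; a process started by the service manager never inherits the caller's environment or descriptors in the first place.
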
 (DIR) Post #AhO80F3M3Scf3T6wIy by TheStroyer@mastodon.social
       2024-04-29T08:12:10Z
       
       0 likes, 0 repeats
       
       @pid_eins I think it's a good take on sudo. I think there were some vulnerabilities found in sudo recently, so it's good to look at other ways to do it. I wonder what the adoption of this tool is gonna be. Just very pragmatically, the name run0 is harder to type than sudo. So you would have to make a shell alias. Would it be possible for a distro to completely replace sudo with this and create an alias by default? Maybe it would need to get a compatibility mode for it to replace sudo.
       
 (DIR) Post #AhO80FpZADBfSzfRS4 by pid_eins@mastodon.social
       2024-04-29T08:17:35Z
       
       0 likes, 0 repeats
       
       @TheStroyer the command line of run0 is intentionally kept close to sudo's. But that's where the compatibility really ends, i.e. /etc/sudoers and so on we're never going to add compat for. From my perspective run0 should be fine already for a distro to replace sudo with. But let's see how this plays out, I am pretty sure there might be a feature or two we still need to add before the first distros decide it's ready to switch over. And I am pretty sure there are plenty of distributions…
       
 (DIR) Post #AhO80GbmGxkfsWDwbA by josh@social.joshtriplett.org
       2024-04-29T17:27:58.064251Z
       
       1 likes, 0 repeats
       
       > the command line of run0 is intentionally kept close to sudo's.
       Could we get a -E/--preserve-env switch? (It'd also be nice if users can do per-user configuration to set that, or to set a variety of specific environment variable passthroughs.) There are a variety of environment variables that are useful to pass through, and I'd rather not specify them all every time or do configuration-via-shell-alias.
       
 (DIR) Post #AhO80HkK2gBHPJEHYW by pid_eins@mastodon.social
       2024-04-29T08:18:10Z
       
       0 likes, 0 repeats
       
       @TheStroyer … which think that things like pluggable client-side modules, LDAP and so on are actually a good thing, even though I would vehemently disagree with that.
       
 (DIR) Post #AhPkyvyDbrAyx32HKa by Suiseiseki@freesoftwareextremist.com
       2024-04-30T12:57:10.953169Z
       
       0 likes, 1 repeats
       
       @pid_eins Lennart does it again making things less secure. suid binaries are very secure provided you program the software correctly. Here's an example of secure suid software I found, free from vulnerabilities:

       #define _GNU_SOURCE   /* group_member() is a GNU extension */
       #include <stdio.h>
       #include <stdlib.h>
       #include <fcntl.h>
       #include <sys/types.h>
       #include <grp.h>
       #include <unistd.h>

       int main(void)
       {
           /* get gid of power-tools group */
           struct group *power = getgrnam("power-tools");
           if (!power) {
               fprintf(stderr, "power-tools group does not exist.\n");
               exit(1);
           }
           /* check if the current user has the gid of power */
           if (!group_member(power->gr_gid)) {
               fprintf(stderr, "User is not in power-tools group.\n");
               exit(1);
           }
           /* change to root user */
           if (setuid(0) != 0) {
               fprintf(stderr, "Suspend binary is not setuid.\n");
               exit(1);
           }
           /* open mem_sleep and state; open() returns -1 on failure, not 0 */
           int mem_sleep = open("/sys/power/mem_sleep", O_WRONLY);
           int state = open("/sys/power/state", O_WRONLY);
           if (mem_sleep < 0 || state < 0) {
               perror("Linux doesn't support Suspend-to-RAM");
               exit(1);
           }
           /* write deep to /sys/power/mem_sleep then mem to /sys/power/state to Suspend-to-RAM */
           if (write(mem_sleep, "deep\n", 5) != 5) {
               perror("Writing deep failed");
               exit(1);
           }
           if (write(state, "mem\n", 4) != 4) {
               perror("Writing mem failed");
               exit(1);
           }
           /* close the fd's */
           close(mem_sleep);
           close(state);
           return 0;
       }
       
 (DIR) Post #AhQDZINqYI0xbg9MHI by sszuecs@hachyderm.io
       2024-04-29T08:10:43Z
       
       0 likes, 0 repeats
       
       @pid_eins wow the auto coloring and title changes would be really annoying. The config to disable it doesn't seem user friendly either: --background=switch. Whatever "background" means in this case, and why it's correct to set it to "switch", seems arbitrary to me. The tool itself seems to be indeed great!
       
 (DIR) Post #AhQDZIu6cLopDjF7Ym by amanzer@techhub.social
       2024-04-29T10:57:40Z
       
       0 likes, 0 repeats
       
       @sszuecs @pid_eins I think it's the switch that is called `--background=`. I don't think the thread described the different settings you can give to --background.
       
 (DIR) Post #AhQDZJJd5SEeUtBVLM by pid_eins@mastodon.social
       2024-04-29T11:31:15Z
       
       0 likes, 0 repeats
       
       @amanzer @sszuecs Oh. I didn't grok @sszuecs's comment, I was sure there was some misunderstanding but I couldn't figure out how! But your explanation explains the misunderstanding perfectly! So yes, the switch is called "--background=" and you can override the background color with that, or you can assign an empty string to disable the tinting altogether.
       
 (DIR) Post #AhQDZJgfhmfPeLxuG8 by amanzer@techhub.social
       2024-04-29T11:44:00Z
       
       0 likes, 0 repeats
       
       @pid_eins @sszuecs Next up, adding "--background=magenta" to my run0.rc. 😂
       
 (DIR) Post #AhQDZK0AXIGMcp5TeK by pid_eins@mastodon.social
       2024-04-29T12:51:12Z
       
       0 likes, 0 repeats
       
       @amanzer @sszuecs Not quite. We expect ANSI color specifications, hence you probably want --background=35
       
 (DIR) Post #AhQDZKTEnDW04yggxU by rokejulianlockhart@mastodon.social
       2024-04-30T14:52:28Z
       
       0 likes, 0 repeats
       
       @pid_eins, like https://gist.github.com/JBlond/2fea43a3049b38287e5e9cefc87b2124/da3a76d981e3ee95d00f14db07975e088a02a311#regular-colors? Why is that preferable to hex codes with alpha channels and all that goodness?
       
 (DIR) Post #AhQDZKtpCMmZPR7vOq by pid_eins@mastodon.social
       2024-04-30T16:20:51Z
       
       0 likes, 0 repeats
       
       @rokejulianlockhart because this is about terminal output, and terminals eat ansi sequences and have no concept of alpha channels?
       
 (DIR) Post #AhQDZLL7YscIm5tiwi by reto@pleroma.labrat.space
       2024-04-30T18:17:34.068712Z
       
       0 likes, 0 repeats
       
       @pid_eins @rokejulianlockhart well, modern terminals have true color support at least... would've been nice over the plain ansi number but I get it that querying the cap might be annoying.
       
 (DIR) Post #AhQsNYU1sriUWqRtY0 by pid_eins@mastodon.social
       2024-04-30T19:50:40Z
       
       1 likes, 0 repeats
       
       @reto @rokejulianlockhart the switch accepts 256 and full rgb ansi colors too. But still, there is no alpha channel concept in ansi sequences.
       
 (DIR) Post #AhRhMogHGu608ZaCyu by swick@fosstodon.org
       2024-04-30T20:48:07Z
       
       0 likes, 0 repeats
       
       @pid_eins suid programs executing in the environment of the parent process means that I might become root in a user namespace and get the filesystem view of the current mount ns. This won't work with your approach, will it?
       
 (DIR) Post #AhRhMpKKry8e8oKCQ4 by pid_eins@mastodon.social
       2024-04-30T20:57:15Z
       
       1 likes, 0 repeats
       
       @swick yes, and that's a *feature* not a bug. If you acquire privs you want the guarantee that no one fucks around with your mounts and overmounts/replaces stuff that they shouldn't be able to. That's *precisely* what I mean with clean context: if you use run0 you get a guaranteed clean execution context, with all such inherited namespace or whatnot shenanigans gone for good.
       
 (DIR) Post #AhaNQTcxTHugBucY4G by Tadano@amala.schwartzwelt.xyz
       2024-05-01T22:44:42.401920Z
       
       0 likes, 1 repeats
       
       @pid_eins I'd just like to interject for a moment. What you're referring to as Linux, is in fact, systemd/Linux, or as I've recently taken to calling it, systemd plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning systemd system made useful by the systemd units, shell utilities and vital system components comprising a full OS as defined by POSIX. Many computer users run a modified version of the systemd system every day, without realizing it. Through a peculiar turn of events, the version of systemd which is widely used today is often called Linux, and many of its users are not aware that it is basically the systemd system, developed by Lennart Poettering-kun. There really is a Linux, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine's resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the systemd operating system: the whole system is basically systemd with Linux added, or systemd/Linux. All the so-called Linux distributions are really distributions of systemd/Linux!
       
 (DIR) Post #AhaNST0GlKe0ppTOym by PurpCat@clubcyberia.co
       2024-05-05T15:54:50.559769Z
       
       0 likes, 0 repeats
       
       @pid_eins too bad bsd and illumos don't run on 9/10 computers
       
 (DIR) Post #AhrHpbVM1Ytxp9ytAe by UnixMan1230@social.linux.pizza
       2024-05-05T11:18:52Z
       
       0 likes, 0 repeats
       
       @pid_eins will this be a separate binary, or is it built into one of the existing components? Just wondering about the modularity factor, here.
       
 (DIR) Post #AhvomF454a2gTl4J8K by pid_eins@mastodon.social
       2024-05-06T07:53:57Z
       
       0 likes, 0 repeats
       
       @UnixMan1230 just read the posting in full? it's answered there.
       
 (DIR) Post #AmOMVE93Pvi1z4UlDk by nanook@friendica.eskimo.com
       2024-09-26T10:08:32Z
       
       0 likes, 0 repeats
       
       Linux, please don't take this the wrong way but I wish you would quit trying to take over every aspect of Linux operation. I really preferred that a tool should do one thing and one thing well, along with all the ways Linux/Unix provided you to put them together, over monolithic monstrosities.