GNU social JP
GNU social JP is a GNU social server in Japan.

Conversation

    Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 30-Apr-2024 21:57:16 JST

    … entirely, for example this stuff:

    https://ruderich.org/simon/notes/su-sudo-from-root-tty-hijacking

    But enough about all that security blabla. The tool is also a lot more fun to use than sudo. For example, by default it will tint your terminal background in a reddish tone while you are operating with elevated privileges. That is supposed to act as a friendly reminder that you haven't given up the privileges yet, and marks the output of all commands that ran with privileges appropriately. (If you don't like this, …

    Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 30-Apr-2024 21:57:16 JST

      … you can easily turn it off via the --background= switch). It also inserts a red dot (unicode ftw) in the window title while you operate with privileges, and drops it afterwards.

      And since it's just systemd-run called under a different name it supports the --property= switch that systemd-run supports, i.e. it allows you to set arbitrary service settings for the invoked privileged command/session if you like.

      Anyway, that's all for now. Enjoy "run0"!

    翠星石 (suiseiseki@freesoftwareextremist.com)'s status on Tuesday, 30-Apr-2024 21:57:16 JST

      @pid_eins Lennart does it again making things less secure.

      suid binaries are very secure provided you program the software correctly.

      Here's an example of secure suid software I found, free from vulnerabilities;
      #define _GNU_SOURCE /* group_member() is a GNU extension declared in <grp.h> */
      #include <stdio.h>
      #include <stdlib.h>
      #include <fcntl.h>
      #include <sys/types.h>
      #include <grp.h>
      #include <unistd.h>

      int main(void)
      {
          /* get gid of power-tools group */
          struct group *power = getgrnam("power-tools");
          if (!power){fprintf(stderr,"power-tools group does not exist.\n"), exit(1);}

          /* check if the current user has the gid of power */
          if (!group_member(power->gr_gid)){fprintf(stderr, "User is not in power-tools group.\n"), exit(1);}

          /* change to root user */
          if (setuid(0) != 0){fprintf(stderr,"Suspend binary is not setuid.\n"), exit(1);}

          /* open mem_sleep and state; open() returns -1 on failure, not 0 */
          int mem_sleep = open("/sys/power/mem_sleep", O_WRONLY);
          int state = open("/sys/power/state", O_WRONLY);
          if (mem_sleep < 0 || state < 0){perror("Linux doesn't support Suspend-to-RAM"), exit(1);}

          /* write deep to /sys/power/mem_sleep then mem to /sys/power/state to Suspend-to-RAM */
          if (write(mem_sleep, "deep\n", 5) != 5){perror("Writing deep failed"), exit(1);}
          if (write(state, "mem\n", 4) != 4){perror("Writing mem failed"), exit(1);}

          /* close the fd's */
          close(mem_sleep);
          close(state);

          return 0;
      }
    Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 30-Apr-2024 21:57:17 JST

      … the target user's UID. It allocates a new PTY for that, and then shovels data back and forth from the originating TTY and this PTY.

      Or in other words: the target command is invoked in an isolated exec context, freshly forked off PID 1, without inheriting any context from the client (well, admittedly, we *do* propagate $TERM, but that's an explicit exception, i.e. allowlist rather than denylist).

      One could say, "run0" is closer to behaviour of "ssh" than to "sudo", in many ways. Except that…

    Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 30-Apr-2024 21:57:17 JST

      it doesn't bother with encryption or cryptographic authentication, key management and stuff, but instead relies on the kernel's local identification mechanisms.

      run0 doesn't implement a configuration language of its own btw (i.e. no equivalent of /etc/sudoers). Instead, it just uses polkit for that, i.e. how we these days usually let unpriv local clients be authorized by priv servers.

      By isolating the contexts and the resources of client and target we remove some other classes of attacks…

    Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 30-Apr-2024 21:57:18 JST

      … worse, but are not in themselves the main issue with sudo.

      SUID processes are weird concepts: they are invoked by unprivileged code and inherit the execution context intended for and controlled by unprivileged code. By execution context I mean the myriad of properties that a process has on Linux these days, from environment variables, process scheduling properties, cgroup assignments, security contexts, file descriptors passed, and so on and so on. A few of these settings the kernel is nice…

    Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 30-Apr-2024 21:57:18 JST

      … enough to clean up automatically when a SUID binary is invoked, but much of it has to be cleaned up by the invoked suid binary. This has to be done very very carefully, and history has shown that SUID binaries are generally pretty shit at that.

      So, in my ideal world, we'd have an OS entirely without SUID. Let's throw out the concept of SUID on the dump of UNIX' bad ideas. An execution context for privileged code that is half under the control of unprivileged code and that needs careful, …

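      The clean-up a privileged program has to do by hand, as an added C example written for this page (it is not systemd code, not run0, and not the suspend helper posted elsewhere in this thread): the inherited environment is rebuilt from an allowlist rather than a denylist, with TERM as the only propagated variable (the exception mentioned above; the fixed PATH and the sample caller environment are this example's own assumptions), the standard file descriptors are checked so a caller cannot make the program open its first file on fd 1 or 2, and the umask is reset. The kernel already strips some context (for instance LD_* variables on a setuid exec); everything this block touches is the part it does not.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

extern char **environ;

/* Allowlist of environment variables the helper keeps from its caller.
 * TERM is the one exception the thread mentions for run0; every other
 * inherited variable is dropped, so nothing needs to be denylisted. */
static const char *const kept_env[] = { "TERM", NULL };

/* Fixed PATH used instead of whatever the caller exported (assumed value). */
static const char *const safe_path = "PATH=/usr/sbin:/usr/bin:/sbin:/bin";

/* Return 1 if a "NAME=value" entry names an allowlisted variable. */
static int env_is_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;                       /* malformed entry: drop it */
    size_t name_len = (size_t)(eq - entry);
    for (const char *const *k = kept_env; *k != NULL; k++)
        if (strlen(*k) == name_len && strncmp(*k, entry, name_len) == 0)
            return 1;
    return 0;
}

/* Build a fresh NULL-terminated envp in `out` (capacity `out_cap`) from the
 * inherited `in`: the fixed PATH first, then only allowlisted entries.
 * Returns the number of entries written, not counting the terminating NULL. */
size_t filter_env(char *const *in, const char **out, size_t out_cap)
{
    size_t n = 0;
    if (out_cap < 2)
        return 0;
    out[n++] = safe_path;
    for (; *in != NULL && n + 1 < out_cap; in++)
        if (env_is_allowed(*in))
            out[n++] = *in;
    out[n] = NULL;
    return n;
}

/* A caller can exec a privileged program with fds 0-2 closed, so that the
 * first file the program opens lands on fd 1 or 2 and its error messages
 * end up inside that file. Re-point any closed standard fd at /dev/null.
 * Returns 0 on success, -1 on failure. */
int ensure_std_fds(void)
{
    for (int fd = 0; fd < 3; fd++) {
        if (fcntl(fd, F_GETFD) != -1)
            continue;                   /* already open */
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd < 0)
            return -1;
        if (nfd != fd) {                /* open() normally fills the hole itself */
            if (dup2(nfd, fd) < 0) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
    }
    return 0;
}

/* Constructed caller environment: one allowlisted variable among several
 * caller-controlled ones that must not reach the privileged program. */
static char *const sample_env[] = {
    "TERM=xterm-256color",
    "PATH=/tmp/caller-controlled",
    "SHELL=/bin/sh",
    "EDITOR=vi",
    NULL
};
static const char *sample_out[8];

/* Run filter_env over the constructed sample; returns the kept count. */
size_t sample_filter_count(void)
{
    return filter_env(sample_env, sample_out, 8);
}

/* Entry i of the most recent sample_filter_count() result. */
const char *sample_filter_entry(size_t i)
{
    return sample_out[i];
}

int main(void)
{
    const char *clean[8];
    if (ensure_std_fds() != 0)
        return 1;
    umask(022);                         /* the inherited umask is context too */
    size_t n = filter_env(environ, clean, 8);
    for (size_t i = 0; i < n; i++)
        printf("%s\n", clean[i]);
    /* A real helper would now execve() the privileged program with `clean`
     * as its envp; this example only prints the sanitised set. */
    return 0;
}
```

      On the constructed sample the filtered environment is exactly two entries, the fixed PATH and TERM; SHELL, EDITOR and the caller's PATH are gone without any of them having been named in a denylist, which is the allowlist-versus-denylist distinction the post draws.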
    Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 30-Apr-2024 21:57:18 JST

      … manual clean-up is just not how security engineering should be done in 2024 anymore.

      With systemd v256 we are going one step towards this. There's a new tool in systemd, called "run0". Or actually, it's not a new tool, it's actually the long existing tool "systemd-run", but when invoked under the "run0" name (via a symlink) it behaves a lot like a sudo clone. But with one key difference: it's *not* in fact SUID. Instead it just asks the service manager to invoke a command or shell under…

    Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 30-Apr-2024 21:57:19 JST

      … allows users to operate at minimum privilege: do most of their work without privileges but temporarily acquire them where needed, all without leaving the shell workflow, integratable with shell scripts, pipelines and so on.

      sudo has serious problems though. It's a relatively large SUID binary, i.e. privileged code that unprivileged users can invoke from their own context. It has a complicating configuration language, loadable plugins (ldap!), hostname matches and so on and so on.

    Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 30-Apr-2024 21:57:19 JST

      This has led various people to revisit the problem and come up with alternatives: most prominently there's probably OpenBSD's sudo replacement called "doas". While it greatly simplifies the tool and removes much of the attack surface, it doesn't change one key thing: it's still a SUID binary.

      I personally think that the biggest problem with sudo is the fact it's a SUID binary though – the big attack surface, the plugins, network access and so on that come after it just make the key problem…

    Lennart Poettering (pid_eins@mastodon.social)'s status on Tuesday, 30-Apr-2024 21:57:20 JST

      5️⃣ Here's the 5th installment of my series of posts highlighting key new features of the upcoming v256 release of systemd.

      I am pretty sure all of you are well aware of the venerable "sudo" tool that has been a key component of most Linux distributions for a long time. At the surface it's a tool that allows an unprivileged user to acquire privileges temporarily, from within their existing login sessions, for just one command, or maybe for a subshell.

      "sudo" is very very useful, as it…

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.