Run0, a systemd based alternative to sudo, announced

Architecture & Purpose of run0

  • run0 is essentially a systemd-run symlink with sudo‑like UX, but no setuid bit.
  • It asks PID 1 (systemd) to start a fresh process under the target UID in a new PTY, then forwards I/O between the user’s TTY and that PTY.
  • Authorization is intended to go through polkit; configuration is via polkit rules rather than sudoers.

Security & Setuid Debate

  • Pro‑run0 view: setuid binaries are inherently dangerous because they run large, complex code as root in an attacker-controlled environment, and are hard to secure as the kernel evolves.
  • The goal is to move privilege changes behind a well-defined IPC boundary handled by a privileged service manager, ideally eliminating setuid binaries over time.
  • Skeptics argue this only shifts, not removes, attack surface—now into systemd, polkit, D‑Bus, and their dependencies.

Comparison to sudo / doas / pkexec

  • Sudo is praised for features: LDAP, rich logging, MAC integration (SELinux/AppArmor), audit hooks, multi-user policies, and relatively simple config syntax.
  • Critics of run0 worry about losing these, or about having to express complex policy in polkit’s JavaScript-based rules.
  • Some prefer simpler tools (doas, sudo-rs) that still use setuid but reduce complexity.

Systemd Scope & Ecosystem Tensions

  • Supporters see run0 as a natural extension: the service manager already starts processes with specific permissions; exposing that via a user tool is logical and reduces duplication.
  • Opponents see it as yet more “tentacles” from PID 1, increasing lock‑in and making Linux less modular and portable.
  • Ongoing culture clash appears: some want stability and minimal change; others welcome aggressive refactoring of legacy Unix subsystems.

XZ/liblzma Backdoor & Blame

  • One faction points to the xz/liblzma backdoor path through libsystemd into sshd as evidence that systemd’s sprawl worsens supply‑chain risk.
  • Others counter that xz was already widely used (kernel, package tools, libxml, etc.), that distros chose to patch OpenSSH to link libsystemd, and that systemd was already moving to lazy‑load xz, which would have blunted the attack.

Compatibility & Behavioral Concerns

  • Questions raised about how run0 handles: environment variables, chroots/containers, job control and signals, logging, and sudo‑style “sudoedit” workflows.
  • There is concern that nontrivial sudo setups (fine-grained user restrictions, complex multi-user policies) and existing scripts may not map cleanly.
  • Many expect sudo to remain necessary for “exotic” or multi-user setups even if run0 becomes common on systemd-based desktops/servers.

Polkit & Policy Complexity

  • Using polkit centralizes policy but drags in a JavaScript interpreter and complex rule language, raising both security and maintainability worries.
  • Others argue that polkit is already deployed widely and is less ad‑hoc than per‑tool config languages.

UX Details (e.g., Terminal Tinting)

  • run0’s default behavior of tinting the terminal background while elevated is divisive: some like the safety cue; others dislike visual side effects and want it off by default.