Run0 integration / replace sudo?

run0 / systemd-run is not a SUID binary and should be more secure than sudo.

The security benefits are compelling at first glance, but, without the removal of sudo and SUID binaries from your computer, just adopting run0 isn’t going to make much of a difference to your security stance. That’s like fitting a better door beside your existing, flawed, door.

The “authenticate every time, all the time” requirements are likely to see some pushback from the user base, even if it is a more secure way to work. Ironically, polkit—the authentication module—uses SUID binaries, and has had its own security issues.

Does it make any sense to integrate run0 the same way sudo is currently integrated in Qubes?

I do think having a confirmation prompt in dom0 for run0 would be a measurable security benefit. (It would hinder exploits that require root access, or at the very least slow an attacker down and make things more difficult.)
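A small audit script, added here as an example and not part of this post or of Qubes, that makes the "remove sudo and the other SUID binaries" point checkable: it lists every setuid file under a tree and tests individual paths, so you can see whether a non-SUID run0 is actually sitting next to setuid sudo and polkit helpers. The file names and directory layout are constructed in a temporary directory so it runs offline; point `list_setuid` at `/usr` on a real system to get the real inventory.

```shell
#!/bin/sh
# Added example, not from the forum post. Inventories setuid files, the
# binaries that would still grant a root path even after switching to run0.
# The demo tree below is constructed; real systems vary in paths.

# Print every regular file under $1 carrying the setuid bit, one per line.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# Return 0 if the named file exists and is setuid, 1 otherwise.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Count setuid files under $1: the number a run0-only setup wants driven to zero.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Build a constructed miniature tree: setuid "sudo" and a setuid polkit helper
# beside a non-setuid "run0", mirroring the situation the post describes.
make_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin" "$dir/usr/lib/polkit-1"
    for f in usr/bin/sudo usr/bin/run0 usr/lib/polkit-1/polkit-agent-helper-1; do
        printf '#!/bin/sh\n' > "$dir/$f"
        chmod 755 "$dir/$f"
    done
    chmod u+s "$dir/usr/bin/sudo" "$dir/usr/lib/polkit-1/polkit-agent-helper-1"
    printf '%s\n' "$dir"
}

# Usage: sh audit_setuid.sh --demo   (or call list_setuid /usr on a real box)
if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_tree)
    echo "setuid files under $root ($(count_setuid "$root") total):"
    list_setuid "$root"
    rm -rf "$root"
fi
```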

