Submitted by emma in technology

the other day i had to reinstall debian on my home server, as it acted strangely even after i took out the bad ram. i wouldn't be surprised if some operating system files had become corrupted. the server was running debian 12, and now it would be running debian 13.

well, this upgrade brought with it a new version of systemd that contains the much discussed run0. this is a replacement for sudo that, instead of having a special filesystem flag that makes the kernel unconditionally execute it as root, has non-privileged processes negotiate with systemd over ipc whether you can have a root shell or not. this eliminates a whole class of theoretical vulnerabilities that might apply to sudo, as that has to run as root before it can even reject access.

(if you didn't understand any of this, the short version is: run0 is sudo 2.)

well, i wanted to give it a shot, so i enthusiastically ran run0 /some/command. it asks for my password. i have to go to my password manager to get it.

a microsecond before i pasted the password in the terminal, the password prompt had timed out and removed itself. i was now staring at my password in plain text in the terminal. had i been quick to hit enter, it would also have worked itself into my shell history. sudo's password prompt, on the other hand, will never time out.

imagine if i were like a streamer showing off my terrible homelabbing skills, and this was a server publicly available on the internet. a hypothetical viewer could have gained access with the password visible on stream, locked me out, and then used my server to mine bitcoin or whatever. doesn't seem too far-fetched to me! but at least they've rooted out a bunch of vulnerabilities that may or may not exist.

i think they've overlooked the forest for the trees here. also i think this is a good lesson about the dangers of changing things that worked fine just to gain some theoretical benefit (in fairness, they aren't the only ones doing that). also, i find my 'run this thing as root' muscle memory is so strong that i would keep prefixing run0 with sudo, so i'd rather run0 have been a drop-in replacement for sudo instead.

so in conclusion, i don't think it's good.

5

Comments

hollyhoppet wrote (edited)

also 'run0' has a higher net distance of typing from home row which is really a concern for comfort imo

4

flabberghaster wrote

Yeah I installed alpine linux on my raspberry pi and it comes with doas instead of sudo, and I noticed that arch has doas available, and doas is the new hotness (i guess it's not that new on BSD but I don't use BSD much). It's smaller, less features and thus less attack surface, so I was like hey, yeah let me install that.

But arch has some hard dependencies on sudo, so you can't remove it (you can but not if you want certain build related packages to be installed)... so that means I would have both sudo and doas, which means i now would have two setuid programs, increasing rather than decreasing any hypothetical attack surface.

I will say there is a very good reason to do the auth daemon approach rather than a setuid root thing and I had to do a lot of work on a project at work due to the security aspects of it. We were shipping all these giant sudoers files that had the whole kitchen sink in them because we had to have some system setup stuff running, and it was a whole thing, so they ended up creating an auth daemon that sends an RPC request to a privileged server to actually execute commands as root; i don't think run0 existed then. Or we didn't know about it anyway. And it was for daemons, not users.

So like, there is a use case for that that's real but yeah there's a lot of people wanting to write everything from scratch and missing out on decades of minor bug fixes for things like you're talking about that have gone into the core utils and such.

3

flabberghaster wrote

Fuckin systemd wants to be the entire userspace though it's ridiculous. I like systemd, it's really good at things but they make everything from a boot loader to a DNS resolver. Knock it off, i don't want to sound like one of those init scripts hardliners being all "this violates the unix philosophy" but come on.

Systemd is trying to be too much and everything they add there's a good reason to add it but when you add it all together and step back and look at it it's like... Come on guys.

3

nitori wrote

Is there no way to disable that password time out behavior in run0? I'm not even sure why they even bothered having that behavior by default lol

Back when I daily-drove Devuan (now I'm back to Windows when I got a new laptop) I just used, IIRC the command parameters correctly, plain ol' su -c -. It's pretty much just a simpler sudo (even more simpler than doas lol), just without the ability to remember my password for a while (which is a bit annoying yea but I have fast fingers and I like typing anyway). Since I'm really the only user of that machine I thought I didn't really need something like sudo

3

emma OP wrote

> Is there no way to disable that password time out behavior in run0?

i don't see an obvious configuration option. maybe it's in the documentation somewhere. i'll just keep on using sudo for now, which i've configured to not require a password anyway.

> I'm not even sure why they even bothered having that behavior by default lol

going to guess this scenario just didn't cross their mind at all. it'd be better if it visually said the session had elapsed, but still required hitting enter to make the prompt go away.

3
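
Added example, not part of the thread and not run0's or systemd's code: a sketch of the prompt behaviour suggested in the comment above, where an expired prompt announces the timeout but keeps terminal echo off and swallows the next line, so a late paste never reaches the screen or the shell. The name `read_secret` and the notice text are assumptions made for illustration.

```python
import os
import select
import sys
import termios


def _read_line(fd):
    """Read bytes up to (not including) the next newline or EOF."""
    buf = bytearray()
    while (ch := os.read(fd, 1)) not in (b"", b"\n"):
        buf += ch
    return bytes(buf)


def read_secret(in_fd, out_fd, timeout):
    """Prompt for a secret; return (secret, expired).

    Hypothetical helper. On timeout the prompt is NOT torn down: echo stays
    off and the next line typed or pasted is read and thrown away.
    """
    tty = os.isatty(in_fd)
    if tty:
        saved = termios.tcgetattr(in_fd)
        quiet = termios.tcgetattr(in_fd)
        quiet[3] &= ~termios.ECHO          # lflags: stop echoing keystrokes
        termios.tcsetattr(in_fd, termios.TCSAFLUSH, quiet)
    try:
        os.write(out_fd, b"Password: ")
        # In canonical mode the fd only becomes readable once Enter is pressed.
        ready, _, _ = select.select([in_fd], [], [], timeout)
        expired = not ready
        if expired:
            os.write(out_fd, b"\n[prompt timed out, press Enter to dismiss]\n")
        line = _read_line(in_fd)           # blocks until Enter, echo still off
        os.write(out_fd, b"\n")
        return (None if expired else line.decode()), expired
    finally:
        if tty:
            # TCSAFLUSH also drops any unread input before echo comes back.
            termios.tcsetattr(in_fd, termios.TCSAFLUSH, saved)


if __name__ == "__main__":
    secret, expired = read_secret(sys.stdin.fileno(), sys.stdout.fileno(), 10)
    print("discarded late input" if expired else f"got {len(secret)} characters")
```
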

twovests wrote

While that is a serious security vulnerability and usability flaw, I do very much like the red tint mentioned. That sounds very cool

2