I will use it. I don’t care what others think. People can use su, sudo, doas, run0 by their choice, and I don’t see why we need a common opinion about it.
If you make users sign in too much, they will just make their passwords short and easy to remember, even 24hrs is too much and people bitch about it all the time, especially since we have password managers enforced, meaning every time they need to Auth they need to Auth into their system, Auth into their password manager, copy the password, auth into their phone, look at the 2FA code and type that in.
Doing this every day just to open email is understandably fucking enraging even to me as a security “”“engineer”“”/analyst/${bullshitblueteamemailreaderjob}
Press it harder and they will use simple passwords that will inevitably be passed through to something external (e.g. cockpit which even I can bruteforce) or reused somewhere at some point, and then someone just has to get lucky once and run whatever run0 sudo su <reverse shell bs here>
to bypass all protections.
I agree with you. If i had to add my password everytime I’d just add my personal account to sudo group.
Good security works with people, not against them.
No.
I might try run0 for fun, but I don’t think it’ll replace sudo any time soon.
The biggest issue I see is run0 purposely not copying any environment variables except for TERM
.
You’d have to specify which editor to use, the current directory, stuff like PATH
and HOME
every time you run a command.
I’m not a fan of the idea at all, but come on, it can’t really be that bad. There’s got to be somewhere you can tell it what environment variables to use. Probably something like run0 systemd-edit /usr/system/systemd/systemrun/run0-environment --system-default=system
Wouldn’t it be better to just use containers then? Nix and Guix has the exact thing - you get to control what variables you want to pass in.
Systemd, not linux
systemd/Linux, or as I’ve recently taken to calling it, systemd plus Linux