SUDO Will be Protest Software

  • Published 29 Apr 2024
  • In the future of the systemd/Linux corporate dystopia: you will be shunned for using sudo instead of run0.

COMMENTS • 41

  • @SteveRowe 26 days ago +21

    When I was a lad, we used su and liked it!

    • @Toleich 26 days ago +5

      I still use su.
      I find the obsession with sudo in the Debian-based distros a little weird.

    • @classicrockonly 25 days ago +1

      We su’d up and down the hill both ways!

    • @dave7244 2 days ago

      @Toleich just easy isn't it

  • @classicrockonly 25 days ago +6

    Info is slightly outdated: Lennart is a Microsoft employee now

    • @RealWaffles 25 days ago +3

      yeah ik, i posted a comment saying he works for microsoft now but because red hat directly contributes to and funds systemd it's still a project they oversee to some extent
      but it is really funny to think of microsoft backdooring linux by pushing run0

    • @classicrockonly 25 days ago

      @RealWaffles missed that comment :) yes, it’s really bizarre. And rather remarkable watching the Linux community shift from hating MS, to gorging themselves with MS software and loving it. At any rate, I’m more content over here in the BSD and Illumos family. But I still do run some Linux stuff

  • @crism8868 21 days ago +4

    I wanna get off Mr. corpo Linux's wild ride

  • @kyu9649 26 days ago +9

    I like the uniformity that comes with systemD. However, I wouldn't be surprised if in the coming years we experience like 100 supply chain attacks via systemD.

    • @edwardcullen1739 26 days ago

      Yep.
      SystemD was a mistake.

    • @kyu9649 26 days ago +1

      @edwardcullen1739 Wouldn't say that. It definitely does some things right. But it does a bit too much I feel like.

    • @Lestibournes 25 days ago

      Smaller attack surface. 😇
      Single point of failure. 😱

    • @kyu9649 25 days ago

      @Lestibournes Yea it is kind of a balancing act, that's hard to get right. You can argue, oh, it should only manage processes/services, that's what an init system is supposed to do. But naturally, things are very interconnected, processes also naturally need logging, networking, encryption related things and so on. So, you have two options: you leave the init system very small and make it only do one thing: init the system. That's good, as in you have small codebase/attack surface and separation of concerns. On the other hand, things tend to be more "duct-taped together", and interoperability between components becomes harder, and less consistent. You don't have uniformity. It's a battle you can't win, no matter how you do it.

    • @edwardcullen1739 25 days ago

      @kyu9649 Yes, it seduces with comprehensiveness, yet it introduces as many problems as it solves.
      Text logging that you can view with simple, existing, well-tested programs, replaced with special-purpose tools, that require developing new skills (and bugs) that were previously unnecessary, for what? What benefit do binary logs provide?
      When anyone serious is exporting them to an external system _anyway._
      This is just one example of the many wrong-headed decisions that permeate the SystemD ecosystem.
      The Linux/Unix way is different from the Windows or Mac way.
      I'm not one of these puritanical fuddy-duddies that says "everything is fine the way it was", because that's clearly wrong... But the way SystemD has gone about it is absolutely the wrong direction - Linux/Unix is attractive because it's _not_ Windows, _not_ Mac, so aping those systems is just not the way forward.
      Learn from them and re-interpret what they do in the Unix way, if their solutions are useful, this is what we should do.

  • @limpa756 27 days ago +8

    wtf happened to doas

    • @tacokoneko 27 days ago +2

      doas is default in openbsd. if you use openbsd it's still there as normal

    • @RealWaffles 27 days ago +7

      still usable on gentoo, too. that's what i use. doas removes a lot of the attack surface of sudo but poettering really doesn't like the SUID binary existing at all

  • @burlak3182 26 days ago +3

    I think the reason behind it is to move from SUID to something more modern. I don't really know the reasoning behind it, but I would guess one of the reasons might be to prepare for getting rid of SUID from linux in future, and utilize stuff that allows better rights management like policykit.

  • @joringedamke5597 13 hours ago

    I'm an average user; I don't look for trouble. Trouble is good at finding me.

  • @23bcx 27 days ago +2

    If containerization worked how distro maintainers wanted it to, we wouldn't even have a sudo alternative. They would just have you run anything you needed to run as root in its own container

  • @dusxmt 12 days ago

    to be fair, sudo is a walking talking security vulnerability

  • @LunaticEdit 26 days ago +1

    Linux would have more than 3% desktop computer market share if people would stop competing over dumb things like this. Is SUDO really the hill we want to die on?

  • @drxym 25 days ago

    Every time systemd comes up in an article the discussion erupts into ludicrous rants about how systemd works. It's bloated (it isn't), you can't log as text (you can), binary logs offer no benefits (they do), it does things for the sake of it (it doesn't), it is less safe than the alternatives (it isn't), that scripts are better (they aren't) and so on. I haven't looked at run0 but I suspect it will be in the same vein. Sudo is basically a PowerOfGod command so I could see how it could be abused and if a more granular command elevates some but not all privileges then this should be seen as a good thing. But as this is systemd reasonableness will fly out of the window. That is not to say that sudo isn't a very useful command and I doubt it will go anywhere, but maybe if a particular command needs particular privileges, then forcing people to execute it with PowerOfGod is not good either.

    • @RealWaffles 25 days ago

      i have good news, it's even worse than i thought it would be.
      the skinny is since it's a wrapper for systemd-run, it ships information between a user PTY and a root command, and runs every root command as a service
      that is kinda exploitable because you are now susceptible to root hijacking via that PTY. services are also on the system slice and can be easily read. this means you can query dbus and get sensitive information like API keys. a tool like reptyr which was used as an exploit tool on unix systems in the 90s can be used on systemd-run. and that's just 1 example.
      so kinda like i thought, it tries to fix 1 problem which was mostly fixed by doas and more issues in the process that were solved 20 years ago

  • @Chris-mr8ef 25 days ago

    Meanwhile i am using doas and i like it. Up until recently i was using systemd as well and i didn't mind it till i discovered some firewall deny logs triggered by a server trying to communicate with openDNS when it shouldn't. Made me wonder, what else is hard-coded in systemd that we don't know about. Now all my servers run freebsd and my arch desktop will either turn to freebsd as well or void/artix.

    • @RealWaffles 24 days ago +1

      i ended up using doas on gentoo and it's been good. i forget what other distro i used recently that had doas. but i noticed it wouldn't ask for password in that terminal session so i guess it's just in how it's configured

    • @jamesyoung151 22 days ago

      @RealWaffles Doas works just fine for my needs.

  • @RealWaffles 27 days ago +4

    oh yeah i forgot poettering works for microsoft now, so i guess you're protesting microsoft too lol

  • @GCoda 25 days ago +1

    bsd got doas

    • @RealWaffles 25 days ago

      some distros like gentoo support it too, it's very nice

    • @classicrockonly 25 days ago

      Only OpenBSD does. The others have the same OpenDoas fork that Linux has

  • @LowLightRecovery 27 days ago +3

    dystopia is sweet

  • @w3w3w3 26 days ago

    I like Sudo

  • @georgewbush152 26 days ago

    app-admin/sudo cels seething at app-admin/doas chads