Canonical switches Ubuntu 25.10 to sudo-rs as the default sudo

2 bundie 2 9/2/2025, 3:18:39 PM neowin.net

Comments (2)

nwah1 · 5h ago
Was there any discussion about why they didn't just go with run0? Since systemd-run and run0 are already present, it doesn't expand the attack surface, and removing sudo entirely would reduce it.

I know that it has some differences, such as that privilege escalation from within containers works differently. But, it is also considered a more secure solution than sudo.

Making systemd (and the suite of software around it) memory-safe seems like a better goal.

I suppose the real answer is that a drop-in memory-safe replacement for an existing package is potentially an incremental improvement.

But, a heavily peer-reviewed and battle-tested package like sudo is also less likely to have bugs than a rewrite.

Did they use formal verification or any other approaches to provide guarantees?

theamk · 4h ago
run0 uses polkit for configuration instead of sudoers files, so using it will mean _a lot_ of changes. It's not a drop-in replacement at all, so it's not really an option.

(The best you can hope for is a massive education campaign to switch from sudo (any version) to run0, followed by removing "sudo" from default packages... but I don't think anyone is interested in this.)