I am very paranoid about security, trying to push the limits. I am curious about nosuid because I think it is very cool that we can prevent files from executing with elevated permissions by setting it (removing a ton of attack surface). The problem is, now when I log in as root, there is literally nothing I can do to give privileges to user1 (root is user0, user1 is Muimi in this case, for example). I think run0 was DESIGNED to do this (*I might be wrong. It may have been designed to prevent slippery slopes when sudo is typed); however, the manual for run0 says run0 is a newer, safer version of sudo! It should allow us to elevate our privileges without the risks that are inherent with suid groupid (I worry about file execution through suid groupid allowing unwanted or arbitrary code to execute: here is the run0 manpage which says "no suid or groupid is used").

But I digress....

If run0 is not an option, is there any other option? Really, the only methods I could find that suggested solutions were by LLMs (and they usually are wrong with these advanced questions). They asked me to set up some fancy javascript stuff in polkit directories, which I tried seeing no harm, and of course it was a waste of time.

Problem behavior:

Launch terminal as user1. Type run0, and it should flash "AUTHENTICATION ERROR"

System info:

Debian 13 latest-LTS; MATE desktop; fresh install (nothing on the system other than what came with the DVD installer offline install); fully updated with apt update; 64 GB RAM, NVIDIA 16 GB VRAM, AMD CPU, Aorus Pro mobo. I am trying to write some FOSS workaround, but I cannot seem to accomplish anything remotely similar to what I am trying to achieve without turning on suid, and I want to avoid that!

Expected behavior:

As root, I want to be able to change some file or permission somewhere that can cause User1 to be allowed to run commands using run0.

  • "They asked me to set up some fancy javascript stuff in polkit directories, which I tried seeing no harm, and of course it was a waste of time." You will have to choose between security-conscious and "trying javascript suggested by LLMs inserted into the security mechanisms of my system"; these options are mutually exclusive. - Commented Dec 7 at 19:43

1 Answer

All that run0 does is kick off polkit authorization to check whether the process authenticated by you typing in a password is allowed to do the specified action, namely executing the specified command as superuser.

So, yes, configuring polkit is what you need to do if you want to change what polkit allows. In the simplest case, the group membership of user1 (to, say, the wheel group on redhatoids, or to the sudo group on some other distros) is enough to allow them to execute anything.

Here's polkit's manual on what polkit is and how to write a rule. You might have done it incorrectly; it works, and you can write pretty arbitrarily fine-grained rules on who can do what (not only in terms of org.freedesktop.policykit.exec) as what user with which arguments and environments.

Ah, and to cite polkit itself, because you really seem to be going down a security-paranoia path instead of a security-conscious and restrictive one:

DON'T use polkit unless you actually have to. In other words, not every single privileged program providing service to unprivileged programs has to use polkit. For example, if you have a small well-written setuid helper to help deal with some implementation-detail of the OS (such as elevating the priority of the sound server process to real-time for console users) it's not really helpful to define a polkit action for this since, realistically, no-one is going to choose to not grant the privilege. Remember, a secure program is often one with little amount of code and few dependencies.

Yes, suid executables are a security risk. But let's be maybe a bit too frank here: your system has a user with superuser privileges that is human, and makes mistakes. Compared to your system's risk due to sudo vs run0 being exploited, I'd emphasize the risk of you running inadvisable commands through them. Especially since you have just caught yourself pasting JavaScript code that you don't seem to have the technological means to debug why it's not working into a root context. From an LLM, no less! These things are very well-known for having been trained on bad practices (and poisoning of even the biggest foundation models has been demonstrated in practice). Ask an LLM what to do when your web server can't deliver something, and they'll tell you, with a very high chance, to "just set SELinux enforcement to off", giving the web server write access to your home directory and so on.

Advice: Before taking an action to improve the security of your system, you need to have a defined threat model, which explains why that action is a net security benefit. Adding complexity, or integrating code generated by an LLM, are very detrimental to the degree to which you can understand your system, and thus are typically not what you do, unless you have a very good reason to. "I've heard that A is generally better than B …" is not a "very good reasoning".
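Added example (not part of the answer above, and not a file shipped by polkit or Debian): a sketch of a polkit rules file that makes members of one group the administrators whose own password satisfies the prompt, and refuses elevation outright for everyone else and for non-local or inactive sessions. The file name, the group `run0admins`, and the assumption that run0 triggers `org.freedesktop.systemd1.manage-units` are illustrative and should be confirmed against the action id polkitd logs on the target system.

```javascript
// Sketch of /etc/polkit-1/rules.d/49-run0-admins.rules (hypothetical file name).
// Kept to ES5 syntax, since polkitd evaluates rules in an embedded JS engine.
var ADMIN_GROUP = "run0admins"; // hypothetical group that root adds user1 to
var GUARDED_ACTIONS = [
  "org.freedesktop.policykit.exec",        // action id named in the answer
  "org.freedesktop.systemd1.manage-units"  // assumption: the action run0 triggers
];

// Stand-in for the global that polkitd provides, so the rule functions can be
// exercised under Node before the file is installed. Unused inside polkitd.
if (typeof polkit === "undefined") {
  var polkit = {
    Result: { NO: "no", NOT_HANDLED: "not_handled" },
    log: function (msg) {},
    addRule: function (fn) {},
    addAdminRule: function (fn) {}
  };
}

// Admin rule: whose credentials satisfy an "authenticate as administrator" prompt.
function adminIdentities(action, subject) {
  return ["unix-group:" + ADMIN_GROUP];
}

// Authorization rule: never answers YES, so a password prompt always remains.
// It only narrows who may reach that prompt for the guarded actions.
function guardElevation(action, subject) {
  if (GUARDED_ACTIONS.indexOf(action.id) === -1) {
    return polkit.Result.NOT_HANDLED; // not an elevation action: no opinion
  }
  if (!subject.isInGroup(ADMIN_GROUP) || !subject.local || !subject.active) {
    polkit.log("refused " + action.id + " for " + subject.user);
    return polkit.Result.NO;
  }
  return polkit.Result.NOT_HANDLED; // fall through to the action's default prompt
}

polkit.addAdminRule(adminIdentities);
polkit.addRule(guardElevation);
```

Because the rule applies to every request for the guarded action ids, it also affects other tools that use them, so the refusal for non-local sessions is a policy choice to weigh against the threat model.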
