systemd 256 introduces run0, a new tool designed as a symbolic link to systemd-run that provides sudo-like functionality without being a SUID binary. Unlike sudo, run0 sends a query to the service manager to execute commands under the user’s UID, allocating a new PTY and transferring data between the original TTY and the newly created PTY.
This modern approach eliminates many security vulnerabilities associated with traditional SUID binaries.
Why run0 is Trending
run0 avoids the use of setuid permissions entirely, addressing the security concerns of SUID processes that inherit execution context from unprivileged code. Authentication takes place via polkit, isolating the authentication prompt from the terminal, and it uses polkit instead of implementing its own configuration language like /etc/sudoers.
Prerequisites
Before configuring run0, ensure you have:
- A Linux distribution with systemd 256 or later
- Root or sudo access (initially, to set up run0)
- Basic understanding of terminal commands
- polkit installed and running
Checking systemd Version
bash
systemctl --version
You should see version 256 or higher. If not, you’ll need to update systemd first.
Step 1: Verify run0 Installation
systemd 256 was released with run0 as one of its prominent new features. Check if run0 is available on your system:
bash
which run0
ls -la /usr/bin/run0
You should see that run0 is a symbolic link to systemd-run:
/usr/bin/run0 -> systemd-run
Step 2: Install and Configure polkit
run0 requires polkit for authentication. Install it if it’s not already present:
For Arch-based Systems
bash
sudo pacman -S polkit
For Debian/Ubuntu Systems
bash
sudo apt install polkit-1
For Fedora/RHEL Systems
bash
sudo dnf install polkit
Installing a Graphical Authentication Agent
polkit requires an authentication agent to make users prove their identity. Install one based on your desktop environment:
For GNOME:
# Already included with GNOME
For KDE Plasma:
# Already included with KDE
For other environments:
bash
# Arch
sudo pacman -S lxqt-policykit
# Debian/Ubuntu
sudo apt install lxqt-policykit
# Fedora
sudo dnf install lxqt-policykit
Ensure the authentication agent starts automatically by adding it to your desktop environment’s autostart configuration.
Step 3: Testing Basic run0 Functionality
Test run0 with a simple command:
bash
run0 whoami
You should be prompted for authentication via polkit. After authenticating, the command should output root.
Visual Feedback
By default, run0 changes the terminal background to a reddish tone when operating with elevated privileges as a reminder. You can customize this:
bash
# Use a different color
run0 --background=blue whoami
# Disable background coloring
run0 --background=switch whoami
Step 4: Understanding polkit Actions for run0
run0 uses the polkit action “org.freedesktop.systemd1.manage-units” for privilege escalation. This action controls whether users can manage systemd units, which run0 leverages for execution.
View the default action policy:
bash
pkaction --action-id org.freedesktop.systemd1.manage-units --verbose
Step 5: Creating polkit Rules for run0
Authorization rules are defined in JavaScript .rules files located in /usr/share/polkit-1/rules.d (for packages) and /etc/polkit-1/rules.d (for local configuration).
Creating a Passwordless Configuration for Wheel Group
To allow members of the wheel group to use run0 without authentication, create a polkit rule:
bash
sudo nano /etc/polkit-1/rules.d/10-run0-nopasswd.rules
Add the following content:
JavaScript
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units") {
if (subject.isInGroup("wheel")) {
return polkit.Result.YES;
}
}
});
Save and exit (Ctrl+O, Enter, Ctrl+X).
Creating a Rule with Password Authentication
For password-based authentication with session persistence:
bash
sudo nano /etc/polkit-1/rules.d/10-run0-auth.rules
Add:
JavaScript
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units") {
if (subject.isInGroup("wheel")) {
return polkit.Result.AUTH_ADMIN_KEEP;
}
}
});
AUTH_ADMIN_KEEP is like auth_admin but keeps the authorization for a brief period (approximately five minutes).
Understanding polkit Rule Priority
Functions are called in the order they have been added, so to add a rule that processes before others, put it in a file that sorts earlier, such as 00-early-checks.rules.
Step 6: Ensure User Group Membership
Add your user to the wheel group if not already a member:
bash
sudo usermod -aG wheel $USER
Verify group membership:
bash
groups
You should see wheel in the output. Log out and log back in for the group change to take effect.
Step 7: Reload polkit Configuration
After creating or modifying polkit rules, reload the polkit daemon:
bash
sudo systemctl restart polkit
Alternatively, you can use:
bash
sudo pkill -HUP polkitd
Step 8: Testing run0 with New Configuration
Test that run0 works with your new polkit rules:
bash
run0 whoami
If you configured passwordless access, it should execute immediately. If you configured AUTH_ADMIN_KEEP, you’ll be prompted once, and subsequent commands within 5 minutes won’t require authentication.
Testing Different Commands
bash
# List root directory
run0 ls /root
# Edit system file
run0 nano /etc/hosts
# Install a package (Arch example)
run0 pacman -Syu
# View system logs
run0 journalctl -xe
Step 9: Advanced Configuration Options
Running Commands as Different Users
bash
# Run as specific user
run0 --user=username command
# Run as specific UID
run0 --uid=1000 command
Setting Environment Variables
bash
# Set environment variable
run0 --setenv=MYVAR=value command
Customizing the Shell Prompt
run0 sets a shell prompt prefix with a superhero emoji by default, which can be overridden with the SYSTEMD_RUN_SHELL_PROMPT_PREFIX environment variable or the –shell-prompt-prefix option:
bash
# Custom prompt prefix
run0 --shell-prompt-prefix="[ADMIN] " bash
# Disable prompt prefix
run0 --shell-prompt-prefix="" bash
Working with PTY Options
bash
# Allocate a pseudo TTY
run0 --pty command
# Start TTY processing after unit startup
run0 --pty-late command
# Pass file descriptors directly
run0 --pipe command
Step 10: Creating Aliases for Convenience
Since run0 is longer to type than sudo, create an alias:
For Bash
Edit ~/.bashrc:
bash
nano ~/.bashrc
Add:
bash
alias sudo='run0'
For Zsh
Edit ~/.zshrc:
bash
nano ~/.zshrc
Add:
bash
alias sudo='run0'
Reload your shell configuration:
bash
source ~/.bashrc # or source ~/.zshrc
Important Note: The command line of run0 is intentionally kept close to sudo’s, so most sudo commands should work with run0.
Step 11: Modifying Existing Scripts
Users report that custom scripts were modified to use run0 and continued to work without issues.
Example script conversion:
Before (using sudo):
bash
#!/bin/bash
sudo systemctl restart nginx
sudo journalctl -u nginx
After (using run0):
bash
#!/bin/bash
run0 systemctl restart nginx
run0 journalctl -u nginx
Step 12: Advanced polkit Rules
Restricting to Specific Commands
Create more granular rules:
bash
sudo nano /etc/polkit-1/rules.d/20-run0-specific.rules
JavaScript
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units") {
// Allow only specific users
if (subject.user == "admin" || subject.user == "deploy") {
return polkit.Result.YES;
}
// Allow only during active sessions
if (subject.isInGroup("operators") && subject.active) {
return polkit.Result.AUTH_ADMIN_KEEP;
}
}
// Deny by default for this action
return polkit.Result.NO;
});
Time-Based Access Control
JavaScript
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units") {
var now = new Date();
var hour = now.getHours();
// Allow only during business hours (9 AM - 5 PM)
if (subject.isInGroup("contractors") && hour >= 9 && hour < 17) {
return polkit.Result.YES;
}
}
});
Step 13: Handling PAM Integration
Any session invoked via run0 will run through the “systemd-run0” PAM stack. Check the PAM configuration:
bash
cat /etc/pam.d/systemd-run0
If you need to customize authentication, edit this file:
bash
sudo nano /etc/pam.d/systemd-run0
Example PAM configuration:
PAM Configuration
#%PAM-1.0
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
session required pam_env.so
Step 14: Troubleshooting Common Issues
Issue 1: “Authentication Required” Loop
Problem: run0 keeps asking for authentication repeatedly.
Solution: Ensure polkit rules are correctly formatted and the service is restarted:
bash
# Check rule syntax
sudo cat /etc/polkit-1/rules.d/*.rules
# Restart polkit
sudo systemctl restart polkit
# Check for errors
sudo journalctl -u polkit -n 50
Issue 2: run0 Not Found
Problem: Command not found error.
Solution: Verify systemd version and create a manual symlink if needed:
bash
systemctl --version
sudo ln -s /usr/bin/systemd-run /usr/bin/run0
Issue 3: Permission Denied Even with Correct Rules
Problem: polkit rules not taking effect.
Solution: Verify user is in the correct group and has logged out/in:
bash
# Check current groups
groups
# Check effective groups
id
# If needed, add to wheel group
sudo usermod -aG wheel $USER
Then log out completely and log back in.
Issue 4: Graphical Authentication Not Appearing
Problem: No password prompt appears.
Solution: Ensure a polkit authentication agent is running:
bash
# Check for running agent
ps aux | grep polkit
# Start appropriate agent
/usr/lib/polkit-gnome/polkit-gnome-authentication-agent-1 &
Step 15: Monitoring and Logging
View run0 activity in system logs:
bash
# View recent run0 executions
sudo journalctl -u "systemd-run@*" -n 50
# Follow run0 activity in real-time
sudo journalctl -u "systemd-run@*" -f
# Check polkit decisions
sudo journalctl -u polkit -f
Step 16: Security Best Practices
1. Limit Passwordless Access
Only grant passwordless access to trusted users and groups:
JavaScript
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units") {
// Very restrictive - only specific user without password
if (subject.user == "admin") {
return polkit.Result.YES;
}
// Others must authenticate
return polkit.Result.AUTH_ADMIN;
}
});
2. Regular Audit of Rules
Periodically review your polkit rules:
bash
sudo ls -la /etc/polkit-1/rules.d/
sudo cat /etc/polkit-1/rules.d/*.rules
3. Use Session-Based Authentication
Prefer AUTH_ADMIN_KEEP over YES to maintain some security:
JavaScript
return polkit.Result.AUTH_ADMIN_KEEP; // Better
// vs
return polkit.Result.YES; // Less secure
4. Monitor Failed Authentication Attempts
bash
sudo journalctl -u polkit | grep -i denied
Step 17: Migrating from sudo Completely
If you want to fully replace sudo with run0:
1. Verify All Scripts Work
Test all administrative scripts with run0:
bash
# Create test directory
mkdir ~/run0-test
# Copy and test scripts
cp /path/to/scripts/* ~/run0-test/
# Modify and test each one
2. Update System Tools
Some tools like makepkg can be configured to use run0 instead of sudo by setting the PACMAN_AUTH environment variable:
bash
export PACMAN_AUTH=/usr/bin/run0
Add to ~/.bashrc or ~/.zshrc for persistence.
3. Backup sudo Configuration
Before removing sudo, backup its configuration:
bash
sudo cp -r /etc/sudoers.d /etc/sudoers.d.backup
sudo cp /etc/sudoers /etc/sudoers.backup
4. Remove sudo (Optional)
Warning: Only do this after thorough testing!
On Arch Linux, base-devel depends on sudo, so removing it requires careful consideration.
bash
# Check what depends on sudo
sudo pacman -Qi sudo
# Remove sudo (be very careful!)
run0 pacman -Rcns sudo
Conclusion
run0 represents systemd’s fresh take on secure privilege escalation, designed to phase out traditional SUID binaries. By following this guide, you’ve successfully configured run0 as a secure sudo replacement with proper polkit integration.
Key Advantages of run0
- No SUID vulnerabilities: Commands execute in isolated environments
- Better isolation: Fresh service forked from PID 1 without inherited context
- Flexible authentication: Leverages polkit’s robust policy framework
- Modern design: Built on systemd’s service management infrastructure
Next Steps
- Monitor system logs for any authentication issues
- Fine-tune polkit rules based on your security requirements
- Update documentation for other administrators
- Consider contributing feedback to the systemd project
Additional Resources
Thank you for visiting our website, TechsBucket. If you liked the article, then share it with others.
