I don’t really think we should go with run0:
- We won’t be able to migrate to run0 until the release of Trixie, at least. run0 was added in systemd 256, Bookworm is using systemd 252.
- It doesn’t appear possible to configure run0 to run commands without requiring a password. That’s a dealbreaker, we have too much stuff that needs to be run as root without a password. (I mean, I guess we could try to migrate everything that needs to run as root passwordless to systemd, but that sounds difficult or potentially impossible.)
- It’s unclear how to configure it at all - it’s configured “by polkit”, but polkit is a generic authorization framework, it doesn’t allow you to specify specific commands and arguments the way sudoers or doas config does. pkexec works by using an “annotation” in polkit whereby you basically tack on extra info to a polkit action so that pkexec knows how to authenticate what, but run0 doesn’t use that. How would one configure certain environment variables to be allowed to pass through while denying others? No idea, it might not even be possible.
- It’s larger than doas. Way larger. run0 (really systemd-run) is 2642 lines long (including newlines and whatnot), and is heavily tied into the systemd codebase, which is about 1.3 million lines of C code. It’s unclear how much of that could be used to exploit run0, but some of it quite possibly can. doas on the other hand is relatively isolated (the only library it uses beyond the C standard library is PAM), and is only 1,850 lines long. Ergo, less attack surface.
There are a few other issues or at least concerns (for instance you can pass through arbitrary environment variables using the --setenv argument; the only reason this isn’t a security vulnerability that I can see is that you can’t configure run0 to run a command without a password), but I don’t think it’s practical or advisable for Kicksecure or Whonix to use run0. I think we’ll be in much better shape if we stick with doas. Thanks to doas’s isolation, we can probably audit it more easily too if we choose to do that.
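To make the comparison above concrete, here is an added doas.conf example (not part of the post, and not Kicksecure's or Whonix's actual configuration) showing the three things the post says are unclear or impossible with run0: passwordless execution restricted to an exact command and argument list, password-gated access for everything else, and an explicit allow-list of environment variables. The user name `user`, the group `wheel` and the `http_proxy` variable are placeholders chosen for illustration.

```conf
# Rules are evaluated top to bottom; the LAST matching rule wins,
# so put the broad, password-protected rule first and the narrow,
# passwordless rules after it.

# Members of group wheel may run anything as root, but must enter a
# password (persist keeps it cached for a few minutes).
permit persist :wheel as root

# Passwordless, but only this exact command with this exact argument.
# "args" pins the argument list: "apt update extra" would not match.
permit nopass user as root cmd /usr/bin/apt args update

# Passwordless and allowed to carry a single environment variable
# across the privilege boundary. doas otherwise resets the
# environment, so nothing else the caller exports reaches root.
permit nopass setenv { http_proxy } user as root cmd /usr/bin/apt args update

# Same command, no arguments at all: "args" with nothing after it
# means the command must be invoked bare.
permit nopass user as root cmd /usr/bin/apt-get args

# Anything not matched by a permit rule is denied by default, so no
# trailing deny rule is needed.
```

The configuration can be checked without executing anything by running `doas -C /etc/doas.conf /usr/bin/apt update` as the user in question, which prints whether the command would be permitted and whether a password would be required.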