Can you please be more specific about your concerns?

My understanding is that `run0 --empower` is essentially
`systemd-run -p AmbientCapabilities=~`. In other words, run0 has gained
a new mode/flag, but the real functionality has long been available to
systemd units, and transient units launched with systemd-run.

Based on reading the linked Mastodon thread, it appears that a primary
concern is that this flag makes this functionality "too easily
accessible." My thoughts are:

(1) run0 is not a sudo drop-in replacement; a user already goes out of their
way to use run0 instead of sudo

(2) --empower is not the default mode of operation; a user has to take the
explicit step of adding the flag to the command line

I think that since the Mastodon thread in question began, Daan has
pushed a commit to try and improve the documentation. If you have
further concerns about the documentation/messaging around this feature,
I would recommend opening an upstream issue.

In any case, if you have further concerns, please raise your concerns
with Ubuntu Security now so that we can discuss those in detail.

** Changed in: systemd (Ubuntu)
Status: New => Incomplete
https://bugs.launchpad.net/bugs/2132177
Title:
Please disable the run0 --empower feature