This is not meant to be a detailed comparison, just a back-of-the-envelope guide explaining why you should or shouldn’t use a particular program in particular circumstances.
sudo
Link to heading
This program is sadly, considered the default on most GNU+Linux
distributions. It is a rather complex beast, despite the fact that it
is, for lack of a better term, the original systemd, an ugly piece
of code that almost everyone hates, but still runs for some reason.
Not to say that systemd is bad, these days it’s perhaps what it was
meant to be all along, but sudo is something that you likely need to
know about, but also something that you should avoid if possible on
your own machines.
Contrary too popular belief, this program is not built-in. It is, in fact, not even installed, unless explicitly specified on newbiew-friendly advanced distributions such as ArchLinux.
So what do you need to know about sudo. Well, it’s an SUID binary.
99% of the codebase is completely inert, in that you don’t actually
use most of it, all you use if for is privelege escalation for the
root user.
Is this a bad thing? Yes. The program, by sheer size is a huge attack surface. If you can avoid it, please do.
One thing I should mention is that sudo comes with sudoedit, which
is a program that would have been nice when editors couldn’t privelege
escalate on their own. Most editos are either used as sudo vim or
can do privelege escalation internally, such as kate and emacs.
sudo -E is an important case where the environment must be
preserved, for example, when you’re doing something that the original
sudo is ill-equipped to do, that is running a graphical application.
The implementation is considered sub-par, to the point, where both KDE
and Gnome had their own replacements, kdesudo and gsudo. Both
deprecated by the way. The consensus, is that if you have the
technical budget to create a graphical program, you surely also have
the technical budget to do privelege escalation properly.
This program is configured via the sudoers file. The trouble with
that file, is that it has an obtuse syntax, and must be edited with a
special program: visudo. Don’t you feel like you’re safe already?
Doas Link to heading
Doas is what sudo should have been. It’s a TUI-only alternative to
sudo, that uses the same mechanism, but by virtue of being much
smaller, and better maintained, seems to have fewer unknown
vulnerabilities.
The entire man page for doas fits into half a screen. Its usage is
small-enough so that people undestand what it actually does.
The configuration file is both straightforward, and can be specified
via the -c flag, which usually means that the user can easily change
it. The greatest improvement that doas offers over sudo is that
it actually explains much of the stuff that is buried deep in the
abstractions.
I found it much easier to try and set up particular rules for
particular programs. If you ask me, just use doas if you have the
ability to do so.
Polkit Link to heading
This is what I use. This program is likely to come pre-installed. It
is what systemd falls back on, if you try to perform an action that
needs root priveleges, but you forgot to use sudo. Its main
advantage is that it lives in the modern day and age. It is a program
that integrates with your desktop environment, and you can make WMs
work just as well. You can make rules in …. ewww… JavaScript.
But other than that, the program is fairly straightforward.
Ideally, it doesn’t require any input. Any operation that must
require privelege escalation, must be performed in an isolated process
and the privelege must be de-escalated as quickly as possible. That
is not something that you can do, while keeping the UX of sudo,
where sudo make has different abilities to just regular make.
One reason I choose to use it as the SUID binary with paru, is
because I often use it to compile emacs-git, and that takes a while.
I often put it in the background and do other stuff. On more than one
occasion, I had to re-run the compilation several times with sudo,
because I missed the time when the terminal prompted me for input.
Sure, I now know that konsole has a way to monitor for silence, but
that is neither here nor there. Add pkexec as a drop-in replacement
for sudo and you’re golden.
As an added bonus, you have the option to do this:
WRAPPER USAGE
To avoid modifying existing software to prefix their command-line invocations with pkexec, it's possible to use pkexec in a she-bang wrapper[1]
like this:
#!/usr/bin/pkexec /usr/bin/python
import os
import sys
print "Hello, I'm running as uid %d"%(os.getuid())
for n in range(len(sys.argv)):
print "arg[%d]=‘%s'"%(n, sys.argv[n])
If this script is installed into /usr/bin/my-pk-test, then the following annotations
[...]
<annotate key="org.freedesktop.policykit.exec.path">/usr/bin/python</annotate>
<annotate key="org.freedesktop.policykit.exec.argv1">/usr/bin/my-pk-test</annotate>
[...]
can be used to select the appropriate polkit action. Be careful to get the latter annotation right, otherwise it will match any pkexec invocation
of /usr/bin/python scripts.
So the user experience can be improved at the source, and packaged up.
For obvious reasons, the rules need to be edited in some way, and the
mornonic choice of using XML is a pain, but the work in making the
system be standard, be reliable, and be supported by multiple
applications is already done. I think that the suckless crowd would
find it far easier to patch in a different file type, rather than try
and implement their own, inferior design.
Systemd run0 Link to heading
This program is quite an interesting beast. I tried to hate it, and
almost managed to do so, but at some point I realised that it is
actually a very good substitute for sudo. It is not an SUID
program, and as a consequence, the security of it, in places where
SUID style privelege escalation would be problematic, and re-writing
programs to use something like polkit would be difficult, run0
finds a nice niche.
I can see myself using run0 and polkit exclusively. But the
program hasn’t been well-tested, so feel free to experiment with it,
but don’t blame me if it breaks. It’s all very early days.