run0

General

run0 can be thought of as an alternative to sudo. It is meant to be a more robust and safer alternative to sudo, and it is implemented as an alternative multi-call invocation of systemd-run. The main differences in how run0 operates compared to sudo are:

  • Hardening: no execution or security context credentials are inherited from the caller by the invoked command. The newly invoked session is an isolated service forked by the service manager.
  • Authentication is performed using polkit, and every newly invoked session has to pass the systemd-run0 PAM stack.
  • The command being executed runs in an independent pseudo-tty with a detached lifecycle and isolation.
  • No SetUID/SetGID file access bit functionality is used for the implementation.

Parameters

| Parameter | Description |
|---|---|
| --background=<ANSI X3.64 SGR background color code> | Sets the background color for the lifetime of the pseudo-tty |
| --chdir="</path/././>" | Defines the working directory; the short form is -D "</path/././>" |
| --description=<description> | Sets the description for the unit; if unset, the command to execute also becomes the description |
| --machine=<ContainerName> | Connects to the specified container and executes the command there |
| --nice=<nice level> | Applies the nice level to the process |
| --property=<PropName=<<PropValue>>> | Applies properties to the service unit |
| --setenv=<NAME<<=Value>>> | Either inherits environment variables from the caller (without specifying =<VALUE>) or overrides the default content (by adding =<VALUE>). To set multiple variables, specify the parameter multiple times. |
| --user=<username> | Switches to the specified user instead of root |
| --unit=<unitname> | Specifies a custom unit name instead of an auto-generated one |

Some of these parameters also have short options, such as -u <username>.

Samples

Set name and description

$ run0 --unit=mynewunit --description="This is a new unit" systemctl status mynewunit.service
● mynewunit.service - This is a new unit
     Loaded: loaded (/run/systemd/transient/mynewunit.service; transient)
  Transient: yes
     Active: active (running) since Fri 2024-11-22 09:40:39 CET; 6ms ago
 Invocation: 6269f049c0a04d1bad358e625fd92b7d
   Main PID: 2237929 (systemctl)
      Tasks: 2 (limit: 17884)
     Memory: 1.5M (peak: 1.6M)
        CPU: 8ms
     CGroup: /user.slice/mynewunit.service
             ├─2237929 /usr/bin/systemctl status mynewunit.service
             └─2237930 less

Nov 22 09:40:39 op-nb-0024 systemd[1]: Starting mynewunit.service - This is a new unit...
Nov 22 09:40:39 op-nb-0024 systemd[1]: Started mynewunit.service - This is a new unit.

Specify environment variable

$ run0 --setenv=SECRET=true bash -c 'export | grep -i secret'
declare -x SECRET="true"

Set background colour

$ run0 --background="41" bash -c 'echo $$'

Read-only file system with ProtectSystem=strict for the unit

$ run0 --property=ProtectSystem=strict bash -c 'echo test > /var/log/logfile'
/usr/bin/bash: line 1: /var/log/logfile: Read-only file system
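
The ProtectSystem=strict sample above blocks every write. The following added example (not part of the original page) combines it with the systemd.exec setting ReadWritePaths= to re-open a single directory, and uses --setenv=NAME without a value to inherit only an allow-list of variables. The names run0_sandboxed and RUN0 are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. run0_sandboxed and RUN0 are
# hypothetical names; ReadWritePaths= is a systemd.exec(5) setting.
RUN0=${RUN0:-run0}   # overridable so the argument list can be inspected

# run0_sandboxed USER RW_PATH "ENV NAMES" COMMAND [ARGS...]
# Runs COMMAND as USER with the file system read-only except RW_PATH and
# inherits only the listed environment variables from the caller.
run0_sandboxed() {
    [ "$#" -ge 4 ] || { echo "usage: run0_sandboxed USER RW_PATH ENV_NAMES CMD..." >&2; return 2; }
    user=$1 rw_path=$2 env_names=$3
    shift 3
    case "$rw_path" in
        /*) ;;
        *) echo "writable path must be absolute: $rw_path" >&2; return 2 ;;
    esac
    # Only identifier characters and separators may appear in the name list.
    case "$env_names" in
        *[!A-Za-z0-9_[:space:]]*) echo "invalid variable list: $env_names" >&2; return 2 ;;
    esac
    set -- -- "$@"                      # end of options, then the command
    for name in $env_names; do
        case "$name" in [0-9]*) echo "invalid variable name: $name" >&2; return 2 ;; esac
        set -- "--setenv=$name" "$@"    # no =VALUE: inherit from the caller
    done
    "$RUN0" "--user=$user" \
        --property=ProtectSystem=strict \
        "--property=ReadWritePaths=$rw_path" \
        "$@"
}
```

Called as `run0_sandboxed root /var/log "LANG TERM" bash -c 'echo test > /var/log/logfile'`, the write from the sample succeeds while the rest of the file system stays read-only.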