The new systemd run0 is supposed to be a good security leap. It uses polkit in the background and works without a setuid binary (as sudo and pkexec are).
It can replace sudo, which means that as a start we could begin by removing setuid from the pkexec and sudo binaries and see what happens.
At a user level we could do
# bash
cat >> ~/.bashrc <<EOF
alias sudo=run0
alias pkexec=run0
EOF
# zsh
cat >> ~/.zshrc <<EOF
alias sudo=run0
alias pkexec=run0
EOF
# fish (accepts the same alias NAME=VALUE form)
cat >> ~/.config/fish/config.fish <<EOF
alias sudo=run0
alias pkexec=run0
EOF
And possibly get things to work that expect sudo (a lot) or pkexec (probably not much).
It would also be possible to remove sudo altogether, but test that in a VM or on a secondary SSD first.
When I removed sudo a while ago, shutdown on KDE was broken. init 0 could be used instead, but I'm not sure how KDE interacts here.
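The "remove setuid and see what happens" step above is easier to do safely with a small check first. The script below is an added example, not code from the thread or from systemd: it reports the setuid state of the sudo and pkexec binaries, confirms that run0 is actually on PATH before anything is removed, and installs the sudo/pkexec aliases idempotently (the plain `cat >>` in the post appends duplicate lines every time it is run). The binary paths /usr/bin/sudo and /usr/bin/pkexec are assumptions for a typical Linux layout; clearing the setuid bit on the real files needs root.

```shell
#!/bin/sh
# Added example (not from the thread). Audit setuid on sudo/pkexec, check that
# run0 exists, and add "alias NAME=run0" lines to shell rc files only once.
# Assumed paths: /usr/bin/sudo, /usr/bin/pkexec (adjust for your distro).
set -u

# Print "setuid", "no-setuid" or "missing" for a path.
# Exit status: 0 = setuid bit set, 1 = not set, 2 = file does not exist.
setuid_state() {
    path=$1
    if [ ! -e "$path" ]; then printf 'missing\n'; return 2; fi
    if [ -u "$path" ]; then printf 'setuid\n'; return 0; fi
    printf 'no-setuid\n'; return 1
}

# Succeed only if run0 is on PATH (it ships with systemd 256 and later).
run0_available() {
    command -v run0 >/dev/null 2>&1
}

# Append "alias NAME=run0" to an rc file unless that exact line is already there.
# bash, zsh and fish all accept the alias NAME=VALUE form.
add_alias() {
    rcfile=$1; name=$2
    line="alias $name=run0"
    [ -f "$rcfile" ] && grep -qxF "$line" "$rcfile" && return 0
    printf '%s\n' "$line" >> "$rcfile"
}

# Clear the setuid bit on a binary (needs root on the real sudo/pkexec).
drop_setuid() {
    chmod u-s "$1"
}

# Read-only overview: what is setuid now, and is run0 there to take over?
audit() {
    for bin in /usr/bin/sudo /usr/bin/pkexec; do
        printf '%s: %s\n' "$bin" "$(setuid_state "$bin")"
    done
    if run0_available; then
        printf 'run0: available\n'
    else
        printf 'run0: missing, do not remove setuid yet\n'
    fi
}

audit
```

Run `audit` first; only when it reports run0 as available does it make sense to call `drop_setuid /usr/bin/sudo` (as root) and add the aliases with `add_alias ~/.bashrc sudo` and so on. The aliases only cover interactive shells; scripts that call sudo by name will still use whatever binary is installed.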
I see many problems with this approach. run0 has a completely different configuration mechanism — polkit instead of the bespoke sudoers files. So anyone who has local rules cannot just replace one by the other without rewriting them. Also, sudo is integrated with various other tools (ldap?) and run0/polkit don’t necessarily have the same support. Also, run0 doesn’t support the same commandline options, so it’s not a drop-in replacement for sudo. Some simple commands work the same, but anything more complicated is going to fail. Finally, run0 is fairly new, while sudo has had decades of development. So while the design of run0 is pretty good, I think it’s too early to say that it’s a “security leap”. I would prefer to wait for more evaluations and testing.
@boredsquirrel, like pkexec, run0 doesn’t invoke (GUI?) software, as the superuser:
…yet sudo and su are able to:
If someone is able to confirm that it's a bug, I'll report it. Regardless, however, it demonstrates that it's not sufficiently reliable for common use cases (yet):