While #NixOS should not be affected by #CopyFail as it uses recent kernels, here are additional fixes you can apply:

Disabling setuid does not mitigate it, but significantly reduces the overall attack surface.

Instead of #sudo, #su, #pkexec and other #setuid binaries you can use #run0 or a dedicated root account.

I have disabled setuid for a bunch of binaries I don't need; they still work when run as root, with run0 or #sudo-rs.

```nix
boot.blacklistedKernelModules = [
  "algif_aead"
];

security.sudo.enable = false;

security.wrappers = {
  su.enable = false;
  pkexec.enable = false;

  # example setuid binary
  chsh = {
    source = "${pkgs.shadow}/bin/chsh";
    setuid = lib.mkForce false;
    owner = "root";
    group = "root";
  };
};
```
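
One way to check the result of the configuration above after a rebuild, as an added example that is not part of the original post: it lists files that still carry a setuid/setgid bit and reports whether `algif_aead` is loaded. The default paths `/run/wrappers/bin` (where NixOS places `security.wrappers`) and `/proc/modules`, and all function names, are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed defaults: wrappers in /run/wrappers/bin, loaded modules in /proc/modules.

# Print every regular file under DIR that still has a setuid or setgid bit.
# Returns 0 if none, 1 if any were found, 2 if DIR is not a directory.
list_privileged() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -H follows DIR itself when it is a symlink to the real wrapper directory.
    found=$(find -H "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Return 0 if MODULE is listed as loaded in a /proc/modules-format file.
module_loaded() {
    module=$1
    modules_file=${2:-/proc/modules}
    # The first field of each line is the module name; later fields list
    # dependants, so only compare against field 1.
    awk -v m="$module" '$1 == m { hit = 1 } END { exit hit ? 0 : 1 }' "$modules_file"
}

# Run both checks; returns 0 only when no privileged wrapper remains
# and algif_aead is not loaded.
audit() {
    wrappers=${1:-/run/wrappers/bin}
    modules_file=${2:-/proc/modules}
    status=0
    if ! list_privileged "$wrappers"; then
        echo "WARN: setuid/setgid check failed for $wrappers" >&2
        status=1
    fi
    if module_loaded algif_aead "$modules_file"; then
        echo "WARN: algif_aead is loaded despite the blacklist" >&2
        status=1
    fi
    return $status
}

# Usage: audit            (system defaults)
#        audit DIR FILE   (explicit wrapper directory and modules file)
```
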

This week's Cockpit release adds a systemd/polkit-based superuser authentication (think `run0`) as a fallback when sudo is not available/broken. It also finally removes the long-deprecated pam_cockpit_cert module.

https://cockpit-project.org/blog/cockpit-355.html

#cockpit #release #run0

Cockpit 355

systemd/polkit based fallback for administrative privileges and pam_cockpit_cert removal

Cockpit Project

Dumb thought (putting it here so that I don't forget :P)

Does run0 allow switching to nobody for non-root users?

Using "sudo su - nobody -s /bin/sh" is kinda a bit annoying :p

#sudo #su #nobody #Linux #run0

Am I missing some #environmentVariable when running #dnf with #run0? It throws a 203 #exitcode at me.

I checked the run0 and dnf #manpage, but found nothing specific :/

Anyway, run0 is still better than #sudo, as I like having #gnome show me the #polkit password dialog, and then I know that at least I will enter that password into the correct application.

#linux #fedora #systemd

Once upon a time, a hundred years ago, when I first started with #Linux, #sudo wasn't really a thing. And then it became one, and some of us rolled our eyes a bit at "sudo su" and the like, but eventually it became quite common.

But between what @pid_eins has been chattering about regarding #run0, and @trifectatech's #sudors, maybe it's time to go back to not having vanilla sudo on the machine again?

https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot

The one thing that makes systemd run0 annoying to use is that it'll ask you every time for the password. With sudo you have this 10 minutes where it won't ask again.

I know the technical reasons, but still this drives me back to sudo.

#systemd #run0 #sudo #Linux

How to Use Run0 in Linux

Run0 is a powerful privilege escalation app similar to sudo and doas. Learn how to use Run0 to run as root and make shells in Linux today.

Make Tech Easier

Is it possible to use run0 as an alternative to sudo?

You can find the answer in our blog post:
https://www.credativ.de/blog/credativ-inside/run0-als-sudo-alternative/

#credativ #NetApp #run0 #sudo #Debian

run0 as a sudo alternative?

first steps with run0 and polkit

credativ®

Discover run0 for Linux, a passwordless command execution tool. Learn its similarities and differences with sudo, security analysis, installation, and usage for daily tasks and automation.

https://linuxexpert.org/understanding-run0/

#Linux #LinuxTools #run0 #sudo #SystemAdministration #LinuxCommands #LinuxTips #RootAccess #PasswordlessCommands #Automation #Security #LinuxTutorial #TechTips #AdminTools #ITSecurity #OpenSource #LinuxLearning #DevOps #SysAdmin #LinuxCommunity

Just updated #paru to use #run0 instead of sudo on #ArchLinux. Easy peasy. 👍
https://chaos.social/@frederic/112847141891035302
Frederic (@[email protected])

@[email protected] Just tried it, seems to work for me. Make sure `polkit` is installed, edit `/etc/paru.conf` and set `Sudo = /usr/bin/run0`.

chaos.social