systemd 256 has already been released and arrives with run0

systemd 256 introduces run0

After six months of development, the new version of systemd, "systemd 256", has been released. It features a large number of significant changes, including the introduction of several new tools and concepts.

Among the new features that stand out in this version is the long-awaited introduction of run0, a tool that aims to replace the sudo command. It builds on systemd-run to provide a more secure way of running processes under another user's identity. Instead of relying on a SUID binary, run0 creates a new pseudoterminal and runs the privileged process in an isolated context spawned by PID 1, so it does not inherit the properties of the invoking user's environment. Polkit is used to authorize the request and determine what the user is allowed to do.

Another change in systemd 256 is the new "ProtectSystem" setting added to the system manager, which controls the read-only mounting of parts of the file system at the level of the whole system rather than for individual units only. By default, this option is enabled in the initrd to prevent writes to the /usr directory during startup.

For units, new settings have been introduced: WantsMountsFor=, which declares partition mounts as an optional dependency, and MemoryZSwapWriteback=, which controls the Memory.zswap.write parameter introduced in Linux kernel 6.8. The .mount and .swap units now also accept fstab-style identifiers.
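The two paragraphs above describe a system-wide setting and two per-unit settings. The following unit-file fragments are an added illustration written for this article, not configuration taken from the systemd project; the file names, the [Manager] section for ProtectSystem= in system.conf, the service name, the mount path and the ExecStart= binary are all assumptions made here for the example:

```ini
# Added example (not from the article or the systemd project).
# Assumed file: /etc/systemd/system.conf
[Manager]
# systemd 256: mount /usr read-only for the whole system instead of
# configuring ProtectSystem= separately in every unit. The article
# notes that in the initrd this is already the default.
ProtectSystem=yes

# Assumed file: /etc/systemd/system/example-backup.service
[Unit]
Description=Example backup job (constructed for illustration)
# systemd 256: pull in the mount unit for /srv/backup if one exists,
# but do not fail the job when the mount cannot be established
# (a Wants= style dependency, as opposed to RequiresMountsFor=).
WantsMountsFor=/srv/backup

[Service]
# Hypothetical binary; replace with the real job.
ExecStart=/usr/local/bin/example-backup
# systemd 256: keep this unit's compressed pages in zswap and forbid
# writeback to the swap device (requires Linux 6.8 or newer).
MemoryZSwapWriteback=no
```

After editing, `systemctl daemon-reload` picks up the unit, and `systemctl show example-backup.service -p MemoryZSwapWriteback` confirms the parsed value; on a kernel older than 6.8 the setting is accepted but has no effect.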

In addition, the /dev directory now allows symbolic links that combine path and label information. This makes it possible to address identical partitions on different storage devices, for example after cloning the contents of one disk to another device.

systemd-networkd also implements the IPv6RetransmissionTimeSec and UseRetransmissionTime settings to control the retransmission time of the Neighbor Solicitation (NS) messages used to discover neighboring IPv6 hosts. Support has been added for obtaining WireGuard VPN keys from the credentials database. The ReceiverPacketSteeringCPUMask parameter has been added to .link files to pin incoming packet handling to specific CPUs.

Other notable changes in this version:

  • The MaxConnectionsPerSource= setting has been added to .socket units that use Accept=yes, allowing a limit on the number of simultaneous connections from a single IP address or, for UNIX sockets, from a single UID.
  • The systemd-bsod process, which implements the equivalent of the "blue screen of death", now includes the --tty option to select the terminal on which a full-screen notification is displayed in case of critical errors (LOG_EMERG).
  • In addition to /etc, several systemd components now also look for their main configuration file in the /usr/lib, /usr/local/lib and /run directories.
  • The importctl utility has been added to download, import and export disk images through the systemd-importd service.
  • systemd can now be built from source with all legacy features of OpenSSL 3.0 disabled.
  • The vpick protocol has been implemented, allowing versioned access to resources such as disk images from specific directories.
  • Unprivileged users can now access encrypted service credentials. To support this, the --user and --uid options have been added to the systemd-creds utility, allowing credentials to be encrypted and decrypted for specific users.
  • The systemd-udev-load-credentials.service unit has been added to load udev rules from the credentials database.
  • Further additions include support for keys obtained through userdbctl, a unit generator for socket-activating sshd on specific sockets, and a systemd-ssh-proxy utility to connect over AF_VSOCK and AF_UNIX sockets.
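The first bullet above, the per-source connection cap, is the one with the most direct defensive value: it bounds how many handler instances a single remote address or local UID can force a socket-activated service to spawn. The following pair of units is an added example written for this article, not configuration from the systemd project; the socket name, port, template service and handler command are assumptions made here, and the echo handler (`cat` reading from the socket) is only a stand-in for a real per-connection service:

```ini
# Added example (not from the article or the systemd project).
# Assumed file: /etc/systemd/system/example-echo.socket
[Unit]
Description=Example per-connection echo socket (constructed for illustration)

[Socket]
ListenStream=0.0.0.0:7007
# Accept=yes: systemd accepts each connection and starts one instance
# of the template service below per connection.
Accept=yes
# Pre-existing setting: total simultaneous connections across all sources.
MaxConnections=64
# systemd 256: at most four simultaneous connections from one IP address
# (or, for AF_UNIX sockets, from one UID). Further connections from that
# source are refused instead of spawning more handler instances.
MaxConnectionsPerSource=4

[Install]
WantedBy=sockets.target

# Assumed file: /etc/systemd/system/example-echo@.service
# Instantiated once per accepted connection; %i carries the connection id.
[Unit]
Description=Example echo handler for connection %i (constructed for illustration)

[Service]
# Stand-in handler: echo the client's input back to it.
ExecStart=/bin/cat
StandardInput=socket
# Run each instance as a transient, unprivileged user.
DynamicUser=yes
```

Enable with `systemctl enable --now example-echo.socket`; `systemctl status example-echo.socket` then reports the accepted connection count, and a fifth concurrent connection from the same client address is rejected while the first four remain open.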

Finally, if you are interested in learning more about it, you can check the details at the following link.

Regarding the availability of systemd 256 for your distribution: at the time of writing, it has not yet reached the repositories of the main Linux distributions. It is only a matter of time before the new version starts rolling out.
