
run0 vs capsudo?

Posted Dec 14, 2025 22:45 UTC (Sun) by nickodell (subscriber, #125165)
In reply to: run0 by mb
Parent article: Conill: Rethinking sudo with object capabilities

One similarity between capsudo and run0 is that rather than using a setuid binary, both run0 and capsudo have a daemon process. Rather than invoking a setuid binary and gaining additional privileges, the process makes an RPC call to the privileged daemon asking it to run the command.

Where they differ is in two things:
1) How many daemon processes may run?
2) How is a user allowed or disallowed to run a command?

1) IIUC, systemd runs a single run0 process, as root, and all authorization decisions are made inside this process. In contrast, capsudo runs as many processes as there are delegated permissions. Each capsudo process may run at a different privilege level.

2) systemd uses polkit to determine whether a user is allowed to run a command. In contrast, capsudo allows a user to specify the command when creating the capability object. Which users are permitted to use the object is determined by standard Linux permissions on the unix socket used to perform RPC.

So, they share some attributes, but I would say that run0 is more similar to sudo than capsudo is similar to sudo.
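
A minimal sketch of the socket-as-capability model described in the comment above, added here as an illustration; it is not capsudo's code or wire protocol, and the names `serve_capability`, `invoke` and `demo` are hypothetical. The command is fixed when the socket is created, and who may trigger it is decided only by the mode bits on the socket file.

```python
import os, socket, stat, subprocess, sys, tempfile, threading

def serve_capability(sock_path, argv, mode=0o600, max_requests=1):
    """Bind a socket that stands for 'permission to run argv' and serve it."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)      # create the socket 0600: never briefly wider
    try:
        srv.bind(sock_path)
    finally:
        os.umask(old_umask)
    os.chmod(sock_path, mode)        # widen to e.g. 0o660 plus a group to delegate
    srv.listen(1)

    def loop():
        for _ in range(max_requests):
            conn, _addr = srv.accept()
            with conn:
                while conn.recv(4096):   # drain and discard: the client cannot
                    pass                 # choose the command, only trigger it
                conn.sendall(subprocess.run(argv, capture_output=True).stdout)
        srv.close()

    worker = threading.Thread(target=loop, daemon=True)
    worker.start()
    return worker

def invoke(sock_path, request=b""):
    """Client side: on Linux, connecting needs write permission on the socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(sock_path)
        c.sendall(request)
        c.shutdown(socket.SHUT_WR)
        chunks = []
        while data := c.recv(4096):
            chunks.append(data)
    return b"".join(chunks)

def demo():
    # Constructed example: a harmless command stands in for the privileged one.
    fixed = [sys.executable, "-c", "print('fixed command ran')"]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cap.sock")
        worker = serve_capability(path, fixed)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        out = invoke(path, b"sh -c id")   # attempt to pick another command
        worker.join()
    return mode, out

if __name__ == "__main__":
    print(demo())
```

In this sketch the daemon runs with the caller's own privileges; in the model the comment describes, each such process would run at whatever privilege level its capability delegates.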



run0 vs capsudo?

Posted Dec 15, 2025 4:59 UTC (Mon) by NYKevin (subscriber, #129325) [Link]

The thing about run0, however, is that it's little more than a thin bit of glue code between systemd and polkit. It is highly opinionated and relatively inflexible, not because of any technical limitation, but because systemctl (and the rest of systemd) already exists and supports all the flexibility in the world.

Put another way: Comparing capsudo to run0 is more than a little unfair, because run0 is the tip of the iceberg that is systemd.

