
Testing polkit and removing one SUID at a time.

Primary language: Shell. License: Apache-2.0

NoSU - an Ubuntu system without sudo binaries and fewer SUID/SGID files

NoSU is an Ubuntu system that has been stripped of all sudo binaries and that removes as many SUID/SGID file permissions as possible.

The system is based on Ubuntu 24.04, and uses run0 and polkit rules instead.

Note: This is a concept project, work in progress and not intended for production use.

Requirements

run0 (shipped with systemd v256 and later)

See this thread from @poettering and the systemd changelog for more information.

Setup

  • Start the VM: vagrant up.

  • SSH into the VM: vagrant ssh.

  • Add a deb-src entry to /etc/apt/sources.list.d/ubuntu.sources so the systemd source package can be fetched: sudo sed -i 's/Types: deb.*/Types: deb deb-src/' /etc/apt/sources.list.d/ubuntu.sources

  • Build systemd v256 if it is not already installed (Ubuntu 24.04 ships systemd 255, which predates run0): bash /vagrant/scripts/build_systemd.sh.

  • Create an initial privileged polkit rule: sudo bash /vagrant/scripts/privileged_polkit_rule.sh.

    This script creates the wheel group and adds the vagrant user to it. The polkit rule allows members of the wheel group (here, vagrant) to run any command through run0 without authentication.

  • Exit and reboot the VM: vagrant reload

  • After the reboot, SSH into the VM again and verify that the system is running systemd v256 or later: systemd --version

  • Remove sudo and its related packages, and set apt preferences so that sudo cannot be installed again: run0 bash /vagrant/scripts/remove_sudo.sh. Afterwards, sudo is only a symlink to run0.
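As an added example (not the project's own privileged_polkit_rule.sh or remove_sudo.sh), the shell functions below render the two files the setup steps rely on, a polkit rule for the wheel group and an apt pin against sudo, and audit the SUID/SGID files that remain, which is the number NoSU tries to drive down. The polkit action ID (org.freedesktop.systemd1.manage-units, what run0 is checked against because it starts a transient unit through systemd's D-Bus API) and the pinned package names are assumptions about what the project's scripts do; confirm the action on the target with pkaction before relying on it.

```bash
#!/usr/bin/env bash
# Added example for this README (not the project's own scripts): render the
# polkit rule and apt pin the setup steps describe, and audit SUID/SGID files.
set -euo pipefail

# polkit rule letting members of GROUP run any command through run0 without
# authenticating. run0 starts a transient service via systemd's D-Bus API,
# which polkit checks as org.freedesktop.systemd1.manage-units (ASSUMPTION:
# confirm with `pkaction -v -a org.freedesktop.systemd1.manage-units`).
# Granting it without auth is equivalent to passwordless sudo for that group.
render_polkit_rule() {
    local group="${1:-wheel}"
    cat <<EOF
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.systemd1.manage-units" &&
        subject.isInGroup("${group}")) {
        return polkit.Result.YES;
    }
});
EOF
}

# apt pin that makes sudo uninstallable: a negative Pin-Priority means apt
# never selects the package, even when a playbook or a user asks for it.
# Package list is an ASSUMPTION; extend it if other sudo flavours are present.
render_apt_pin() {
    cat <<'EOF'
Package: sudo sudo-ldap
Pin: release *
Pin-Priority: -1
EOF
}

# List regular files under ROOT with the setuid or setgid bit set, as
# "<octal mode> <path>", sorted by path. -xdev keeps find on one filesystem
# (skips /proc, /sys, container mounts); unreadable directories are ignored.
audit_suid() {
    local root="${1:-/}"
    { find "$root" -xdev -type f -perm /6000 -printf '%m %p\n' 2>/dev/null || true; } | sort -k2
}

# Number of SUID/SGID files under ROOT.
count_suid() {
    audit_suid "$1" | grep -c . || true
}

# Install the rendered files (run as root, e.g. via run0). polkit reloads
# *.rules from /etc/polkit-1/rules.d on its own; apt reads preferences.d on
# every run, so neither needs a restart.
install_nosu_files() {
    local group="${1:-wheel}"
    getent group "$group" >/dev/null || groupadd "$group"
    render_polkit_rule "$group" > "/etc/polkit-1/rules.d/10-nosu-${group}.rules"
    render_apt_pin > /etc/apt/preferences.d/nosu-no-sudo
}

# Usage: nosu_tools.sh audit [ROOT]   (run before and after remove_sudo.sh
# and compare the two lists to see what hardening actually removed)
if [ "${1:-}" = "audit" ]; then
    audit_suid "${2:-/}"
    echo "total: $(count_suid "${2:-/}")"
fi
```

Run the audit once before and once after the sudo removal and diff the two listings; anything left in the second one (ping, passwd, newgrp, the setgid helpers) is the remaining attack surface that the polkit-based model still has to justify.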

Usage: Using run0 as a become_method in Ansible

  • Install Ansible:

    run0 apt-get install --assume-yes python3-pip python3-venv
    python3 -m venv ansible
    source ansible/bin/activate
    python3 -m pip install ansible
  • The run0 become plugin is used as the become_method in the example playbook: become_method: community.general.run0

    As a test, we run a playbook that starts a web server as a Podman quadlet after the system has been additionally hardened.

    ansible-galaxy install --force -r /vagrant/ansible/requirements.yml
    ansible-playbook -v -i '127.0.0.1,' -c local --skip-tags sudo /vagrant/ansible/playbook.yml

    Verify that the web server is running:

    run0 --user=container-nginx systemctl --user status nginx
    curl -s http://localhost:8080
    run0 --user=container-nginx podman logs nginx

    Reboot the VM and repeat the same checks to verify that the web server comes back after the reboot, and watch the journal (journalctl -f) for any issues.