run0 — Elevate privileges
run0 [OPTIONS...] [COMMAND...]
run0 may be used to temporarily and interactively acquire elevated or different privileges. It serves a similar purpose as sudo(8), but operates differently in a couple of key areas:
No execution or security context credentials are inherited from the caller into the invoked commands, as they are invoked from a fresh, isolated service forked off by the service manager.
Authentication takes place via polkit, thus isolating the authentication prompt from the terminal (if possible).
An independent pseudo-tty is allocated for the invoked command, detaching its lifecycle and isolating it for security.
No SetUID/SetGID file access bit functionality is used for the implementation.
Altogether this should provide a safer and more robust alternative to the sudo
mechanism, in particular in OS environments where SetUID/SetGID support is not available (for example by
setting the NoNewPrivileges= variable in
systemd-system.conf(5)).
Any session invoked via run0 will run through the
"systemd-run0" PAM stack.
Note that run0 is implemented as an alternative multi-call invocation of systemd-run(1). That is, run0 is a symbolic link to systemd-run executable file, and it behaves as run0 if it is invoked through the symbolic link, otherwise behaves as systemd-run.
The following options are understood:
--unit=¶Use this unit name instead of an automatically generated one.
--property=¶Sets a property of the service unit that is created. This option takes an assignment in the same format as systemctl(1)'s set-property command.
--description=¶Provide a description for the service unit that is invoked. If not specified,
the command itself will be used as a description. See Description= in
systemd.unit(5).
--slice=¶Make the new .service unit part of the specified slice, instead
of user.slice.
--slice-inherit¶Make the new .service unit part of the slice the
run0 itself has been invoked in. This option may be combined with
--slice=, in which case the slice specified via --slice= is placed
within the slice the run0 command is invoked in.
Example: consider run0 being invoked in the slice
foo.slice, and the --slice= argument is
bar. The unit will then be placed under
foo-bar.slice.
--user=, -u, --group=, -g¶Switches to the specified user/group instead of root.
--nice=¶Runs the invoked session with the specified nice level.
--chdir=, -D¶Runs the invoked session with the specified working directory. If not specified defaults to the client's current working directory if switching to the root user, or the target user's home directory otherwise.
--setenv=NAME[=VALUE]¶Runs the invoked session with the specified environment variable set. This parameter
may be used more than once to set multiple variables. When "=" and
VALUE are omitted, the value of the variable with the same name in the
invoking environment will be used.
--background=COLOR¶Change the terminal background color to the specified ANSI color as long as the
session lasts. If not specified, the background will be tinted in a reddish tone when operating as
root, and in a yellowish tone when operating under another UID, as reminder of the changed
privileges. The color specified should be an ANSI X3.64 SGR background color, i.e. strings such as
"40", "41", …, "47", "48;2;…",
"48;5;…". See ANSI
Escape Code (Wikipedia) for details. Set to an empty string to disable.
Example: "--background=44" for a blue background.
--pty, --pipe¶Request allocation of a pseudo TTY for the run0 session (in case
of --pty), or request passing the caller's STDIO file descriptors directly through
(in case of --pipe). If neither switch is specified, or if both switches are
specified, the mode will be picked automatically: if standard input, standard output and standard
error output are all connected to a TTY then a pseudo TTY is allocated, otherwise the relevant file
descriptors are passed through directly.
--shell-prompt-prefix=STRING¶Set a shell prompt prefix string. This ultimately controls the
$SHELL_PROMPT_PREFIX environment variable for the invoked program, which is
typically imported into the shell prompt. By default – if emojis are supported –, a superhero emoji is
shown (🦸). This default may also be changed (or turned off) by passing the
$SYSTEMD_RUN_SHELL_PROMPT_PREFIX environment variable to run0,
see below. Set to an empty string to disable shell prompt prefixing.
--machine=¶Execute operation in a local container. Specify a container name to connect to.
--no-ask-password¶Do not query the user for authentication for privileged operations.
-h, --help¶--version¶All command line arguments after the first non-option argument become part of the command line of
the launched process. If no command line is specified an interactive shell is invoked. The shell to
invoke may be controlled via --setenv=SHELL=… and currently defaults to the
originating user's shell (i.e. not the target user's!) if operating locally, or
/bin/sh when operating with --machine=.
On success, 0 is returned. If run0 failed to start the session or the specified command fails, a non-zero return value will be returned.
As with systemd-run, the session will inherit the system environment from the service manager. In addition, the following environment variables will be set:
$TERM¶Copied from the $TERM of the caller. Can be overridden with
--setenv=
$SUDO_USER¶Set to the username of the originating user.
$SUDO_UID¶Set to the numeric UNIX user id of the originating user.
$SUDO_GID¶Set to the primary numeric UNIX group id of the originating session.
$SHELL_PROMPT_PREFIX¶By default, set to the superhero emoji (if supported), but may be overridden with the
$SYSTEMD_RUN_SHELL_PROMPT_PREFIX environment variable (see below), or the
--shell-prompt-prefix= switch (see above).
The following variables may be passed to run0:
$SYSTEMD_RUN_SHELL_PROMPT_PREFIX¶If set, overrides the default shell prompt prefix that run0 sets for the invoked shell (the superhero emoji). Set to an empty string to disable shell prompt prefixing.