website/blog/systemd_insecurity.html

<!DOCTYPE html>

<!-- Inferencium - Website - Blog - #1 -->

<!-- Copyright 2022 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause -->

<!-- Version: 4.1.0.18 -->


<html>
<head>
		<title>Inferencium - Blog - systemd Insecurity</title>
		<link rel="stylesheet" href="../inf.css">
		<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<!-- Navigation bar. -->
<div class="sidebar">
		<img src="../asset/img/logo-inferencium-no_text.png"
		width="110px" height="110px">
		<a class="title">Inferencium</a><br>
		<br>
		<br>
		<div><a href="../about.html">About</a></div>
		<div><a href="../contact.html">Contact</a></div>
		<div><a href="../blog.html">Blog</a></div>
		<div><a href="../source.html">Source</a></div>
		<div><a href="../key.html">Key</a></div>
</div>
<body>
		<h1>Blog - #1</h1>
		<h2>systemd Insecurity</h2>
		<p class="update_date">Posted: 2022-01-29 (UTC+00:00)</p>
		<p class="update_date">Updated: 2022-11-14 (UTC+00:00)</p>
		<!-- Table of contents. -->
		<h2 id="toc"><a href="#toc" class="h2"
		>Table of Contents<a/></h2>
		<ul>
				<li><a href="#issue0" class="body-link"
				>Issue #0 - Against CVE Assignment</a></li>
				<li><a href="#issue1" class="body-link"
				>Issue #1 - CVEs Are Not Useful</a></li>
				<li><a href="#issue2" class="body-link"
				>Issue #2 - Security is a Circus</a></li>
				<li><a href="#issue3" class="body-link"
				>Issue #3 - Blaming the User</a></li>
		</ul>
		<p>Anyone who cares about security may want to switch from systemd as soon as possible; its lead
		developer doesn't care about your security at all.</p>
		<h2 id="issue0"><a href="#issue0" class="h2"
		>Issue #0 - Against CVE Assignment</a></h2>
		<br>
		<blockquote>"You don't assign CVEs to every single random bugfix we do, do you?"</blockquote>
		<p>- Lennart Poettering, systemd lead developer</p>
		<p>My thoughts:<br>
		Yes, if they're security-related.</p>
		<p>Source:<br>
		<a class="body-link" href="https://github.com/systemd/systemd/pull/5998#issuecomment-303782334"
		>systemd GitHub Issue 5998</a></p>
		<h2 id="issue1"><a href="#issue1" class="h2"
		>Issue #1 - CVEs Are Not Useful</a></h2>
		<blockquote>"Humpf, I am not convinced this is the right way to announce this. We never did that, and half the
		CVEs aren't useful anyway, hence I am not sure we should start with that now, because it is either
		inherently incomplete or blesses the nonsensical part of the CVE circus which we really shouldn't
		bless..."</blockquote>
		<p>- Lennart Poettering, systemd lead developer</p>
		<p>My thoughts:<br>
		CVEs are supposed to be for security, and a log of when they were found and their severity, so yes,
		it *is* the correct way to announce it. It seems as if over 95 security-concious people think the
		same.</p>
		<p>Source:<br>
		<a class="body-link" href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869"
		>systemd GitHub Issue 6225</a></p>
		<h2 id="issue2"><a href="#issue2" class="h2">
		Issue #2 - Security is a Circus</a></h2>
		<blockquote>"I am not sure I buy enough into the security circus to do that though for any minor
		issue..."</blockquote>
		<p>- Lennart Poettering, systemd lead developer</p>
		<p>Source:<br>
		<a class="body-link" href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654"
		>systemd GitHub Issue 5144</a></p>
		<h2 id="issue3"><a href="#issue3" class="h2"
		>Issue #3 - Blaming the User</a></h2>
		<blockquote>"Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create
		it in the first place. Note that not permitting numeric first characters is done on purpose: to
		avoid ambiguities between numeric UID and textual user names.
		<br>
		systemd will validate all configuration data you drop at it, making it hard to generate invalid
		configuration. Hence, yes, it's a feature that we don't permit invalid user names, and I'd consider
		it a limitation of xinetd that it doesn't refuse an invalid username.<br>
		<br>
		So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but
		still: the username is clearly not valid."</blockquote>
		<p>- Lennart Poettering, systemd lead developer</p>
		<p>My thoughts:<br>
		systemd was the thing that allowed root access just because a username started with a number, then
		Poettering blamed the user.</p>
		<p>Source:<br>
		<a class="body-link" href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864"
		>systemd GitHub Issue 6237</a></p>
</body>
</html>
Update filenames to new file naming system. 2022-12-20 02:19:21 +00:00			`<!DOCTYPE html>`

			`<!-- Inferencium - Website - Blog - #1 -->`

Switch license from BSD-3-Clause-Clear to OSI-approved BSD-3-Clause. 2023-05-19 06:04:03 +01:00			`<!-- Copyright 2022 Jake Winters -->`
			`<!-- SPDX-License-Identifier: BSD-3-Clause -->`
Update filenames to new file naming system. 2022-12-20 02:19:21 +00:00
Remove unnecessary HTML line breaks. 2023-06-22 21:15:02 +01:00			`<!-- Version: 4.1.0.18 -->`
Update filenames to new file naming system. 2022-12-20 02:19:21 +00:00

			`<html>`
			`<head>`
			`<title>Inferencium - Blog - systemd Insecurity</title>`
			`<link rel="stylesheet" href="../inf.css">`
Add responsive view for better cross-device support. 2022-12-20 04:53:45 +00:00			`<meta name="viewport" content="width=device-width, initial-scale=1">`
Update filenames to new file naming system. 2022-12-20 02:19:21 +00:00			`</head>`
			`<!-- Navigation bar. -->`
			`<div class="sidebar">`
Update image link to new asset directory. 2022-12-26 07:40:16 +00:00			`<img src="../asset/img/logo-inferencium-no_text.png"`
Update filenames to new file naming system. 2022-12-20 02:19:21 +00:00			`width="110px" height="110px">`
			`<a class="title">Inferencium</a><br>`
			`<br>`
			`<br>`
			`<div><a href="../about.html">About</a></div>`
			`<div><a href="../contact.html">Contact</a></div>`
			`<div><a href="../blog.html">Blog</a></div>`
			`<div><a href="../source.html">Source</a></div>`
Add Key page link. 2023-01-13 22:01:33 +00:00			`<div><a href="../key.html">Key</a></div>`
Update filenames to new file naming system. 2022-12-20 02:19:21 +00:00			`</div>`
			`<body>`
Improve spacing between webpage title and first section of webpage. 2023-03-13 14:32:41 +00:00			`<h1>Blog - #1</h1>`
Add table of contents. Indent code to match coding style. 2023-03-13 14:47:54 +00:00			`<h2>systemd Insecurity</h2>`
			`<p class="update_date">Posted: 2022-01-29 (UTC+00:00)</p>`
			`<p class="update_date">Updated: 2022-11-14 (UTC+00:00)</p>`
			`<!-- Table of contents. -->`
			`<h2 id="toc"><a href="#toc" class="h2"`
			`>Table of Contents<a/></h2>`
			`<ul>`
			`<li><a href="#issue0" class="body-link"`
			`>Issue #0 - Against CVE Assignment</a></li>`
			`<li><a href="#issue1" class="body-link"`
			`>Issue #1 - CVEs Are Not Useful</a></li>`
			`<li><a href="#issue2" class="body-link"`
			`>Issue #2 - Security is a Circus</a></li>`
			`<li><a href="#issue3" class="body-link"`
			`>Issue #3 - Blaming the User</a></li>`
			`</ul>`
			`<p>Anyone who cares about security may want to switch from systemd as soon as possible; its lead`
			`developer doesn't care about your security at all.</p>`
			`<h2 id="issue0"><a href="#issue0" class="h2"`
			`>Issue #0 - Against CVE Assignment</a></h2>`
			`<br>`
Add quotation marks in blockquotes. 2023-06-05 00:18:11 +01:00			`<blockquote>"You don't assign CVEs to every single random bugfix we do, do you?"</blockquote>`
Switch to blockquote formatting for quotes. 2023-06-05 00:07:29 +01:00			`<p>- Lennart Poettering, systemd lead developer</p>`
Add table of contents. Indent code to match coding style. 2023-03-13 14:47:54 +00:00			`<p>My thoughts:<br>`
			`Yes, if they're security-related.</p>`
			`<p>Source:<br>`
			`<a class="body-link" href="https://github.com/systemd/systemd/pull/5998#issuecomment-303782334"`
			`>systemd GitHub Issue 5998</a></p>`
			`<h2 id="issue1"><a href="#issue1" class="h2"`
			`>Issue #1 - CVEs Are Not Useful</a></h2>`
Add quotation marks in blockquotes. 2023-06-05 00:18:11 +01:00			`<blockquote>"Humpf, I am not convinced this is the right way to announce this. We never did that, and half the`
Add table of contents. Indent code to match coding style. 2023-03-13 14:47:54 +00:00			`CVEs aren't useful anyway, hence I am not sure we should start with that now, because it is either`
			`inherently incomplete or blesses the nonsensical part of the CVE circus which we really shouldn't`
Add quotation marks in blockquotes. 2023-06-05 00:18:11 +01:00			`bless..."</blockquote>`
Switch to blockquote formatting for quotes. 2023-06-05 00:07:29 +01:00			`<p>- Lennart Poettering, systemd lead developer</p>`
Add table of contents. Indent code to match coding style. 2023-03-13 14:47:54 +00:00			`<p>My thoughts:<br>`
			`CVEs are supposed to be for security, and a log of when they were found and their severity, so yes,`
			`it is the correct way to announce it. It seems as if over 95 security-concious people think the`
			`same.</p>`
			`<p>Source:<br>`
			`<a class="body-link" href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869"`
			`>systemd GitHub Issue 6225</a></p>`
			`<h2 id="issue2"><a href="#issue2" class="h2">`
			`Issue #2 - Security is a Circus</a></h2>`
Add quotation marks in blockquotes. 2023-06-05 00:18:11 +01:00			`<blockquote>"I am not sure I buy enough into the security circus to do that though for any minor`
			`issue..."</blockquote>`
Switch to blockquote formatting for quotes. 2023-06-05 00:07:29 +01:00			`<p>- Lennart Poettering, systemd lead developer</p>`
Add table of contents. Indent code to match coding style. 2023-03-13 14:47:54 +00:00			`<p>Source:<br>`
			`<a class="body-link" href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654"`
			`>systemd GitHub Issue 5144</a></p>`
			`<h2 id="issue3"><a href="#issue3" class="h2"`
			`>Issue #3 - Blaming the User</a></h2>`
Add quotation marks in blockquotes. 2023-06-05 00:18:11 +01:00			`<blockquote>"Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create`
Add table of contents. Indent code to match coding style. 2023-03-13 14:47:54 +00:00			`it in the first place. Note that not permitting numeric first characters is done on purpose: to`
Switch to blockquote formatting for quotes. 2023-06-05 00:07:29 +01:00			`avoid ambiguities between numeric UID and textual user names.`
Add table of contents. Indent code to match coding style. 2023-03-13 14:47:54 +00:00			`<br>`
			`systemd will validate all configuration data you drop at it, making it hard to generate invalid`
			`configuration. Hence, yes, it's a feature that we don't permit invalid user names, and I'd consider`
			`it a limitation of xinetd that it doesn't refuse an invalid username.<br>`
			`<br>`
			`So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but`
Add quotation marks in blockquotes. 2023-06-05 00:18:11 +01:00			`still: the username is clearly not valid."</blockquote>`
Switch to blockquote formatting for quotes. 2023-06-05 00:07:29 +01:00			`<p>- Lennart Poettering, systemd lead developer</p>`
Add table of contents. Indent code to match coding style. 2023-03-13 14:47:54 +00:00			`<p>My thoughts:<br>`
			`systemd was the thing that allowed root access just because a username started with a number, then`
			`Poettering blamed the user.</p>`
			`<p>Source:<br>`
			`<a class="body-link" href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864"`
			`>systemd GitHub Issue 6237</a></p>`
Update filenames to new file naming system. 2022-12-20 02:19:21 +00:00			`</body>`
			`</html>`