website/blog/systemd_insecurity.html

<!DOCTYPE html>

<!-- Inferencium - Website - Blog - #1 -->
<!-- Version: 5.0.2 -->

<!-- Copyright 2022 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause -->


<html lang="en">
		<head>
				<meta charset="utf-8"/>
				<meta name="viewport" content="width=device-width, initial-scale=1"/>
				<link rel="stylesheet" href="../main.css"/>
				<title>Inferencium - Blog - systemd Insecurity</title>
		</head>
		<body>
				<nav class="nav-bar">
						<div><a href="../index.html"><img src="../asset/img/logo-inferencium-no_text.png" width="110px" height="110px"/></a></div>
						<div><a href="../index.html" class="title">Inferencium</a></div>
						<div><a href="../about.html">About</a></div>
						<div><a href="../contact.html">Contact</a></div>
						<div><a href="../blog.html">Blog</a></div>
						<div><a href="../documentation.html">Documentation</a></div>
						<div><a href="../source.html">Source</a></div>
						<div><a href="../key.html">Key</a></div>
						<div><a href="../changelog.html">Changelog</a></div>
				</nav>
				<h1>Blog - #1</h1>
						<h2>systemd Insecurity</h2>
								<p class="update_date">Posted: 2022-01-29 (UTC+00:00)</p>
								<p class="update_date">Updated: 2023-10-31 (UTC+00:00)</p>
						<nav id="toc">
								<h2 id="toc"><a href="#toc">Table of Contents<a/></h2>
										<ul>
												<li><a href="#issue-0">Issue #0 - Against CVE Assignment</a></li>
												<li><a href="#issue-1">Issue #1 - CVEs Are Not Useful</a></li>
												<li><a href="#issue-2">Issue #2 - Security is a Circus</a></li>
												<li><a href="#issue-3">Issue #3 - Blaming the User</a></li>
										</ul>
						</nav>
								<p>Anyone who cares about security may want to switch from systemd as soon as possible;
								its lead developer doesn't care about your security at all.</p>
						<section id="issue-0">
								<h2 id="issue-0"><a href="#issue-0">Issue #0 - Against CVE Assignment</a></h2>
										<blockquote>"You don't assign CVEs to every single random bugfix we do, do
										you?"</blockquote>
										<p>- Lennart Poettering, systemd lead developer</p>
										<p><b>My thoughts:</b> Yes, if they're security-related.</p>
										<p>Source:
										<a href="https://github.com/systemd/systemd/pull/5998#issuecomment-303782334">systemd GitHub Issue 5998</a></p>
						</section>
						<section id="issue-1">
								<h2 id="issue-1"><a href="#issue-1">Issue #1 - CVEs Are Not Useful</a></h2>
										<blockquote>"Humpf, I am not convinced this is the right way to announce this.
										We never did that, and half the CVEs aren't useful anyway, hence I am not sure
										we should start with that now, because it is either inherently incomplete or
										blesses the nonsensical part of the CVE circus which we really shouldn't
										bless..."</blockquote>
										<p>- Lennart Poettering, systemd lead developer</p>
										<p><b>My thoughts:</b> CVEs are supposed to be for security, and a log of when they
										were found and their severity, so yes, it <em>is</em> the correct way to
										announce it. It seems as if over 95 security-concious people think the same.</p>
										<p>Source:
										<a href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869">systemd GitHub Issue 6225</a></p>
						</section>
						<section id="issue-2">
								<h2 id="issue-2"><a href="#issue-2">Issue #2 - Security is a Circus</a></h2>
										<blockquote>"I am not sure I buy enough into the security circus to do that
										though for any minor issue..."</blockquote>
										<p>- Lennart Poettering, systemd lead developer</p>
										<p>Source:
										<a href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654">systemd GitHub Issue 5144</a></p>
						</section>
						<section id="issue-3">
								<h2 id="issue-3"><a href="#issue-3">Issue #3 - Blaming the User</a></h2>
										<blockquote>"Yes, as you found out "0day" is not a valid username. I wonder
										which tool permitted you to create it in the first place. Note that not
										permitting numeric first characters is done on purpose: to avoid ambiguities
										between numeric UID and textual user names.<br>
										<br>
										systemd will validate all configuration data you drop at it, making it hard to
										generate invalid configuration. Hence, yes, it's a feature that we don't permit
										invalid user names, and I'd consider it a limitation of xinetd that it doesn't
										refuse an invalid username.<br>
										<br>
										So, yeah, I don't think there's anything to fix in systemd here. I understand
										this is annoying, but still: the username is clearly not valid."</blockquote>
										<p>- Lennart Poettering, systemd lead developer</p>
										<p><b>My thoughts:</b> systemd was the thing that allowed root access just because a
										username started with a number, then Poettering blamed the user.</p>
										<p>Source:
										<a href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864">systemd GitHub Issue 6237</a></p>
						</section>
		</body>
</html>
Update filenames to new file naming system. 2022-12-20 02:19:21 +00:00			`<!DOCTYPE html>`

			`<!-- Inferencium - Website - Blog - #1 -->`
Rebase webpage "Blog - #1" from version 5.0.2-alpha.9 onto 5.0.2 2023-11-19 19:37:09 +00:00			`<!-- Version: 5.0.2 -->`
Update filenames to new file naming system. 2022-12-20 02:19:21 +00:00
Switch license from BSD-3-Clause-Clear to OSI-approved BSD-3-Clause. 2023-05-19 06:04:03 +01:00			`<!-- Copyright 2022 Jake Winters -->`
			`<!-- SPDX-License-Identifier: BSD-3-Clause -->`
Update filenames to new file naming system. 2022-12-20 02:19:21 +00:00

Add HTML lang attribute 2023-11-16 16:01:42 +00:00			`<html lang="en">`
Properly indent code. 2023-06-23 00:35:16 +01:00			`<head>`
Set head element meta charset attribute to UTF-8 2023-11-16 16:17:34 +00:00			`<meta charset="utf-8"/>`
Close tags without an end tag Closing tags which don't have an end tag provides more correctness for XML and XHTML tools, and is not against HTML standards despite closing such tags not being mandatory in HTML. 2023-11-16 16:42:54 +00:00			`<meta name="viewport" content="width=device-width, initial-scale=1"/>`
Reorder head element child elements 2023-11-16 16:52:21 +00:00			`<link rel="stylesheet" href="../main.css"/>`
			`<title>Inferencium - Blog - systemd Insecurity</title>`
Properly indent code. 2023-06-23 00:35:16 +01:00			`</head>`
			`<body>`
Add custom CSS class "nav-bar" for main navigation bar 2023-11-16 17:39:35 +00:00			`<nav class="nav-bar">`
Close tags without an end tag Closing tags which don't have an end tag provides more correctness for XML and XHTML tools, and is not against HTML standards despite closing such tags not being mandatory in HTML. 2023-11-16 16:42:54 +00:00			`<div><a href="../index.html"><img src="../asset/img/logo-inferencium-no_text.png" width="110px" height="110px"/></a></div>`
Switch navigation bar from custom sidebar element to proper nav 2023-11-16 15:02:24 +00:00			`<div><a href="../index.html" class="title">Inferencium</a></div>`
Move navigation bar to HTML body 2023-10-30 23:11:20 +00:00			`<div><a href="../about.html">About</a></div>`
			`<div><a href="../contact.html">Contact</a></div>`
			`<div><a href="../blog.html">Blog</a></div>`
			`<div><a href="../documentation.html">Documentation</a></div>`
			`<div><a href="../source.html">Source</a></div>`
			`<div><a href="../key.html">Key</a></div>`
			`<div><a href="../changelog.html">Changelog</a></div>`
Fix nav element 2023-11-16 15:19:34 +00:00			`</nav>`
Properly indent code. 2023-06-23 00:35:16 +01:00			`<h1>Blog - #1</h1>`
			`<h2>systemd Insecurity</h2>`
			`<p class="update_date">Posted: 2022-01-29 (UTC+00:00)</p>`
Rebase webpage "Blog - #1" from version 5.0.1-alpha.1 onto 5.0.1 2023-11-14 19:25:20 +00:00			`<p class="update_date">Updated: 2023-10-31 (UTC+00:00)</p>`
Switch table of contents from section element to nav 2023-11-16 15:52:59 +00:00			`<nav id="toc">`
Remove redundant CSS classes 2023-09-02 14:22:13 +01:00			`<h2 id="toc"><a href="#toc">Table of Contents<a/></h2>`
Add HTML sections. 2023-06-23 18:29:16 +01:00			`<ul>`
Fix issue anchors to conform to code style 2023-10-31 02:28:35 +00:00			`<li><a href="#issue-0">Issue #0 - Against CVE Assignment</a></li>`
			`<li><a href="#issue-1">Issue #1 - CVEs Are Not Useful</a></li>`
			`<li><a href="#issue-2">Issue #2 - Security is a Circus</a></li>`
			`<li><a href="#issue-3">Issue #3 - Blaming the User</a></li>`
Add HTML sections. 2023-06-23 18:29:16 +01:00			`</ul>`
Switch table of contents from section element to nav 2023-11-16 15:52:59 +00:00			`</nav>`
Fix code to conform to code style 2023-10-31 02:51:29 +00:00			`<p>Anyone who cares about security may want to switch from systemd as soon as possible;`
			`its lead developer doesn't care about your security at all.</p>`
Fix issue anchors to conform to code style 2023-10-31 02:28:35 +00:00			`<section id="issue-0">`
			`<h2 id="issue-0"><a href="#issue-0">Issue #0 - Against CVE Assignment</a></h2>`
Fix code to conform to code style 2023-10-31 02:51:29 +00:00			`<blockquote>"You don't assign CVEs to every single random bugfix we do, do`
			`you?"</blockquote>`
Add HTML sections. 2023-06-23 18:29:16 +01:00			`<p>- Lennart Poettering, systemd lead developer</p>`
Improve readability 2023-10-31 02:57:38 +00:00			`<p><b>My thoughts:</b> Yes, if they're security-related.</p>`
Fix code to conform to code style 2023-10-31 02:51:29 +00:00			`<p>Source:`
Remove redundant CSS classes 2023-09-02 14:22:13 +01:00			`<a href="https://github.com/systemd/systemd/pull/5998#issuecomment-303782334">systemd GitHub Issue 5998</a></p>`
Add HTML sections. 2023-06-23 18:29:16 +01:00			`</section>`
Fix issue anchors to conform to code style 2023-10-31 02:28:35 +00:00			`<section id="issue-1">`
			`<h2 id="issue-1"><a href="#issue-1">Issue #1 - CVEs Are Not Useful</a></h2>`
Fix code to conform to code style 2023-10-31 02:51:29 +00:00			`<blockquote>"Humpf, I am not convinced this is the right way to announce this.`
			`We never did that, and half the CVEs aren't useful anyway, hence I am not sure`
			`we should start with that now, because it is either inherently incomplete or`
			`blesses the nonsensical part of the CVE circus which we really shouldn't`
Add HTML sections. 2023-06-23 18:29:16 +01:00			`bless..."</blockquote>`
			`<p>- Lennart Poettering, systemd lead developer</p>`
Improve readability 2023-10-31 02:57:38 +00:00			`<p><b>My thoughts:</b> CVEs are supposed to be for security, and a log of when they`
Switch to proper emphasis code 2023-10-31 02:54:52 +00:00			`were found and their severity, so yes, it <em>is</em> the correct way to`
			`announce it. It seems as if over 95 security-concious people think the same.</p>`
Fix code to conform to code style 2023-10-31 02:51:29 +00:00			`<p>Source:`
Remove redundant CSS classes 2023-09-02 14:22:13 +01:00			`<a href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869">systemd GitHub Issue 6225</a></p>`
Add HTML sections. 2023-06-23 18:29:16 +01:00			`</section>`
Fix issue anchors to conform to code style 2023-10-31 02:28:35 +00:00			`<section id="issue-2">`
			`<h2 id="issue-2"><a href="#issue-2">Issue #2 - Security is a Circus</a></h2>`
Fix code to conform to code style 2023-10-31 02:51:29 +00:00			`<blockquote>"I am not sure I buy enough into the security circus to do that`
			`though for any minor issue..."</blockquote>`
Add HTML sections. 2023-06-23 18:29:16 +01:00			`<p>- Lennart Poettering, systemd lead developer</p>`
Fix code to conform to code style 2023-10-31 02:51:29 +00:00			`<p>Source:`
Remove redundant CSS classes 2023-09-02 14:22:13 +01:00			`<a href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654">systemd GitHub Issue 5144</a></p>`
Add HTML sections. 2023-06-23 18:29:16 +01:00			`</section>`
Fix issue anchors to conform to code style 2023-10-31 02:28:35 +00:00			`<section id="issue-3">`
			`<h2 id="issue-3"><a href="#issue-3">Issue #3 - Blaming the User</a></h2>`
Fix code to conform to code style 2023-10-31 02:51:29 +00:00			`<blockquote>"Yes, as you found out "0day" is not a valid username. I wonder`
			`which tool permitted you to create it in the first place. Note that not`
			`permitting numeric first characters is done on purpose: to avoid ambiguities`
			`between numeric UID and textual user names.<br>`
Add HTML sections. 2023-06-23 18:29:16 +01:00			`<br>`
Fix code to conform to code style 2023-10-31 02:51:29 +00:00			`systemd will validate all configuration data you drop at it, making it hard to`
			`generate invalid configuration. Hence, yes, it's a feature that we don't permit`
			`invalid user names, and I'd consider it a limitation of xinetd that it doesn't`
			`refuse an invalid username.<br>`
Add HTML sections. 2023-06-23 18:29:16 +01:00			`<br>`
Fix code to conform to code style 2023-10-31 02:51:29 +00:00			`So, yeah, I don't think there's anything to fix in systemd here. I understand`
			`this is annoying, but still: the username is clearly not valid."</blockquote>`
Add HTML sections. 2023-06-23 18:29:16 +01:00			`<p>- Lennart Poettering, systemd lead developer</p>`
Improve readability 2023-10-31 02:57:38 +00:00			`<p><b>My thoughts:</b> systemd was the thing that allowed root access just because a`
Fix code to conform to code style 2023-10-31 02:51:29 +00:00			`username started with a number, then Poettering blamed the user.</p>`
			`<p>Source:`
Remove redundant CSS classes 2023-09-02 14:22:13 +01:00			`<a href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864">systemd GitHub Issue 6237</a></p>`
Add HTML sections. 2023-06-23 18:29:16 +01:00			`</section>`
Properly indent code. 2023-06-23 00:35:16 +01:00			`</body>`
Update filenames to new file naming system. 2022-12-20 02:19:21 +00:00			`</html>`