website/blog/systemd_insecurity.xhtml

<!DOCTYPE html>

<!-- Inferencium - Website - Blog - #1 -->
<!-- Version: 9.0.1 -->

<!-- Copyright 2022 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause WITH AdditionRef-Inferencium-Personal-exception -->


<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
	<head>
		<meta charset="utf-8"/>
		<meta name="viewport" content="width=device-width, initial-scale=1"/>
		<link rel="stylesheet" href="../main.css"/>
		<link rel="icon shortcut" href="../asset/img/logo/inferencium-notext.png"/>
		<title>Inferencium - Blog - systemd Insecurity</title>
	</head>
	<body>
		<nav class="navbar">
			<div class="logo"><a href="../index.xhtml"><img src="../asset/img/logo/inferencium-notext.png" alt="Inferencium logo"/></a></div>
			<div class="title"><a href="../index.xhtml">Inferencium</a></div>
			<div><a href="../about.xhtml">About</a></div>
			<div><a href="../news.xhtml">News</a></div>
			<div><a href="../documentation.xhtml">Documentation</a></div>
			<div><a href="../source.xhtml">Source</a></div>
			<div><a href="../changelog.xhtml">Changelog</a></div>
			<div><a href="../blog.xhtml">Blog</a></div>
			<div><a href="../contact.xhtml">Contact</a></div>
			<div><a href="../directory.xhtml">Directory</a></div>
			<div><a href="../key.xhtml">Key</a></div>
			<div class="sitemap"><a href="../sitemap.xhtml">Sitemap</a></div>
		</nav>
		<h1>Blog - #1</h1>
			<h2>systemd Insecurity</h2>
				<p class="update_date">Posted: 2022-01-29 (UTC+00:00)</p>
				<p class="update_date">Updated: 2023-10-31 (UTC+00:00)</p>
				<nav id="toc">
					<h2><a href="#toc">Table of Contents</a></h2>
						<ul>
							<li><a href="#issue-0">Issue #0 - Against CVE Assignment</a></li>
							<li><a href="#issue-1">Issue #1 - CVEs Are Not Useful</a></li>
							<li><a href="#issue-2">Issue #2 - Security is a Circus</a></li>
							<li><a href="#issue-3">Issue #3 - Blaming the User</a></li>
						</ul>
				</nav>
				<p>Anyone who cares about security may want to switch from systemd as soon as possible; its lead
				developer doesn't care about your security at all.</p>
				<section id="issue-0">
					<h2><a href="#issue-0">Issue #0 - Against CVE Assignment</a></h2>
						<blockquote>"You don't assign CVEs to every single random bugfix we do, do you?"</blockquote>
						<p>- Lennart Poettering, systemd lead developer</p>
						<p><b>My thoughts:</b> Yes, if they're security-related.</p>
						<p>Source:
						<a href="https://github.com/systemd/systemd/pull/5998#issuecomment-303782334">systemd GitHub Issue 5998</a></p>
				</section>
				<section id="issue-1">
					<h2><a href="#issue-1">Issue #1 - CVEs Are Not Useful</a></h2>
						<blockquote>"Humpf, I am not convinced this is the right way to announce this. We never did
						that, and half the CVEs aren't useful anyway, hence I am not sure we should start with that now,
						because it is either inherently incomplete or blesses the nonsensical part of the CVE circus
						which we really shouldn't bless..."</blockquote>
						<p>- Lennart Poettering, systemd lead developer</p>
						<p><b>My thoughts:</b> CVEs are supposed to be for security, and a log of when they were found
						and their severity, so yes, it <em>is</em> the correct way to announce it. It seems as if over
						95 security-concious people think the same.</p>
						<p>Source:
						<a href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869">systemd GitHub Issue 6225</a></p>
				</section>
				<section id="issue-2">
					<h2><a href="#issue-2">Issue #2 - Security is a Circus</a></h2>
						<blockquote>"I am not sure I buy enough into the security circus to do that though for any minor
						issue..."</blockquote>
						<p>- Lennart Poettering, systemd lead developer</p>
						<p>Source:
						<a href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654">systemd GitHub Issue 5144</a></p>
				</section>
				<section id="issue-3">
					<h2><a href="#issue-3">Issue #3 - Blaming the User</a></h2>
						<blockquote><p>"Yes, as you found out "0day" is not a valid username. I wonder which tool
						permitted you to create it in the first place. Note that not permitting numeric first characters
						is done on purpose: to avoid ambiguities between numeric UID and textual user names.</p>
						<p>systemd will validate all configuration data you drop at it, making it hard to generate
						invalid configuration. Hence, yes, it's a feature that we don't permit invalid user names, and
						I'd consider it a limitation of xinetd that it doesn't refuse an invalid username.</p>
						<p>So, yeah, I don't think there's anything to fix in systemd here. I understand this is
						annoying, but still: the username is clearly not valid."</p></blockquote>
						<p>- Lennart Poettering, systemd lead developer</p>
						<p><b>My thoughts:</b> systemd was the thing that allowed root access just because a username
						started with a number, then Poettering blamed the user.</p>
						<p>Source:
						<a href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864">systemd GitHub Issue 6237</a></p>
				</section>
		<div class="sitemap-small"><a href="../sitemap.xhtml">Sitemap</a></div>
	</body>
</html>
Update filenames to new file naming system. 2022-12-20 02:19:21 +00:00			`<!DOCTYPE html>`

			`<!-- Inferencium - Website - Blog - #1 -->`
Update webpage "Blog - #1" from version "9.0.0" to "9.0.1" 2024-03-18 03:56:05 +00:00			`<!-- Version: 9.0.1 -->`
Update filenames to new file naming system. 2022-12-20 02:19:21 +00:00
Update Blog #1 from version 3.1.0.13 to 4.0.0.14. 2023-05-28 15:37:00 +01:00			`<!-- Copyright 2022 Jake Winters -->`
Update webpage "Blog - #1" from version "9.0.0" to "9.0.1" 2024-03-18 03:56:05 +00:00			`<!-- SPDX-License-Identifier: BSD-3-Clause WITH AdditionRef-Inferencium-Personal-exception -->`
Update filenames to new file naming system. 2022-12-20 02:19:21 +00:00

Update webpage "Blog - #1" from version "5.1.0" to "6.0.0" 2024-01-15 04:21:51 +00:00			`<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">`
Update webpage "Blog - #1" from version "9.0.0" to "9.0.1" 2024-03-18 03:56:05 +00:00			`<head>`
			`<meta charset="utf-8"/>`
			`<meta name="viewport" content="width=device-width, initial-scale=1"/>`
			`<link rel="stylesheet" href="../main.css"/>`
			`<link rel="icon shortcut" href="../asset/img/logo/inferencium-notext.png"/>`
			`<title>Inferencium - Blog - systemd Insecurity</title>`
			`</head>`
			`<body>`
			`<nav class="navbar">`
			`<div class="logo"><a href="../index.xhtml"><img src="../asset/img/logo/inferencium-notext.png" alt="Inferencium logo"/></a></div>`
			`<div class="title"><a href="../index.xhtml">Inferencium</a></div>`
			`<div><a href="../about.xhtml">About</a></div>`
			`<div><a href="../news.xhtml">News</a></div>`
			`<div><a href="../documentation.xhtml">Documentation</a></div>`
			`<div><a href="../source.xhtml">Source</a></div>`
			`<div><a href="../changelog.xhtml">Changelog</a></div>`
			`<div><a href="../blog.xhtml">Blog</a></div>`
			`<div><a href="../contact.xhtml">Contact</a></div>`
			`<div><a href="../directory.xhtml">Directory</a></div>`
			`<div><a href="../key.xhtml">Key</a></div>`
			`<div class="sitemap"><a href="../sitemap.xhtml">Sitemap</a></div>`
			`</nav>`
			`<h1>Blog - #1</h1>`
			`<h2>systemd Insecurity</h2>`
			`<p class="update_date">Posted: 2022-01-29 (UTC+00:00)</p>`
			`<p class="update_date">Updated: 2023-10-31 (UTC+00:00)</p>`
			`<nav id="toc">`
			`<h2><a href="#toc">Table of Contents</a></h2>`
			`<ul>`
			`<li><a href="#issue-0">Issue #0 - Against CVE Assignment</a></li>`
			`<li><a href="#issue-1">Issue #1 - CVEs Are Not Useful</a></li>`
			`<li><a href="#issue-2">Issue #2 - Security is a Circus</a></li>`
			`<li><a href="#issue-3">Issue #3 - Blaming the User</a></li>`
			`</ul>`
Update webpage "Blog - #1" from version 5.0.1 to 5.0.2 2023-11-16 21:25:15 +00:00			`</nav>`
Update webpage "Blog - #1" from version "9.0.0" to "9.0.1" 2024-03-18 03:56:05 +00:00			`<p>Anyone who cares about security may want to switch from systemd as soon as possible; its lead`
			`developer doesn't care about your security at all.</p>`
			`<section id="issue-0">`
			`<h2><a href="#issue-0">Issue #0 - Against CVE Assignment</a></h2>`
			`<blockquote>"You don't assign CVEs to every single random bugfix we do, do you?"</blockquote>`
			`<p>- Lennart Poettering, systemd lead developer</p>`
			`<p><b>My thoughts:</b> Yes, if they're security-related.</p>`
			`<p>Source:`
			`<a href="https://github.com/systemd/systemd/pull/5998#issuecomment-303782334">systemd GitHub Issue 5998</a></p>`
			`</section>`
			`<section id="issue-1">`
			`<h2><a href="#issue-1">Issue #1 - CVEs Are Not Useful</a></h2>`
			`<blockquote>"Humpf, I am not convinced this is the right way to announce this. We never did`
			`that, and half the CVEs aren't useful anyway, hence I am not sure we should start with that now,`
			`because it is either inherently incomplete or blesses the nonsensical part of the CVE circus`
			`which we really shouldn't bless..."</blockquote>`
			`<p>- Lennart Poettering, systemd lead developer</p>`
			`<p><b>My thoughts:</b> CVEs are supposed to be for security, and a log of when they were found`
			`and their severity, so yes, it <em>is</em> the correct way to announce it. It seems as if over`
			`95 security-concious people think the same.</p>`
			`<p>Source:`
			`<a href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869">systemd GitHub Issue 6225</a></p>`
			`</section>`
			`<section id="issue-2">`
			`<h2><a href="#issue-2">Issue #2 - Security is a Circus</a></h2>`
			`<blockquote>"I am not sure I buy enough into the security circus to do that though for any minor`
			`issue..."</blockquote>`
			`<p>- Lennart Poettering, systemd lead developer</p>`
			`<p>Source:`
			`<a href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654">systemd GitHub Issue 5144</a></p>`
			`</section>`
			`<section id="issue-3">`
			`<h2><a href="#issue-3">Issue #3 - Blaming the User</a></h2>`
			`<blockquote><p>"Yes, as you found out "0day" is not a valid username. I wonder which tool`
			`permitted you to create it in the first place. Note that not permitting numeric first characters`
			`is done on purpose: to avoid ambiguities between numeric UID and textual user names.</p>`
			`<p>systemd will validate all configuration data you drop at it, making it hard to generate`
			`invalid configuration. Hence, yes, it's a feature that we don't permit invalid user names, and`
			`I'd consider it a limitation of xinetd that it doesn't refuse an invalid username.</p>`
			`<p>So, yeah, I don't think there's anything to fix in systemd here. I understand this is`
			`annoying, but still: the username is clearly not valid."</p></blockquote>`
			`<p>- Lennart Poettering, systemd lead developer</p>`
			`<p><b>My thoughts:</b> systemd was the thing that allowed root access just because a username`
			`started with a number, then Poettering blamed the user.</p>`
			`<p>Source:`
			`<a href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864">systemd GitHub Issue 6237</a></p>`
			`</section>`
			`<div class="sitemap-small"><a href="../sitemap.xhtml">Sitemap</a></div>`
			`</body>`
Update filenames to new file naming system. 2022-12-20 02:19:21 +00:00			`</html>`