Inferencium/website
1
0
Fork 0
Code Issues Activity

Update Blog #1 webpage from version 4.0.2.16 to 4.1.0.24.

Browse Source
This commit is contained in:
inference 2023-06-23 18:31:45 +01:00
parent b80bcfa7f0
commit 355f6d4df5
Signed by: inference
SSH Key Fingerprint: SHA256:9Pl0nZ2UJacgm+IeEtLSZ4FOESgP1eKCtRflfPfdX9M
1 changed files with 87 additions and 135 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

222
blog/systemd_insecurity.html
View File

@ -5,142 +5,94 @@
<!-- Copyright 2022 Jake Winters --> <!-- Copyright 2022 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause --> <!-- SPDX-License-Identifier: BSD-3-Clause -->
<!-- Version: 4.0.2.16 --> <!-- Version: 4.1.0.24 -->
<html> <html>
<head>
<head> <title>Inferencium - Blog - systemd Insecurity</title>
<title>Inferencium - Blog - systemd Insecurity</title> <link rel="stylesheet" href="../inf.css">
<link rel="stylesheet" href="../inf.css"> <meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="viewport" content="width=device-width, initial-scale=1"> </head>
</head> <!-- Navigation bar -->
<div class="sidebar">
<!-- Navigation bar. --> <a href="../index.html"><img src="../asset/img/logo-inferencium-no_text.png" width="110px" height="110px"></a>
<div class="sidebar"> <a href="../index.html" class="title">Inferencium</a><br>
<img src="../asset/img/logo-inferencium-no_text.png" <br>
width="110px" height="110px"> <br>
<a class="title">Inferencium</a><br> <div><a href="../about.html">About</a></div>
<br> <div><a href="../contact.html">Contact</a></div>
<br> <div><a href="../blog.html">Blog</a></div>
<div><a href="../about.html">About</a></div> <div><a href="../source.html">Source</a></div>
<div><a href="../contact.html">Contact</a></div> <div><a href="../key.html">Key</a></div>
<div><a href="../blog.html">Blog</a></div> </div>
<div><a href="../source.html">Source</a></div> <body>
<div><a href="../key.html">Key</a></div> <h1>Blog - #1</h1>
</div> <h2>systemd Insecurity</h2>
<p class="update_date">Posted: 2022-01-29 (UTC+00:00)</p>
<body> <p class="update_date">Updated: 2022-11-14 (UTC+00:00)</p>
<h1>Blog - #1</h1> <!-- Table of contents -->
<br> <section id="toc">
<br> <h2 id="toc"><a href="#toc" class="h2">Table of Contents<a/></h2>
<br> <ul>
<li><a href="#issue0" class="body-link">Issue #0 - Against CVE Assignment</a></li>
<h2>systemd Insecurity</h2> <li><a href="#issue1" class="body-link">Issue #1 - CVEs Are Not Useful</a></li>
<br> <li><a href="#issue2" class="body-link">Issue #2 - Security is a Circus</a></li>
<p class="update_date">Posted: 2022-01-29 (UTC+00:00)</p> <li><a href="#issue3" class="body-link">Issue #3 - Blaming the User</a></li>
<p class="update_date">Updated: 2022-11-14 (UTC+00:00)</p> </ul>
<br> </section>
<br> <p>Anyone who cares about security may want to switch from systemd as soon as possible; its lead
developer doesn't care about your security at all.</p>
<!-- Table of contents. --> <section id="issue0">
<h2 id="toc"><a href="#toc" class="h2" <h2 id="issue0"><a href="#issue0" class="h2">Issue #0 - Against CVE Assignment</a></h2>
>Table of Contents<a/></h2> <br>
<ul> <blockquote>"You don't assign CVEs to every single random bugfix we do, do you?"</blockquote>
<li><a href="#issue0" class="body-link" <p>- Lennart Poettering, systemd lead developer</p>
>Issue #0 - Against CVE Assignment</a></li> <p>My thoughts:<br>
<li><a href="#issue1" class="body-link" Yes, if they're security-related.</p>
>Issue #1 - CVEs Are Not Useful</a></li> <p>Source:<br>
<li><a href="#issue2" class="body-link" <a href="https://github.com/systemd/systemd/pull/5998#issuecomment-303782334" class="body-link">systemd GitHub Issue 5998</a></p>
>Issue #2 - Security is a Circus</a></li> </section>
<li><a href="#issue3" class="body-link" <section id="issue1">
>Issue #3 - Blaming the User</a></li> <h2 id="issue1"><a href="#issue1" class="h2">Issue #1 - CVEs Are Not Useful</a></h2>
</ul> <blockquote>"Humpf, I am not convinced this is the right way to announce this. We never did that, and half the
<br> CVEs aren't useful anyway, hence I am not sure we should start with that now, because it is either
<br> inherently incomplete or blesses the nonsensical part of the CVE circus which we really shouldn't
<br> bless..."</blockquote>
<p>- Lennart Poettering, systemd lead developer</p>
<p>Anyone who cares about security may want to switch from systemd as soon as possible; its lead <p>My thoughts:<br>
developer doesn't care about your security at all.</p> CVEs are supposed to be for security, and a log of when they were found and their severity, so yes,
<br> it *is* the correct way to announce it. It seems as if over 95 security-concious people think the
<br> same.</p>
<br> <p>Source:<br>
<a href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869" class="body-link">systemd GitHub Issue 6225</a></p>
<h2 id="issue0"><a href="#issue0" class="h2" </section>
>Issue #0 - Against CVE Assignment</a></h2> <section id="issue2">
<br> <h2 id="issue2"><a href="#issue2" class="h2">Issue #2 - Security is a Circus</a></h2>
<blockquote>"You don't assign CVEs to every single random bugfix we do, do you?"</blockquote> <blockquote>"I am not sure I buy enough into the security circus to do that though for any minor
<p>- Lennart Poettering, systemd lead developer</p> issue..."</blockquote>
<br> <p>- Lennart Poettering, systemd lead developer</p>
<p>My thoughts:<br> <p>Source:<br>
Yes, if they're security-related.</p> <a href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654" class="body-link">systemd GitHub Issue 5144</a></p>
<br> </section>
<p>Source:<br> <section id="issue3">
<a class="body-link" href="https://github.com/systemd/systemd/pull/5998#issuecomment-303782334" <h2 id="issue3"><a href="#issue3" class="h2">Issue #3 - Blaming the User</a></h2>
>systemd GitHub Issue 5998</a></p> <blockquote>"Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create
<br> it in the first place. Note that not permitting numeric first characters is done on purpose: to
<br> avoid ambiguities between numeric UID and textual user names.
<br> <br>
systemd will validate all configuration data you drop at it, making it hard to generate invalid
<h2 id="issue1"><a href="#issue1" class="h2" configuration. Hence, yes, it's a feature that we don't permit invalid user names, and I'd consider
>Issue #1 - CVEs Are Not Useful</a></h2> it a limitation of xinetd that it doesn't refuse an invalid username.<br>
<br> <br>
<blockquote>"Humpf, I am not convinced this is the right way to announce this. We never did that, and half the So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but
CVEs aren't useful anyway, hence I am not sure we should start with that now, because it is either still: the username is clearly not valid."</blockquote>
inherently incomplete or blesses the nonsensical part of the CVE circus which we really shouldn't <p>- Lennart Poettering, systemd lead developer</p>
bless..."</blockquote> <p>My thoughts:<br>
<p>- Lennart Poettering, systemd lead developer</p> systemd was the thing that allowed root access just because a username started with a number, then
<br> Poettering blamed the user.</p>
<p>My thoughts:<br> <p>Source:<br>
CVEs are supposed to be for security, and a log of when they were found and their severity, so yes, <a href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864" class="body-link">systemd GitHub Issue 6237</a></p>
it *is* the correct way to announce it. It seems as if over 95 security-concious people think the </section>
same.</p> </body>
<br>
<p>Source:<br>
<a class="body-link" href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869"
>systemd GitHub Issue 6225</a></p>
<br>
<br>
<br>
<h2 id="issue2"><a href="#issue2" class="h2">
Issue #2 - Security is a Circus</a></h2>
<br>
<blockquote>"I am not sure I buy enough into the security circus to do that though for any minor
issue..."</blockquote>
<p>- Lennart Poettering, systemd lead developer</p>
<br>
<p>Source:<br>
<a class="body-link" href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654"
>systemd GitHub Issue 5144</a></p>
<br>
<br>
<br>
<h2 id="issue3"><a href="#issue3" class="h2"
>Issue #3 - Blaming the User</a></h2>
<br>
<blockquote>"Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create
it in the first place. Note that not permitting numeric first characters is done on purpose: to
avoid ambiguities between numeric UID and textual user names.
<br>
systemd will validate all configuration data you drop at it, making it hard to generate invalid
configuration. Hence, yes, it's a feature that we don't permit invalid user names, and I'd consider
it a limitation of xinetd that it doesn't refuse an invalid username.<br>
<br>
So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but
still: the username is clearly not valid."</blockquote>
<p>- Lennart Poettering, systemd lead developer</p>
<br>
<p>My thoughts:<br>
systemd was the thing that allowed root access just because a username started with a number, then
Poettering blamed the user.</p>
<br>
<p>Source:<br>
<a class="body-link" href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864"
>systemd GitHub Issue 6237</a></p>
<br>
<br>
</body>
</html> </html>