Inferencium/website
1
0
Fork 0
Code Issues Activity

Update webpage "Blog - #1" from version "9.0.0-beta.1" to "9.0.1-beta.1"

Browse Source
This commit is contained in:
inference 2024-03-18 02:40:37 +00:00
parent 8b840152d9
commit 6aa565643a
Signed by: inference
SSH Key Fingerprint: SHA256:FtEVfx1CmTKMy40VwZvF4k+3TC+QhCWy+EmPRg50Nnc
1 changed files with 85 additions and 89 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

174
blog/systemd_insecurity.xhtml
View File

@ -1,99 +1,95 @@
<!DOCTYPE html> <!DOCTYPE html>
<!-- Inferencium - Website - Blog - #1 --> <!-- Inferencium - Website - Blog - #1 -->
<!-- Version: 9.0.0-beta.1 --> <!-- Version: 9.0.1-beta.1 -->
<!-- Copyright 2022 Jake Winters --> <!-- Copyright 2022 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause --> <!-- SPDX-License-Identifier: BSD-3-Clause WITH AdditionRef-Inferencium-Personal-exception -->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head> <head>
<meta charset="utf-8"/> <meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/> <meta name="viewport" content="width=device-width, initial-scale=1"/>
<link rel="stylesheet" href="../main.css"/> <link rel="stylesheet" href="../main.css"/>
<link rel="icon shortcut" href="../asset/img/logo/inferencium-notext.png"/> <link rel="icon shortcut" href="../asset/img/logo/inferencium-notext.png"/>
<title>Inferencium - Blog - systemd Insecurity</title> <title>Inferencium - Blog - systemd Insecurity</title>
</head> </head>
<body> <body>
<nav class="navbar"> <nav class="navbar">
<div class="logo"><a href="../index.xhtml"><img src="../asset/img/logo/inferencium-notext.png" alt="Inferencium logo"/></a></div> <div class="logo"><a href="../index.xhtml"><img src="../asset/img/logo/inferencium-notext.png" alt="Inferencium logo"/></a></div>
<div class="title"><a href="../index.xhtml">Inferencium</a></div> <div class="title"><a href="../index.xhtml">Inferencium</a></div>
<div><a href="../about.xhtml">About</a></div> <div><a href="../about.xhtml">About</a></div>
<div><a href="../news.xhtml">News</a></div> <div><a href="../news.xhtml">News</a></div>
<div><a href="../documentation.xhtml">Documentation</a></div> <div><a href="../documentation.xhtml">Documentation</a></div>
<div><a href="../source.xhtml">Source</a></div> <div><a href="../source.xhtml">Source</a></div>
<div><a href="../changelog.xhtml">Changelog</a></div> <div><a href="../changelog.xhtml">Changelog</a></div>
<div><a href="../blog.xhtml">Blog</a></div> <div><a href="../blog.xhtml">Blog</a></div>
<div><a href="../contact.xhtml">Contact</a></div> <div><a href="../contact.xhtml">Contact</a></div>
<div><a href="../directory.xhtml">Directory</a></div> <div><a href="../directory.xhtml">Directory</a></div>
<div><a href="../key.xhtml">Key</a></div> <div><a href="../key.xhtml">Key</a></div>
<div class="sitemap"><a href="../sitemap.xhtml">Sitemap</a></div> <div class="sitemap"><a href="../sitemap.xhtml">Sitemap</a></div>
</nav>
<h1>Blog - #1</h1>
<h2>systemd Insecurity</h2>
<p class="update_date">Posted: 2022-01-29 (UTC+00:00)</p>
<p class="update_date">Updated: 2023-10-31 (UTC+00:00)</p>
<nav id="toc">
<h2><a href="#toc">Table of Contents</a></h2>
<ul>
<li><a href="#issue-0">Issue #0 - Against CVE Assignment</a></li>
<li><a href="#issue-1">Issue #1 - CVEs Are Not Useful</a></li>
<li><a href="#issue-2">Issue #2 - Security is a Circus</a></li>
<li><a href="#issue-3">Issue #3 - Blaming the User</a></li>
</ul>
</nav> </nav>
<h1>Blog - #1</h1> <p>Anyone who cares about security may want to switch from systemd as soon as possible; its lead
<h2>systemd Insecurity</h2> developer doesn't care about your security at all.</p>
<p class="update_date">Posted: 2022-01-29 (UTC+00:00)</p> <section id="issue-0">
<p class="update_date">Updated: 2023-10-31 (UTC+00:00)</p> <h2><a href="#issue-0">Issue #0 - Against CVE Assignment</a></h2>
<nav id="toc"> <blockquote>"You don't assign CVEs to every single random bugfix we do, do you?"</blockquote>
<h2><a href="#toc">Table of Contents</a></h2> <p>- Lennart Poettering, systemd lead developer</p>
<ul> <p><b>My thoughts:</b> Yes, if they're security-related.</p>
<li><a href="#issue-0">Issue #0 - Against CVE Assignment</a></li> <p>Source:
<li><a href="#issue-1">Issue #1 - CVEs Are Not Useful</a></li> <a href="https://github.com/systemd/systemd/pull/5998#issuecomment-303782334">systemd GitHub Issue 5998</a></p>
<li><a href="#issue-2">Issue #2 - Security is a Circus</a></li> </section>
<li><a href="#issue-3">Issue #3 - Blaming the User</a></li> <section id="issue-1">
</ul> <h2><a href="#issue-1">Issue #1 - CVEs Are Not Useful</a></h2>
</nav> <blockquote>"Humpf, I am not convinced this is the right way to announce this. We never did
<p>Anyone who cares about security may want to switch from systemd as soon as possible; its lead that, and half the CVEs aren't useful anyway, hence I am not sure we should start with that now,
developer doesn't care about your security at all.</p> because it is either inherently incomplete or blesses the nonsensical part of the CVE circus
<section id="issue-0"> which we really shouldn't bless..."</blockquote>
<h2><a href="#issue-0">Issue #0 - Against CVE Assignment</a></h2> <p>- Lennart Poettering, systemd lead developer</p>
<blockquote>"You don't assign CVEs to every single random bugfix we do, do <p><b>My thoughts:</b> CVEs are supposed to be for security, and a log of when they were found
you?"</blockquote> and their severity, so yes, it <em>is</em> the correct way to announce it. It seems as if over
<p>- Lennart Poettering, systemd lead developer</p> 95 security-concious people think the same.</p>
<p><b>My thoughts:</b> Yes, if they're security-related.</p> <p>Source:
<p>Source: <a href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869">systemd GitHub Issue 6225</a></p>
<a href="https://github.com/systemd/systemd/pull/5998#issuecomment-303782334">systemd GitHub Issue 5998</a></p> </section>
</section> <section id="issue-2">
<section id="issue-1"> <h2><a href="#issue-2">Issue #2 - Security is a Circus</a></h2>
<h2><a href="#issue-1">Issue #1 - CVEs Are Not Useful</a></h2> <blockquote>"I am not sure I buy enough into the security circus to do that though for any minor
<blockquote>"Humpf, I am not convinced this is the right way to announce this. issue..."</blockquote>
We never did that, and half the CVEs aren't useful anyway, hence I am not sure <p>- Lennart Poettering, systemd lead developer</p>
we should start with that now, because it is either inherently incomplete or <p>Source:
blesses the nonsensical part of the CVE circus which we really shouldn't <a href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654">systemd GitHub Issue 5144</a></p>
bless..."</blockquote> </section>
<p>- Lennart Poettering, systemd lead developer</p> <section id="issue-3">
<p><b>My thoughts:</b> CVEs are supposed to be for security, and a log of when they <h2><a href="#issue-3">Issue #3 - Blaming the User</a></h2>
were found and their severity, so yes, it <em>is</em> the correct way to <blockquote><p>"Yes, as you found out "0day" is not a valid username. I wonder which tool
announce it. It seems as if over 95 security-concious people think the same.</p> permitted you to create it in the first place. Note that not permitting numeric first characters
<p>Source: is done on purpose: to avoid ambiguities between numeric UID and textual user names.</p>
<a href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869">systemd GitHub Issue 6225</a></p> <p>systemd will validate all configuration data you drop at it, making it hard to generate
</section> invalid configuration. Hence, yes, it's a feature that we don't permit invalid user names, and
<section id="issue-2"> I'd consider it a limitation of xinetd that it doesn't refuse an invalid username.</p>
<h2><a href="#issue-2">Issue #2 - Security is a Circus</a></h2> <p>So, yeah, I don't think there's anything to fix in systemd here. I understand this is
<blockquote>"I am not sure I buy enough into the security circus to do that annoying, but still: the username is clearly not valid."</p></blockquote>
though for any minor issue..."</blockquote> <p>- Lennart Poettering, systemd lead developer</p>
<p>- Lennart Poettering, systemd lead developer</p> <p><b>My thoughts:</b> systemd was the thing that allowed root access just because a username
<p>Source: started with a number, then Poettering blamed the user.</p>
<a href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654">systemd GitHub Issue 5144</a></p> <p>Source:
</section> <a href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864">systemd GitHub Issue 6237</a></p>
<section id="issue-3"> </section>
<h2><a href="#issue-3">Issue #3 - Blaming the User</a></h2> <div class="sitemap-small"><a href="../sitemap.xhtml">Sitemap</a></div>
<blockquote><p>"Yes, as you found out "0day" is not a valid username. I wonder </body>
which tool permitted you to create it in the first place. Note that not
permitting numeric first characters is done on purpose: to avoid ambiguities
between numeric UID and textual user names.</p>
<p>systemd will validate all configuration data you drop at it, making it hard to
generate invalid configuration. Hence, yes, it's a feature that we don't permit
invalid user names, and I'd consider it a limitation of xinetd that it doesn't
refuse an invalid username.</p>
<p>So, yeah, I don't think there's anything to fix in systemd here. I understand
this is annoying, but still: the username is clearly not valid."</p></blockquote>
<p>- Lennart Poettering, systemd lead developer</p>
<p><b>My thoughts:</b> systemd was the thing that allowed root access just because a
username started with a number, then Poettering blamed the user.</p>
<p>Source:
<a href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864">systemd GitHub Issue 6237</a></p>
</section>
<div class="sitemap-small"><a href="../sitemap.xhtml">Sitemap</a></div>
</body>
</html> </html>