Inferencium/website
1
0
Fork 0
Code Issues Activity

Update back-end code to new 100-120 column coding style.

Browse Source
This commit is contained in:
inference 2022-12-11 17:29:51 +00:00
parent 6b85ffa35c
commit a3c41df6fa
1 changed files with 21 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
blog/systemd-insecurity.html
View File

@ -5,7 +5,7 @@
<!-- Copyright 2022 Inference --> <!-- Copyright 2022 Inference -->
<!-- License: BSD 3-Clause Clear (with personal content exception) --> <!-- License: BSD 3-Clause Clear (with personal content exception) -->
<!-- 0.2.1.3 --> <!-- 0.2.2.4 -->
<html> <html>
@ -38,8 +38,8 @@
<br> <br>
<br> <br>
<p>Anyone who cares about security may want to switch from systemd as soon as <p>Anyone who cares about security may want to switch from systemd as soon as possible; its lead
possible; its lead developer doesn't care about your security at all.</p> developer doesn't care about your security at all.</p>
<br> <br>
<br> <br>
<h3>Issue #0 - Against CVE Assignment</h3> <h3>Issue #0 - Against CVE Assignment</h3>
@ -59,16 +59,15 @@ Yes, if they're security-related.</p>
<h3>Issue #1 - CVEs Are Not Useful</h3> <h3>Issue #1 - CVEs Are Not Useful</h3>
<br> <br>
<p>Poettering:<br> <p>Poettering:<br>
"Humpf, I am not convinced this is the right way to announce this. "Humpf, I am not convinced this is the right way to announce this. We never did that, and half the
We never did that, and half the CVEs aren't useful anyway, hence I am not CVEs aren't useful anyway, hence I am not sure we should start with that now, because it is either
sure we should start with that now, because it is either inherently inherently incomplete or blesses the nonsensical part of the CVE circus which we really shouldn't
incomplete or blesses the nonsensical part of the CVE circus which we bless..."</p>
really shouldn't bless..."</p>
<br> <br>
<p>My thoughts:<br> <p>My thoughts:<br>
CVEs are supposed to be for security, and a log of when they were CVEs are supposed to be for security, and a log of when they were found and their severity, so yes,
found and their severity, so yes, it *is* the correct way to announce it. it *is* the correct way to announce it. It seems as if over 95 security-concious people think the
It seems as if over 95 security-concious people think the same.</p> same.</p>
<br> <br>
<p>Source:<br> <p>Source:<br>
<a class="body-link" href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869" <a class="body-link" href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869"
@ -79,8 +78,7 @@ It seems as if over 95 security-concious people think the same.</p>
<h3>Issue #2 - Security is a Circus</h3> <h3>Issue #2 - Security is a Circus</h3>
<br> <br>
<p>Poettering:<br> <p>Poettering:<br>
"I am not sure I buy enough into the security circus to do that though for "I am not sure I buy enough into the security circus to do that though for any minor issue..."</p>
any minor issue..."</p>
<br> <br>
<p>Source:<br> <p>Source:<br>
<a class="body-link" href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654" <a class="body-link" href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654"
@ -91,22 +89,20 @@ any minor issue..."</p>
<h3>Issue #3 - Blaming the User</h3> <h3>Issue #3 - Blaming the User</h3>
<br> <br>
<p>Poettering:<br> <p>Poettering:<br>
"Yes, as you found out "0day" is not a valid username. I wonder which tool "Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create
permitted you to create it in the first place. Note that not permitting it in the first place. Note that not permitting numeric first characters is done on purpose: to
numeric first characters is done on purpose: to avoid ambiguities between avoid ambiguities between numeric UID and textual user names.<br>
numeric UID and textual user names.<br>
<br> <br>
systemd will validate all configuration data you drop at it, making it hard systemd will validate all configuration data you drop at it, making it hard to generate invalid
to generate invalid configuration. Hence, yes, it's a feature that we don't configuration. Hence, yes, it's a feature that we don't permit invalid user names, and I'd consider
permit invalid user names, and I'd consider it a limitation of xinetd that it a limitation of xinetd that it doesn't refuse an invalid username.<br>
it doesn't refuse an invalid username.<br>
<br> <br>
So, yeah, I don't think there's anything to fix in systemd here. I So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but
understand this is annoying, but still: the username is clearly not valid."</p> still: the username is clearly not valid."</p>
<br> <br>
<p>My thoughts:<br> <p>My thoughts:<br>
systemd was the thing that allowed root access just because a username systemd was the thing that allowed root access just because a username started with a number, then
started with a number, then Poettering blamed the user.</p> Poettering blamed the user.</p>
<br> <br>
<p>Source:<br> <p>Source:<br>
<a class="body-link" href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864" <a class="body-link" href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864"