From ed3a3a664f2b4c5ade48522aa50c006e144ef8e1 Mon Sep 17 00:00:00 2001 From: inference Date: Fri, 23 Jun 2023 18:29:16 +0100 Subject: [PATCH] Add HTML sections. --- blog/systemd_insecurity.html | 110 +++++++++++++++++++---------------- 1 file changed, 60 insertions(+), 50 deletions(-) diff --git a/blog/systemd_insecurity.html b/blog/systemd_insecurity.html index 1ff0507..2f89bdc 100644 --- a/blog/systemd_insecurity.html +++ b/blog/systemd_insecurity.html @@ -5,7 +5,7 @@ - + @@ -32,57 +32,67 @@

Posted: 2022-01-29 (UTC+00:00)

Updated: 2022-11-14 (UTC+00:00)

-

Table of Contents

- +
+

Table of Contents

+ +

Anyone who cares about security may want to switch from systemd as soon as possible; its lead developer doesn't care about your security at all.

-

Issue #0 - Against CVE Assignment

-
-
"You don't assign CVEs to every single random bugfix we do, do you?"
-

- Lennart Poettering, systemd lead developer

-

My thoughts:
- Yes, if they're security-related.

-

Source:
- systemd GitHub Issue 5998

-

Issue #1 - CVEs Are Not Useful

-
"Humpf, I am not convinced this is the right way to announce this. We never did that, and half the - CVEs aren't useful anyway, hence I am not sure we should start with that now, because it is either - inherently incomplete or blesses the nonsensical part of the CVE circus which we really shouldn't - bless..."
-

- Lennart Poettering, systemd lead developer

-

My thoughts:
- CVEs are supposed to be for security, and a log of when they were found and their severity, so yes, - it *is* the correct way to announce it. It seems as if over 95 security-concious people think the - same.

-

Source:
- systemd GitHub Issue 6225

-

Issue #2 - Security is a Circus

-
"I am not sure I buy enough into the security circus to do that though for any minor - issue..."
-

- Lennart Poettering, systemd lead developer

-

Source:
- systemd GitHub Issue 5144

-

Issue #3 - Blaming the User

-
"Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create - it in the first place. Note that not permitting numeric first characters is done on purpose: to - avoid ambiguities between numeric UID and textual user names. +
+

Issue #0 - Against CVE Assignment


- systemd will validate all configuration data you drop at it, making it hard to generate invalid - configuration. Hence, yes, it's a feature that we don't permit invalid user names, and I'd consider - it a limitation of xinetd that it doesn't refuse an invalid username.
-
- So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but - still: the username is clearly not valid."
-

- Lennart Poettering, systemd lead developer

-

My thoughts:
- systemd was the thing that allowed root access just because a username started with a number, then - Poettering blamed the user.

-

Source:
- systemd GitHub Issue 6237

+
"You don't assign CVEs to every single random bugfix we do, do you?"
+

- Lennart Poettering, systemd lead developer

+

My thoughts:
+ Yes, if they're security-related.

+

Source:
+ systemd GitHub Issue 5998

+ +
+

Issue #1 - CVEs Are Not Useful

+
"Humpf, I am not convinced this is the right way to announce this. We never did that, and half the + CVEs aren't useful anyway, hence I am not sure we should start with that now, because it is either + inherently incomplete or blesses the nonsensical part of the CVE circus which we really shouldn't + bless..."
+

- Lennart Poettering, systemd lead developer

+

My thoughts:
+ CVEs are supposed to be for security, and a log of when they were found and their severity, so yes, + it *is* the correct way to announce it. It seems as if over 95 security-concious people think the + same.

+

Source:
+ systemd GitHub Issue 6225

+
+
+

Issue #2 - Security is a Circus

+
"I am not sure I buy enough into the security circus to do that though for any minor + issue..."
+

- Lennart Poettering, systemd lead developer

+

Source:
+ systemd GitHub Issue 5144

+
+
+

Issue #3 - Blaming the User

+
"Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create + it in the first place. Note that not permitting numeric first characters is done on purpose: to + avoid ambiguities between numeric UID and textual user names. +
+ systemd will validate all configuration data you drop at it, making it hard to generate invalid + configuration. Hence, yes, it's a feature that we don't permit invalid user names, and I'd consider + it a limitation of xinetd that it doesn't refuse an invalid username.
+
+ So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but + still: the username is clearly not valid."
+

- Lennart Poettering, systemd lead developer

+

My thoughts:
+ systemd was the thing that allowed root access just because a username started with a number, then + Poettering blamed the user.

+

Source:
+ systemd GitHub Issue 6237

+