Inferencium/website
1
0
Fork 0
Code Issues Activity

Add HTML sections.

Browse Source
This commit is contained in:
inference 2023-06-23 18:29:16 +01:00
parent cffebab69a
commit ed3a3a664f
Signed by: inference
SSH Key Fingerprint: SHA256:9Pl0nZ2UJacgm+IeEtLSZ4FOESgP1eKCtRflfPfdX9M
1 changed files with 60 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

110
blog/systemd_insecurity.html
View File

@ -5,7 +5,7 @@
<!-- Copyright 2022 Jake Winters --> <!-- Copyright 2022 Jake Winters -->
<!-- SPDX-License-Identifier: BSD-3-Clause --> <!-- SPDX-License-Identifier: BSD-3-Clause -->
<!-- Version: 4.1.0.23 --> <!-- Version: 4.1.0.24 -->
<html> <html>
@ -32,57 +32,67 @@
<p class="update_date">Posted: 2022-01-29 (UTC+00:00)</p> <p class="update_date">Posted: 2022-01-29 (UTC+00:00)</p>
<p class="update_date">Updated: 2022-11-14 (UTC+00:00)</p> <p class="update_date">Updated: 2022-11-14 (UTC+00:00)</p>
<!-- Table of contents --> <!-- Table of contents -->
<h2 id="toc"><a href="#toc" class="h2">Table of Contents<a/></h2> <section id="toc">
<ul> <h2 id="toc"><a href="#toc" class="h2">Table of Contents<a/></h2>
<li><a href="#issue0" class="body-link">Issue #0 - Against CVE Assignment</a></li> <ul>
<li><a href="#issue1" class="body-link">Issue #1 - CVEs Are Not Useful</a></li> <li><a href="#issue0" class="body-link">Issue #0 - Against CVE Assignment</a></li>
<li><a href="#issue2" class="body-link">Issue #2 - Security is a Circus</a></li> <li><a href="#issue1" class="body-link">Issue #1 - CVEs Are Not Useful</a></li>
<li><a href="#issue3" class="body-link">Issue #3 - Blaming the User</a></li> <li><a href="#issue2" class="body-link">Issue #2 - Security is a Circus</a></li>
</ul> <li><a href="#issue3" class="body-link">Issue #3 - Blaming the User</a></li>
</ul>
</section>
<p>Anyone who cares about security may want to switch from systemd as soon as possible; its lead <p>Anyone who cares about security may want to switch from systemd as soon as possible; its lead
developer doesn't care about your security at all.</p> developer doesn't care about your security at all.</p>
<h2 id="issue0"><a href="#issue0" class="h2">Issue #0 - Against CVE Assignment</a></h2> <section id="issue0">
<br> <h2 id="issue0"><a href="#issue0" class="h2">Issue #0 - Against CVE Assignment</a></h2>
<blockquote>"You don't assign CVEs to every single random bugfix we do, do you?"</blockquote>
<p>- Lennart Poettering, systemd lead developer</p>
<p>My thoughts:<br>
Yes, if they're security-related.</p>
<p>Source:<br>
<a href="https://github.com/systemd/systemd/pull/5998#issuecomment-303782334" class="body-link">systemd GitHub Issue 5998</a></p>
<h2 id="issue1"><a href="#issue1" class="h2">Issue #1 - CVEs Are Not Useful</a></h2>
<blockquote>"Humpf, I am not convinced this is the right way to announce this. We never did that, and half the
CVEs aren't useful anyway, hence I am not sure we should start with that now, because it is either
inherently incomplete or blesses the nonsensical part of the CVE circus which we really shouldn't
bless..."</blockquote>
<p>- Lennart Poettering, systemd lead developer</p>
<p>My thoughts:<br>
CVEs are supposed to be for security, and a log of when they were found and their severity, so yes,
it *is* the correct way to announce it. It seems as if over 95 security-concious people think the
same.</p>
<p>Source:<br>
<a href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869" class="body-link">systemd GitHub Issue 6225</a></p>
<h2 id="issue2"><a href="#issue2" class="h2">Issue #2 - Security is a Circus</a></h2>
<blockquote>"I am not sure I buy enough into the security circus to do that though for any minor
issue..."</blockquote>
<p>- Lennart Poettering, systemd lead developer</p>
<p>Source:<br>
<a href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654" class="body-link">systemd GitHub Issue 5144</a></p>
<h2 id="issue3"><a href="#issue3" class="h2">Issue #3 - Blaming the User</a></h2>
<blockquote>"Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create
it in the first place. Note that not permitting numeric first characters is done on purpose: to
avoid ambiguities between numeric UID and textual user names.
<br> <br>
systemd will validate all configuration data you drop at it, making it hard to generate invalid <blockquote>"You don't assign CVEs to every single random bugfix we do, do you?"</blockquote>
configuration. Hence, yes, it's a feature that we don't permit invalid user names, and I'd consider <p>- Lennart Poettering, systemd lead developer</p>
it a limitation of xinetd that it doesn't refuse an invalid username.<br> <p>My thoughts:<br>
<br> Yes, if they're security-related.</p>
So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but <p>Source:<br>
still: the username is clearly not valid."</blockquote> <a href="https://github.com/systemd/systemd/pull/5998#issuecomment-303782334" class="body-link">systemd GitHub Issue 5998</a></p>
<p>- Lennart Poettering, systemd lead developer</p> </section>
<p>My thoughts:<br> <section id="issue1">
systemd was the thing that allowed root access just because a username started with a number, then <h2 id="issue1"><a href="#issue1" class="h2">Issue #1 - CVEs Are Not Useful</a></h2>
Poettering blamed the user.</p> <blockquote>"Humpf, I am not convinced this is the right way to announce this. We never did that, and half the
<p>Source:<br> CVEs aren't useful anyway, hence I am not sure we should start with that now, because it is either
<a href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864" class="body-link">systemd GitHub Issue 6237</a></p> inherently incomplete or blesses the nonsensical part of the CVE circus which we really shouldn't
bless..."</blockquote>
<p>- Lennart Poettering, systemd lead developer</p>
<p>My thoughts:<br>
CVEs are supposed to be for security, and a log of when they were found and their severity, so yes,
it *is* the correct way to announce it. It seems as if over 95 security-concious people think the
same.</p>
<p>Source:<br>
<a href="https://github.com/systemd/systemd/pull/6225#issuecomment-311739869" class="body-link">systemd GitHub Issue 6225</a></p>
</section>
<section id="issue2">
<h2 id="issue2"><a href="#issue2" class="h2">Issue #2 - Security is a Circus</a></h2>
<blockquote>"I am not sure I buy enough into the security circus to do that though for any minor
issue..."</blockquote>
<p>- Lennart Poettering, systemd lead developer</p>
<p>Source:<br>
<a href="https://github.com/systemd/systemd/issues/5144#issuecomment-276740654" class="body-link">systemd GitHub Issue 5144</a></p>
</section>
<section id="issue3">
<h2 id="issue3"><a href="#issue3" class="h2">Issue #3 - Blaming the User</a></h2>
<blockquote>"Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create
it in the first place. Note that not permitting numeric first characters is done on purpose: to
avoid ambiguities between numeric UID and textual user names.
<br>
systemd will validate all configuration data you drop at it, making it hard to generate invalid
configuration. Hence, yes, it's a feature that we don't permit invalid user names, and I'd consider
it a limitation of xinetd that it doesn't refuse an invalid username.<br>
<br>
So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but
still: the username is clearly not valid."</blockquote>
<p>- Lennart Poettering, systemd lead developer</p>
<p>My thoughts:<br>
systemd was the thing that allowed root access just because a username started with a number, then
Poettering blamed the user.</p>
<p>Source:<br>
<a href="https://github.com/systemd/systemd/issues/6237#issuecomment-311900864" class="body-link">systemd GitHub Issue 6237</a></p>
</section>
</body> </body>
</html> </html>