83 lines
2.8 KiB
HTML
83 lines
2.8 KiB
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<title>Inferencium Network - Blog - systemd Insecurity</title>
|
|
<link rel="stylesheet" href="../infnet.css">
|
|
</head>
|
|
<body>
|
|
<h1>Blog - #1</h1>
|
|
<br>
|
|
<h2>systemd Insecurity</h2>
|
|
<br>
|
|
<h3>2022-01-29 (UTC+00:00)</h3>
|
|
<br>
|
|
<p>Anyone who cares about security may want to switch from systemd as soon as<br>
|
|
possible; its lead developer doesn't care about your security at all, and<br>
|
|
makes the thing seem like an intentional government backdoor if I've ever<br>
|
|
seen one.</p>
|
|
<br>
|
|
<br>
|
|
<p>Poettering:<br>
|
|
"You don't assign CVEs to every single random bugfix we do, do you?"</p>
|
|
<br>
|
|
<p>My thoughts:<br>
|
|
Uhh... Yes, if they're security related.</p>
|
|
<br>
|
|
<p>Source:<br>
|
|
<a href="https://github.com/systemd/systemd/pull/5998">https://github.com/systemd/systemd/pull/5998</a></p>
|
|
<br>
|
|
<br>
|
|
<br>
|
|
<p>Poettering:<br>
|
|
"Humpf, I am not convinced this is the right way to announce this.<br>
|
|
We never did that, and half the CVEs aren't useful anyway, hence I am not<br>
|
|
sure we should start with that now, because it is either inherently<br>
|
|
incomplete or blesses the nonsensical part of the CVE circus which we<br>
|
|
really shouldn't bless..."</p>
|
|
<br>
|
|
<p>My thoughts:<br>
|
|
CVEs are supposed to be for security, and a log of when they were<br>
|
|
found and their severity, so yes, it *is* the correct way to announce it.<br>
|
|
It seems as if over 95 security concious people think the same.</p>
|
|
<br>
|
|
<p>Source:<br>
|
|
<a href="https://github.com/systemd/systemd/pull/6225">https://github.com/systemd/systemd/pull/6225</a></p>
|
|
<br>
|
|
<br>
|
|
<br>
|
|
<p>Poettering:<br>
|
|
"I am not sure I buy enough into the security circus to do that though for<br>
|
|
any minor issue..."</p>
|
|
<br>
|
|
<p>Source:<br>
|
|
<a href="https://github.com/systemd/systemd/issues/5144">https://github.com/systemd/systemd/issues/5144</a></p>
|
|
<br>
|
|
<br>
|
|
<br>
|
|
<p>Poettering:<br>
|
|
"Yes, as you found out "0day" is not a valid username. I wonder which tool<br>
|
|
permitted you to create it in the first place. Note that not permitting<br>
|
|
numeric first characters is done on purpose: to avoid ambiguities between<br>
|
|
numeric UID and textual user names.<br>
|
|
<br>
|
|
systemd will validate all configuration data you drop at it, making it hard<br>
|
|
to generate invalid configuration. Hence, yes, it's a feature that we don't<br>
|
|
permit invalid user names, and I'd consider it a limitation of xinetd that<br>
|
|
it doesn't refuse an invalid username.<br>
|
|
<br>
|
|
So, yeah, I don't think there's anything to fix in systemd here. I<br>
|
|
understand this is annoying, but still: the username is clearly not valid."</p>
|
|
<br>
|
|
<p>My thoughts:<br>
|
|
systemd was the thing that allowed root access just because a username<br>
|
|
started with a number.</p>
|
|
<br>
|
|
<p>Source:<br>
|
|
<a href="https://github.com/systemd/systemd/issues/6237">https://github.com/systemd/systemd/issues/6237</a></p>
|
|
<br>
|
|
<br>
|
|
<br>
|
|
<a href="../blog.html">Back</a>
|
|
</body>
|
|
</html>
|