Slashdot Mirror


Systemd Absorbs "su" Command Functionality

jones_supa writes: With a pull request systemd now supports su command functionality and can create privileged sessions that are fully isolated from the original session. The su command is seen as bad because what it is supposed to do is ambiguous. On one hand it's supposed to open a new session and change a number of execution context parameters, and on the other it's supposed to inherit a lot of concepts from the originating session. Lennart Poettering's long story short: "`su` is really a broken concept. It will give you kind of a shell, and it's fine to use it for that, but it's not a full login, and shouldn't be mistaken for one." The replacement command provided by systemd is machinectl shell.
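
The split the summary describes (identity changes while session, cgroup and audit context carry over) can be checked from `/proc`. The following is an added example, not part of the original post or of systemd: it parses the Linux `/proc/<pid>/` files `status`, `loginuid`, `sessionid` and `cgroup`, and the function names and sample file contents are constructed for illustration.

```python
import re
from pathlib import Path

UNSET = 4294967295  # (uid_t)-1: kernel value when no audit login uid was ever set

def parse_context(status, loginuid, sessionid, cgroup):
    """Build a context record from the text of four /proc/<pid>/ files."""
    uids = re.search(r"^Uid:\s+(\d+)\s+(\d+)", status, re.M)
    if uids is None:
        raise ValueError("no Uid: line in status text")
    # systemd-logind places session processes in user-<uid>.slice/session-<id>.scope
    scope = re.search(r"/user-(\d+)\.slice/session-([^/\s]+)\.scope", cgroup)
    return {
        "ruid": int(uids.group(1)),
        "euid": int(uids.group(2)),
        "loginuid": int(loginuid.strip()),
        "audit_session": int(sessionid.strip()),
        "slice_uid": int(scope.group(1)) if scope else None,
        "logind_session": scope.group(2) if scope else None,
    }

def read_context(pid="self"):
    """Read the same four files for a live process (Linux with audit support)."""
    base = Path("/proc") / str(pid)
    names = ("status", "loginuid", "sessionid", "cgroup")
    return parse_context(*((base / n).read_text() for n in names))

def inherited(before, after):
    """Names of the fields that kept their value across the switch."""
    return [k for k in before if before[k] == after[k]]

def classify(ctx):
    """Heuristic: compare the running identity with the audited login identity."""
    if ctx["loginuid"] == UNSET:
        return "no-login-session"
    if ctx["euid"] == ctx["loginuid"]:
        return "own-session"
    return "switched-in-session"  # also matches sudo and setuid programs

# Constructed samples (not captured from a real host).
CG_ALICE = "0::/user.slice/user-1000.slice/session-3.scope\n"
ALICE = parse_context("Name:\tbash\nUid:\t1000\t1000\t1000\t1000\n", "1000", "3", CG_ALICE)
# Shell started from that session with an identity switch such as su:
SWITCHED = parse_context("Name:\tbash\nUid:\t0\t0\t0\t0\n", "1000", "3", CG_ALICE)
# A separate full login as root with its own session:
ROOT_LOGIN = parse_context("Name:\tbash\nUid:\t0\t0\t0\t0\n", "0", "7",
                           "0::/user.slice/user-0.slice/session-7.scope\n")

if __name__ == "__main__":
    print("kept after switch:", inherited(ALICE, SWITCHED))
    print("kept after new login:", inherited(ALICE, ROOT_LOGIN))
    for name, ctx in (("switched", SWITCHED), ("root login", ROOT_LOGIN)):
        print(name, "->", classify(ctx))
    try:
        print("this process ->", classify(read_context()))
    except (OSError, ValueError):
        print("this process -> /proc audit files not available")
```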

39 of 747 comments

  1. Bullshit by mysidia · · Score: 5, Insightful

    Lennart Poettering's long story short: "`su` is really a broken concept

    Declaring established concepts as broken so you can "fix" them.

    Su is not a broken concept; it's a long well-established fundamental of BSD Unix/Linux. You need a shell with some commands to be run with additional privileges in the original user's context.

    If you need a full login you invoke 'su -' or 'sudo bash -'

    Deciding what a full login comprises is the shell's responsibility, not your init system's job.

    1. Re:Bullshit by LoRdTAW · · Score: 5, Insightful

      su is not only for root. it has a dual purpose: switch user or super user. Sometimes you might have to run a command as another user. So if you need to login as Gary you $su gary and type in Gary's password.

    2. Re:Bullshit by Anonymous Coward · · Score: 1, Insightful

      Poettering is very productive and he brings a lot of new code to the Linux ecosystem. That's why his often controversial projects remain so successful: at the end of the day, he is the guy who delivers.

    3. Re:Bullshit by Microlith · · Score: 4, Insightful

      Su is not a broken concept; it's a long well-established fundamental of BSD Unix/Linux.

      You're pretty much making an argument to tradition here. The correct thing to do would be to counter his claims:

      what "su" is supposed to do is very unclear. On one hand it's supposed to open a new session and change a number of execution context parameters (`uid`, `gid`, `env`, ...), and on the other it's supposed to inherit a lot of concepts from the originating session (`tty`, `cgroup`, `audit`, ...). Since this is so weakly defined it's a really weird mix&match of old and new parameters.

      I would like more detail from him on why and how it's broken, and how his replacement is truly different from "su -" but since it doesn't appear to be mutually exclusive with the use of "su" or "su -", other than typical reactionary hate I don't see what the problem is.

    4. Re:Bullshit by 0123456 · · Score: 3, Insightful

      There are plenty of programmers who can spew out hundreds of lines of crap code in a day.

      The problem is that others then have to spend years fixing it.

      It's even worse when you let the code-spewers actually design the system, because you'll never be allowed to go back and redo things right.

    5. Re:Bullshit by present_arms · · Score: 3, Insightful

      I'm so happy I don't have any systemd shit on this machine, seriously what is that man thinking, nothing is broken with su, in fact it's a lot more secure than some systems use of sudo. Poettering, listen to me, nothing is broken, if you want that shit on your machine, you have it, just leave the rest of us the fuck alone. I feel better after that :D

      --
      http://chimpbox.us
    6. Re:Bullshit by gweihir · · Score: 4, Insightful

      Deciding what a full login comprises is the shell's responsibility, not your init system's job.

      And certainly not the job of one Poettering, who still has not produced one piece of good software in his life.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Bullshit by Anonymous Coward · · Score: 5, Insightful

      He brings new code, but brings nothing new. That's called re-inventing the wheel, and in Poettering's case, the old wheels worked better and didn't go flat as often, and were easier for average people to fix.

    8. Re:Bullshit by pla · · Score: 4, Insightful

      other than typical reactionary hate I don't see what the problem is.

      You now have your init daemon providing an alternate attack pathway for gaining privileged access to the system, in a way that completely circumvents the well-established (and monitored by most IDSs) auditing capabilities of the platform.

      I'd call that a problem, but YMMV.

    9. Re:Bullshit by bytesex · · Score: 4, Insightful

      The problem is at step 5): su isn't confusing. It's a lame excuse to get your way.

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    10. Re:Bullshit by rnturn · · Score: 3, Insightful

      They try to Apple-ize linux but it's half-baked and neither more user-friendly nor more reliable than the stuff they replace.

      I've had the same complaint about CUPS -- Apple's screwball replacement for simple lpd -- for years. (And it's not just the Linux version that, IMHO, sucks. I recently had to live through using CUPS in an Apple shop and getting hard copy of anything was a real time sink.) I have a hard time figuring out what problem CUPS was intended to solve. All I can come up with was that it was shiny and new whereas lpd was old (but reliable). For my trusty, rock-solid HP LaserJet, I keep an old Linux distribution running so I can set it up using LPRng. A couple of lines in a text file and -- Voila! -- I have a print queue. Time spent^Wwasted in CUPS' GUI never seemed to make anything work.

      Systemd and well, just about anything Poettering touches is more obtuse than what it replaces, has commands that are difficult to remember, require more typing (making them prone to typos), and don't make much sense. Am I looking for the status of "servicename" or am I looking for the status of "servicename.target"? What's the difference? The guy's pushing me back to Slackware. Or, as someone above mentioned, BSD.

      --
      CUR ALLOC 20195.....5804M
  2. What's with all the awkward systemd command names? by RabidReindeer · · Score: 5, Insightful

    I know systemd sneers at the old Unix convention of keeping it simple, keeping it separate, but that's not the only convention they spit on. God intended Unix (Linux) commands to be cryptic things 2-4 letters long (like "su", for example). Not "systemctl", "machinectl", "journalctl", etc. Might as well just give everything a 47-character long multi-word command like the old Apple commando shell did.

    Seriously, though, when you're banging through system commands all day long, it gets old and their choices aren't especially friendly to tab completion. On top of which why is "machinectl" a shell and not some sort of hardware function? They should have just named the bloody thing command.com.

  3. Hang on a minute... by Anonymous Coward · · Score: 5, Insightful

    Well, let me explain some of the problems that I've had with su.

    Oh wait. I've never had problems with su. Ever. What is up with this???

    1. Re:Hang on a minute... by magamiako1 · · Score: 4, Insightful

      Welcome to IT. Where the youngin's come in and rip up everything that was built for decades because "oh that's too complicated".

    2. Re:Hang on a minute... by TheGratefulNet · · Score: 4, Insightful

      it's the other way around. we used to have small, simple programs that did not take whole systems to build and gigs of mem to run in. things were easier to understand and concepts were not overdone a hundred times, just because 'reasons'.

      now, we have software that can't be debugged well, people who are current software eng's have no attention span to fix bugs or do proper design, older guys who DO remember 'why' are no longer being hired and we can't seem to stand on our giants' shoulders anymore. again, because 'reasons'.

      --
      "It is now safe to switch off your computer."
    3. Re:Hang on a minute... by Blymie · · Score: 4, Insightful

      I honestly, seriously sometimes wonder if systemd is Skynet... or, a way for Skynet to 'waken'.

      And if Poettering isn't just a T3 from the future or some such, working to prepare the existing internet for it to awaken.

      I mean, really -- honestly, he has essentially re-written the entire userland, as one package, maintained by one. More kernel patches are next.

    4. Re:Hang on a minute... by Anonymous Coward · · Score: 2, Insightful

      The problem is that systemd is light years ahead of pulse audio (LP's other main project) in terms of not breaking my system, but it shares a number of qualities from my perspective: it fixes problems that I don't have at the cost of throwing away things that I value. The quality of software he produces has improved quite a bit in the last 10 years, but his arrogance and inability to listen to the needs of his users has not changed much at all.

      The thing is, I *really* don't care if these projects exist. My main frustration is that Red Hat continues to exert its considerable political strength to ensure that these projects must be used by every distribution. If GNOME would work without systemd, then people could legitimately have a choice about what init system they want. As it is, a distribution has to choose between systemd and GNOME or a distro without GNOME (I've chosen to wipe GNOME from my box). In fact, as much as I think LP is utterly crap at running a software project, I blame Red Hat for employing him and placing him in a position where he has so much authority in what ultimately ends up on people's desktops.

      Keep in mind that Red Hat also pushed network manager (the thing that completely breaks network setups) as well and I don't think LP had a hand in that (though the problems are so similar that I often imagine he must have been responsible).

  4. Security by slashways · · Score: 5, Insightful

    Doing everything as systemd does, and adding 'su', is likely a new security threat.

    1. Re:Security by phantomfive · · Score: 5, Insightful

      Can you explain how it is "likely a new security threat" or is it simply FUD?

      Bruce Schneier (in Cryptography Engineering) pointed out that to keep something secure, you need to keep it simple (because exploits hide in complexity). When you have a large, complex, system that does a lot of different things, there's a high chance that there are security flaws. If you go to DefCon, speakers will actually say that one of the things they look for when doing 'security research' is a large, complex interface.

      So that's the reason. When you see a large complex system running as root, it means hackers will be root.

      --
      "First they came for the slanderers and i said nothing."
    2. Re:Security by chthon · · Score: 3, Insightful

      So that would maybe be the way to destroy systemd: organise a conference of security hackers, and only concentrate on systemd.

  5. quality engineering by phantomfive · · Score: 3, Insightful

    There is no reason the creation of privileged sessions should depend on a particular init system. It's fairly obvious that is a bad idea from a software design perspective. The only architectural reason to build it like that is because so many distros already include systemd, so they don't have to worry about getting people to adopt this (incidentally, that's the same reason Microsoft tried to deeply embed the browser in their OS.....remember active desktop?)

    If there are any systemd fans out there, I would love to hear them justify this from an architectural perspective.

    --
    "First they came for the slanderers and i said nothing."
    1. Re:quality engineering by QuietLagoon · · Score: 5, Insightful

      Poettering is following the philosophy that has created nearly every piece of bloated software that is in existence today: the design is not complete unless there is nothing more that can be added. Bloated software feeds upon the constant influx of new features, regardless of whether those new features are appropriate or not. They are new therefore they are justified.

      .
      You know you have achieved perfection in design, not when you have nothing more to add, but when you have nothing more to take away.
      -- Antoine de Saint-Exupery

  6. Re:BSD is looking better all the time by rubycodez · · Score: 2, Insightful

    That's what Poettering has been doing his whole life, getting into good open source projects, squatting and then shitting all over them. The infection, stink and filth then linger for decades. He's a cancer on open source.

  7. systemd is a broken concept by QuietLagoon · · Score: 4, Insightful

    ... Lennart Poettering's long story short: "`su` is really a broken concept. ...

    So every command that Poettering thinks may be broken is added to the already bloated systemd?

    .
    How long before there is nothing left to GNU/Linux besides the Linux kernel and systemd?

    1. Re:systemd is a broken concept by Anonymous Coward · · Score: 3, Insightful

      I'd just like to interject for a moment. What you're referring to as GNU/Linux, is in fact, Systemd/Linux, or as I've recently taken to calling it, Systemd plus Linux. GNU is not a modern userland unto itself, but rather another free component of a fully functioning Linux system that needs to be replaced by a shitty nonfunctional init system, broken logging system, and half-assed vital system components comprising a fully broken OS as defined by Lennart Poettering.

      Many computer users run a version of the Systemd system every day, without wanting it. Through a peculiar turn of events, the version of Systemd/Linux which is widely used today often still contains some working GNU components, and many of its users are not aware that they need to be replaced by the Systemd system, developed by Lennart Poettering.

      There really is a GNU/Linux, and some people are using it, but these people need to be forced to stop. Systemd is the light: the program in the system that owns the machine's resources and decides what other programs you can run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of Systemd. Linux should always be used in combination with the Systemd operating system: the whole system is basically Systemd with Linux graciously hosted, or Systemd/Linux. All the so-called Linux distributions are really distributions of Systemd/Linux!

  8. Re:What's with all the awkward systemd command nam by iggymanz · · Score: 1, Insightful

    mistype and execute the wrong command? No, not a common problem. Unix has man pages to look up commands, and man -k to find commands for a topic. Simple.

    And java conventions of long method camel case names are regarded as silly in other languages, descriptive short methods are very possible

    user = User.getUserByGuidBecauseImAJavaTwat(gid)
    vs
    user=User.(guid=gid)

  9. Re:What's with all the awkward systemd command nam by silas_moeckel · · Score: 4, Insightful

    So what you're saying is you like powershell?

    Aliases are not really a fix; you cannot reliably write shell script with them and stay portable.

    --
    No sir I dont like it.
  10. I, for one, welcome this addition... by tlambert · · Score: 5, Insightful

    I, for one, welcome this addition... every privilege escalation path you add is good for literally years of paid contract work.

  11. Change for change's sake by Anonymous Coward · · Score: 2, Insightful

    he is the guy who delivers.

    "Delivering" the wrong thing is not an asset, it's a liability.

    And that's why Poettering is a liability to the Linux community.

  12. Re:BSD is looking better all the time by 0123456 · · Score: 5, Insightful

    That's a bit rude... I think Poettering's main motivation has been to simply modernize Linux.

    Where 'modernize' is a codeword for 'shit all over'.

  13. Re:What is happening with the SJW stuff? by 0123456 · · Score: 1, Insightful

    The SJWs noticed they could make a lot of money working for a startup that has a crappy website and some VC funding, so they started getting jobs in the tech world. They didn't need to actually be able to do anything, because those VCs only cared that the company existed long enough to get an IPO. A company that pays a lot and lets them surf the web all day is ideal for an SJW.

    But, yes, Poettering seems to pretty much follow all the rules of the SJW-ism, even if I haven't seen him out protesting with them. And systemd is a bloated, centralized bureaucracy imposed on the population because the Great Leader says so. Just like Communism.

  14. Re:BSD is looking better all the time by phantomfive · · Score: 5, Insightful

    That's a bit rude... I think Poettering's main motivation has been to simply modernize Linux.

    Yeah, that's true. He sees features people want, and he builds them. For example, Debian distro builders were frustrated writing init scripts, so Poettering made something that filled the need of those distro builders. That's why it got adopted, because it contained features they wanted.

    The problem of course is that he doesn't understand the Unix way, especially when it comes to good interfaces between code (IMNSHO).

    The people who like systemd tend to like the features.......the people who dislike it, the architecture.

    --
    "First they came for the slanderers and i said nothing."
  15. Re:BSD is looking better all the time by menkhaura · · Score: 4, Insightful

    Please remember devuan (http://www.devuan.org), a Debian fork which aims to do away with systemd and all that bullcrap. It's picking up steam, and I believe things like these make it more and more worth it to help the new fork.

    --
    Stupidity is an equal opportunity striker.
    Fellow slashdotter Bill Dog
  16. Thinking about leaving any systemd linux behind by wnfJv8eC · · Score: 5, Insightful

    I am really tired of systemd. So really tired of the developers shoving that shit down the linux throat. It's not pretty, it seems to grow out of control, taking on more and more responsibility .... I don't even have an idea how to look at my logs anymore. Nor how to clear the damn things out! Adding toolkits should make the system as clear to understand as it was, not more complex. If it gets any worse it might as well be Windows 10! init was easy to understand, easy to use. syslog was easy to read, easy to understand and easy to clear. All this bull about "it's a faster startup" is just ... well bull. I'm using a computer 20 times faster than I was a decade ago. You think 20 seconds off a minute startup is an achievement? It's seconds on a couple of days uptime; big f*cking deal. Redhat, Fedora, turn away from the light and return to your roots!

  17. Of course "su" *IS* a broken concept !! by Taco+Cowboy · · Score: 2, Insightful

    Lennart Poettering's long story short: "`su` is really a broken concept

    Of course to Lennart Poettering "su" is broken !!

    Long story short --- To that egotistical son of a bitch, anything that is not made by him MUST BE 'broken'

    'nuff said!

    --
    Muchas Gracias, Señor Edward Snowden !
  18. Re:BSD is looking better all the time by phantomfive · · Score: 3, Insightful

    I had trouble with init scripts. The systemd init subsystem was a better approach. The problem was, systemd also brought in a lot of stuff that wasn't directly part of the init subsystem that I didn't want, don't want, and don't see any probability of ever wanting.

    Yeah, that's basically the problem. Systemd is really three different things:

    1) init system
    2) cgroups manager (cgroups architecture is still crap, btw)
    3) session manager

    It probably does more stuff, but it's hard to keep track of it all

    --
    "First they came for the slanderers and i said nothing."
  19. Re:What's with all the awkward systemd command nam by Kjella · · Score: 1, Insightful

    And java conventions of long method camel case names are regarded as silly in other languages, descriptive short methods are very possible

    user = User.getUserByGuidBecauseImAJavaTwat(gid)
    vs
    user=User.(guid=gid)

    And that makes sense to you? I don't recognize the language, but my guess it's one dot away from creating a user "user=User(guid=gid)". And if guid is a member variable, why are you assigning a value to it? Looks to me like you have some unnamed (...) function, does that imply "find"? Why? Go to your nearest CS school and 9 out of 10 pupils will figure out the purpose of the first function on the first try. You'd be lucky if 2 of 10 managed to guess the second. You're the kind of idiot which means people need 3-6 months of bootup time just to get into the head of the fucker who wrote the code.

    I hate writing long variable and function names. I hate reading short variable and function names. And I've been back and forth, but here's my refined opinion: If you can't tell WTF the code is doing at a glance and want to add a micro-comment like "// find user", it's too obtuse. If you're trying to write a whole comment in the name like "getUserThatIsSomethingSomethingForWhateverBeforeThisAfterThat()", call it "getUser()" and write a damn comment. If it's ambiguous, it's fine to start small and extend like if you used to have getUser() now you have getUserByGuid() and getUserByName().

    As for the get/set prefix, I prefer the simpler user.guid() over user.getGuid() as it's really more a property than a function, you're just abstracting the implementation from the interface. Also you basically don't get any autocomplete before the 4th letter and it's not going to be consistent anyway, for true/false conditions you typically use "isSomething()". In this particular case for a function I'd much rather call it "findUserByGuid()" though indicating it's a search on a set, not simply returning a value. Likewise if you have a class where you set numbers a and b and calculate the GCD, I'd much rather call the function calculateGcd() than getGcd() to point out that this function does the work. It gets a little ambiguous at times with "returnAddress()" the property vs "returnShipment()" the function where I sometimes reconsider that "getReturnAddress()" would be clearer but in 99% of the cases it's fine.

    --
    Live today, because you never know what tomorrow brings
  20. The way this should end by techno-vampire · · Score: 3, Insightful

    PoetteringOS

    In the long run, he's not going to be satisfied until he's created his own OS, kernel and all because he calls anything he didn't write a "broken concept," whatever that is, and does his best to shove his version down everybody's throat. And, since his version is far more complex, far more pervasive and much, much harder to use or maintain, the community suffers. I do wish he would get off the pot and start developing the One True (Poettering) kernel so that the rest of the world can go back to ignoring him.

    --
    Good, inexpensive web hosting
  21. Ever stop and ask why? by walterbyrd · · Score: 5, Insightful

    This has been going on for years, and has years more to go. This is a long term strategy.

    But why?

    Why has Red Hat been replacing standard Linux components with Red Hat components, when the Red Hat stuff is worse?

    Why isn't systemd optional? It is just an init replacement, right? Why does Red Hat care which init you use?

    Why is systemd being tied to so many other components?

    Why binary logging? Who asked for that?

    Why throw away POSIX, and the entire UNIX philosophy? Clearly you do not have to do that just to replace init.

    Why does Red Hat instantly berate anybody who does not like systemd? Why the barrage of ad hominem attacks on systemd critics?

    I think there is only one logical answer to all of those questions, and it's glaringly obvious.