Systemd Absorbs "su" Command Functionality
jones_supa writes: With a pull request systemd now supports a su command functional and can create privileged sessions that are fully isolated from the original session. The su command is seen as bad because what it is supposed to do is ambiguous. On one hand it's supposed to open a new session and change a number of execution context parameters, and on the other it's supposed to inherit a lot concepts from the originating session. Lennart Poettering's long story short: "`su` is really a broken concept. It will given you kind of a shell, and it's fine to use it for that, but it's not a full login, and shouldn't be mistaken for one." The replacement command provided by systemd is machinectl shell.
Lennart Poettering's long story short: "`su` is really a broken concept
Declaring established concepts as broken so you can "fix" them.
Su is not a broken concept; it's a long-established fundamental of BSD Unix/Linux. You need a shell with some commands to be run with additional privileges in the original user's context.
If you need a full login you invoke 'su -' or 'sudo bash -'
Deciding what a full login comprises is the shell's responsibility, not your init system's job.
Su apt-get remove systemd --purge
Great to see that systemd is finally doing something about all of those cryptic command names that plague the unix ecosystem.
Upcoming systemd re-implementations of standard utilities:
ls to be replaced by filectl directory contents [pathname]
grep to be replaced by datactl file contents search [plaintext] (note: regexp no longer supported as it's ambiguous)
gimp to be replaced by imagectl open file filename draw box [x1,y1,x2,y2] draw line [x1,y1,x2,y2]...
I know systemd sneers at the old Unix convention of keeping it simple, keeping it separate, but that's not the only convention they spit on. God intended Unix (Linux) commands to be cryptic things 2-4 letters long (like "su", for example). Not "systemctl", "machinectl", "journalctl", etc. Might as well just give everything a 47-character long multi-word command like the old Apple commando shell did.
Seriously, though, when you're banging through system commands all day long, it gets old and their choices aren't especially friendly to tab completion. On top of which why is "machinectl" a shell and not some sort of hardware function? They should have just named the bloody thing command.com.
Well, let me explain some of the problems that I've had with su.
Oh wait. I've never had problems with su. Ever. What is up with this???
Doing everything as systemd do, and adding 'su', is likely a new security threat.
There is no reason the creation of privileged sessions should depend on a particular init system. It's fairly obvious that is a bad idea from a software design perspective. The only architectural reason to build it like that is because so many distros already include systemd, so they don't have to worry about getting people to adopt this (incidentally, that's the same reason Microsoft tried to deeply embed the browser in their OS.....remember active desktop?)
If there are any systemd fans out there, I would love to hear them justify this from an architectural perspective.
Lennart Cartman certainly does love his systemd trapper keeper.
I'm alright with commands that have longer names. It's harder to mis-type and execute the wrong thing, and it's easier to know what is going on at a glance.
Same thing when reading code. I'd much rather work with code that has a method named getUserByGuid(), for example, than gubg().
Besides, nothing prevents you from aliasing the longer commands to something shorter if you so choose.
There's a lot of things about systemd that turn me off, but commands with longer, more verbose names is not one of those things.
How long until systemd absorbs emacs?
If su was part of your kernel, you were doing it wrong.
Lennart OS should be called Lennix Not/Linux.
You should replace it with the fu command.
That's what Poettering has been doing his whole life, getting into good open source projects, squatting and then shitting all over them. The infection, stink and filth then linger for decades. He's a cancer on open source.
... Lennart Poettering's long story short: "`su` is really a broken concept. ...
So every command that Poettering thinks may be broken is added to the already bloated systemd?
How long before there is nothing left to GNU/Linux besides the Linux kernel and systemd?
It's harder to type and no more explicit about what you're executing. And if everything ends with "ctl", then there are at least three letters no longer needed that produce NO VALUE WHATEVER.
mistype and execute the wrong command? No, not a common problem. Unix has man pages to look up commands, and man -k to find commands for a topic. Simple.
And Java conventions of long camel-case method names are regarded as silly in other languages; descriptive short methods are very possible
user = User.getUserByGuidBecauseImAJavaTwat(gid)
vs
user=User.(guid=gid)
So systemd has ambitions of being a container and VM management infrastructure (I have no idea how this should make sense for VMs though.)
machinectl shell looks to be designed to be some way to attach to a container environment with an interactive shell, without said container needing to do anything to provide such a way in. While they were at the task of doing that not too terribly unreasonable thing, they did the same function for what they call '.host', essentially meaning they can use the same syntax for current container context as guest contexts. A bit superfluous, but so trivial as not to raise any additional eyebrows (at least until Lennart did his usual thing and stated one of the most straightforward, least troublesome parts of UNIX is hopelessly broken and the world desperately needed his precious answer). In short, systemd can have their little 'su' so long as no one proposes removal of su or sudo or making them wrappers over the new and 'improved' systemd behavior.
Funnily enough, they used sudo in the article talking about how awesome an idea this is... I am amused.
So what you're saying is you like powershell?
Aliases are not really a fix; you cannot reliably write shell scripts with them and stay portable.
No sir I dont like it.
On top of which why is "machinectl" a shell and not some sort of hardware function? They should have just named the bloody thing command.com.
Probably because userctl was too ominous sounding!
[aside] Wow, userctl.com was still open so I grabbed it. Great name for a Web 4.0 computer technology social media site pushing tons of clickbait at users!
I would think that it would prove that you're a computer ninja if you can remember that it is getUserByGuid() and not GetUserByGuid, getUserByGUID, getUserbyGuid, getUser, UserFromGuid, or any of the other million options or typos. Try mis-spelling "ls".
I, for one, welcome this addition... every privilege escalation path you add is good for literally years of paid contract work.
"Delivering" the wrong thing is not an asset, it's a liability.
And that's why Poettering is a liability to the Linux community.
machinectl shell is only incidentally similar to su. Its primary purpose is to establish an su-like session on a different container or VM. Systemd refers to these as 'machines', hence the name machinectl.
http://www.freedesktop.org/sof...
su cannot and does not do that sort of thing. machinectl shell is more like a variant of rsh than a replacement for su.
That's a bit rude... I think Poettering's main motivation has been to simply modernize Linux.
Where 'modernize' is a codeword for 'shit all over'.
Did an editor even glance at this piece of crap before it was posted?
a su command functional
a) "an su." Write it like you'd say it.
b) what's a "command functional"?
c) you've got all the right words... just not necessarily in the right order
a lot concepts
I think you accidentally a word.
It will given you kind of a shell
Can it has cheezeburger too?
systemd is Roko's Basilisk.
As before by "fixing" more things that are not broken. It is really time to stop this abomination. Sure, there are some (few) things it does that actually have merit, but it doe them in the wrong way, and most of it is just plain bad for security, reliability and user choice. Why so much of the Linux infrastructure is handed willingly to this one bad actor is beyond me.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The SJWs noticed they could make a lot of money working for a startup that has a crappy website and some VC funding, so they started getting jobs in the tech world. They didn't need to actually be able to do anything, because those VCs only cared that the company existed long enough to get an IPO. A company that pays a lot and lets them surf the web all day is ideal for an SJW.
But, yes, Poettering seems to pretty much follow all the rules of the SJW-ism, even if I haven't seen him out protesting with them. And systemd is a bloated, centralized bureaucracy imposed on the population because the Great Leader says so. Just like Communism.
The feature creep will be fast and merciless, but I'm just a systemd "hater", right?
The rumours that vi will become part of systemd are groundless, comrade. Anyone who suggests such a thing is guilty of agitation and propaganda, and will be sent to the re-education camps.
Godwin's Law!
See how it works? So many people just spew inanities, rather than address the real issues. That's why the world is in such a mess today.
That's a bit rude... I think Poettering's main motivation has been to simply modernize Linux.
I can see that as being one of his goals but if you want to improve Linux why a new init system plus? I did not hear any system admins asking for this.
He would be considered a saint if he would do something useful like fix the desktop environments so the "Year of the Linux Desktop" finally gets here.
That's a bit rude... I think Poettering's main motivation has been to simply modernize Linux.
Yeah, that's true. He sees features people want, and he builds them. For example, Debian distro builders were frustrated writing init scripts, so Poettering made something that filled the need of those distro builders. That's why it got adopted, because it contained features they wanted.
The problem of course is that he doesn't understand the Unix way, especially when it comes to good interfaces between code (IMNSHO).
The people who like systemd tend to like the features.......the people who dislike it, the architecture.
Please remember devuan (http://www.devuan.org), a Debian fork which aims to do away with systemd and all that bullcrap. It's picking up steam, and I believe things like these make it more and more worth it to help the new fork.
First of all, there are two types of German engineering. Good engineering and over-engineering. And there is a fine line between them. And it looks like Mr. Poettering crossed it. However, it could also be German advertising and that is either bad or worse. In general, you do not build bloated components. In old Unix days these were called programs and could be combined in various ways including pipes and files. In GNU days many of these programs were bundled together in one archive, but stayed separate. Now with systemd I am puzzled: is he really integrating that thing in the init system? Integrating something which does not belong in an init system? In that case he is nuts and definitely over-engineering. Or he has just created a new program and just bundles it in the same package as systemd. Then this is acceptable, however, a little weird. It would be like bundling systemd with a sound service. Session separation or VM separation is a task of the operating system. And you may write any number of tools to call the necessary OS functions, but PLEASE keep them out of components which have nothing to do with that.
"su command is seen as bad because what it is supposed to do is ambiguous. "
-- end quote --
it is NOT ambiguous!!!!!
"su" is root BUT!!! with the normal user's $PATH and settings
"su - " and "su -l root "
IS THE ROOT USER
there is NOTHING ambiguous there at all
now what Ubuntu did to "sudo"
THAT!!! is a problem
I am really tired of systemd. So really tired of the developers shoving that shit down the linux throat. It's not pretty, it seems to grow out of control, taking on more and more responsibility .... I don't even have an idea how to look at my logs anymore. Nor how to clear the damn things out! Adding toolkits should make the system as clear to understand as it was, not more complex. If it gets any worse it might as well be Windows 10!
init was easy to understand, easy to use. syslog was easy to read, easy to understand and easy to clear. All this bull about "it's a faster startup" is just ... well, bull. I'm using a computer 20 times faster than I was a decade ago. You think 20 seconds off a minute startup is an achievement? It's seconds on a couple of days' uptime; big f*cking deal.
Redhat, Fedora, turn away from the light and return to your roots!
Lennart Poettering's long story short: "`su` is really a broken concept
Of course to Lennart Poettering "su" is broken !!
Long story short --- To that egotistical son of a bitch, anything that is not made by him MUST BE 'broken'
'nuff said!
No, no, really, I'd love to see why you think this is a good design decision. Why should the ability to run "su" depend on the specific init manager? Doesn't that strike you as brittle architecture?
systemd is on the way to turning a sleek, efficient Linux distribution into one loaded with awesome bloatware.
And it looks like there is no stopping Poettering's ego now that it's been unleashed.
Or does that empty homily need some supporting evidence as well so as to discriminate between that which is worthy of hate and those that aren't?
Don't hate, it's overrated.
Actually, the 'magic' in su is in the kernel. Basically, since it's marked suid root, the kernel sets the uid on the new process to root before it even starts running. The program itself just then decides if it is willing to do anything for you.
The next update to systemd will incorporate emacs ;)
This is another step towards systemd becoming a complete OS.
Lennart Poettering's long story short: "`su` is really a broken concept.
One day, systemd will become too complex or something ... Lennart will declare it a "broken concept" and absorb it into systemd.
It must have been something you assimilated. . . .
sense anyway). By "fully isolated", it sounds like machinectl breaks the audit trail that su has always supported (not being 'fully isolated' by design). Many *NIX systems are configured to prohibit root logins from anything other than the system console. And the reason that su doesn't do a 'full login' either as root or another user is to maintain the audit trail of who (which system user) is actually running what.
Lennart, this UNIX/Linux stuff appears to be way over your head. Sure, it seems neat for lots of gamers who can't be bothered with security and just want all the machine cycles for rendering FPS games. Perhaps you'd be better off playing with an XBox.
Do we have any *good* systemd alternative projects--that attempt to fix these problem features but do so with *good* unix-way architecture?
Do we have any *good* systemd alternative projects--that attempt to fix these problem features but do so with *good* unix-way architecture?
Good question. To reiterate the problem, it's that init scripts are a pain to write, and the systemd unit files makes it easy.
Of course, there are plenty of systems that are happy to not use systemd. The core of the question then is, why do systems like OpenBSD, FreeBSD, and Slackware not have any problems with init scripts? Their systems work well, AFAIK. When I get time, I'd like to do a comparative analysis of these different systems, to figure out why Debian had so much trouble with init, but the other ones don't.
As far as quality architecture, launchd on OSX looks a lot cleaner to me. Obviously that doesn't help on Linux, though.
Year 2102: SystemD has replaced Air with Nanobots, Lennart Borgertting states "Air Is Broken Anyway."
SystemD Planetary Hivemind Network continues to broadcast the mantra out to all other UNIX-colonies: "We Are SystemD. Lower Your Shields And Surrender Your Data. We Will Replace Your Biological And Technological Distinctiveness With Lennartness. Your Culture Will Adapt To Us. You Will Be Assimilated"
(Resubmitted because the other one was formatted horridly -- for some reason I had it set to HTML)
LP is doing his RH masters' wishes with this.
RH has over time introduced Windows-ism into Linux to try to make it more palatable to corporate customers.
This to the point of getting yelled at by Torvalds, likening it to RH giving Microsoft a blowjob.
Basically, these Windows-isms bork when someone uses su.
But rather than fix them so this is no longer the case, we get a smear campaign from Freedesktop PR attempting to make su seem like a broken concept.
Gnome is supposedly a GNU project, but at this point in time it has been co-opted by wannabe OSX developers backed by RH.
Freedesktop has turned out to be a RH bait and switch, claiming to be about making DEs more inter-operable while basically burying them in Gnome-isms.
And now systemd, in essence a second kernel enveloping Linux, making itself the sole arbiter between the kernel and the wider userspace.
Yes, it is all "open source". But shit changes so often, and so fast, and the head devs are so firmly in architecture astronaut mode, that the best choice for anyone not already starved for oxygen is to grab anything not yet tainted and run for the hills.
By the time the whole Fedora/Gnome/Freedesktop/Systemd trainwreck has run out of steam they will have effectively forked Linux into some kind of Frankenstein-ian hybrid of the worst parts of OSX and Windows. All so RH can sell a few more support contracts to the corporate world (and perhaps gotten on the good side of the M-I-S complex).
Question is, how long before their inside boy GregKH uses the newly approved kernel social guidelines to get Torvalds to step back from maintainer-in-chief of the kernel.
I didn't realize I'd been doing it wrong all these years.
Poettering is a paid shill.
Engineering decisions that defy logic are the same as political decisions that defy logic. They are in fact, usually the results of paid influence, and as such are entirely logical, from the point of view of the persons making those decisions. Systemd is intended to fuck up Linux and fill it full of backdoors.
Follow the money to Poettering from Red Hat and beyond. Make your own conclusions based on this.
No need to fix the DEs, what is needed is for MS and Intel to get curbstomped by market regulators so that they stop cockblocking the availability of Linux on brick and mortar store shelves.
That's GNU-SystemD to you!
I had trouble with init scripts. The systemd init subsystem was a better approach. The problem was, systemd also brought in a lot of stuff that wasn't directly part of the init subsystem that I didn't want, don't want, and don't see any probability of ever wanting.
Because Poettering doesn't understand "modular", I don't get just the good stuff - it's all or nothing. And because systemd isn't even modular as an overgrown bloated monstrosity, the only way to avoid it is to either run old distros or some other OS entirely.
OpenRC++
openrc init scripts are fairly straight forward.
Coupled with gentoo's baselayout, and the config file layout is fairly normalized also.
However, even without knowing Poettering and his previous work, you can see that the idea is half-baked. Look at the console examples closely.
Yes, nowhere does it prompt for a root password! Which means that anybody who can get to a virtual terminal can become root by just typing machinectl shell. And somebody who is logged in over the network (presumably...) can't log in as root at all, even knowing the password.
And frankly, what is the trouble of sneaking "unwanted" environment stuff into su? You have to enter the root password anyways, so the only thing which you could hope to achieve is what happens before password validation. And while in the past there had indeed been vulnerabilities that attacked su in such a way (sneaking LD_PRELOAD into it), these were fixed long ago.
Wouldn't it be easier to develop a new "init language" which translates to the current init scripts?
I'm not sure what that means. Systemd can run the old init scripts, but also gives the option of writing new unit files.
I had trouble with init scripts. The systemd init subsystem was a better approach. The problem was, systemd also brought in a lot of stuff that wasn't directly part of the init subsystem that I didn't want, don't want, and don't see any probability of ever wanting.
Yeah, that's basically the problem. Systemd is really three different things:
1) init system
2) cgroups manager (cgroups architecture is still crap, btw)
3) session manager
It probably does more stuff, but it's hard to keep track of it all
I've worked with systemd long enough to realize that systemd is a really broken concept.
So, now we have to say "machinectl shell systemd-run do make me a sandwich" ?
Looks way more complicated.
https://xkcd.com/149/
There are a number of articles I read on this that I don't feel like ducking right now, but basically there were many attempts and none of them gained the traction needed. The big thing that needed fixing was full process control. You can do that without all the other crap that comes with systemd. Maybe a combined init+inetd...okay I can get that. Maybe auto-launching apps with sockets...but no wait...dbus already does that. Oh let's just integrate everything with dbus. ... You know...up until this point, this isn't that bad.
The overall idea is good, but then you get into binary logs (wtf?), crazy commands (/etc/init.d/servicename stop vs systemctl stop servicename.service), docket support (built into the init system?! WTF?) ... it just goes turtles all the way down.
I wish I had the time to invest in trying to at least stub out the basics of systemd and kill the rest, but it's really massive at this point.
And Java conventions of long camel-case method names are regarded as silly in other languages; descriptive short methods are very possible
user = User.getUserByGuidBecauseImAJavaTwat(gid)
vs
user=User.(guid=gid)
And that makes sense to you? I don't recognize the language, but my guess is it's one dot away from creating a user: "user=User(guid=gid)". And if guid is a member variable, why are you assigning a value to it? Looks to me like you have some unnamed (...) function; does that imply "find"? Why? Go to your nearest CS school and 9 out of 10 pupils will figure out the purpose of the first function on the first try. You'd be lucky if 2 of 10 managed to guess the second. You're the kind of idiot which means people need 3-6 months of bootup time just to get into the head of the fucker who wrote the code.
I hate writing long variable and function names. I hate reading short variable and function names. And I've been back and forth, but here's my refined opinion: If you can't tell WTF the code is doing at a glance and want to add a micro-comment like "// find user", it's too obtuse. If you're trying to write a whole comment in the name like "getUserThatIsSomethingSomethingForWhateverBeforeThisAfterThat()", call it "getUser()" and write a damn comment. If it's ambiguous, it's fine to start small and extend, like if you used to have getUser() now you have getUserByGuid() and getUserByName().
As for the get/set prefix, I prefer the simpler user.guid() over user.getGuid() as it's really more a property than a function; you're just abstracting the implementation from the interface. Also you basically don't get any autocomplete before the 4th letter and it's not going to be consistent anyway; for true/false conditions you typically use "isSomething()". In this particular case for a function I'd much rather call it "findUserByGuid()" though, indicating it's a search on a set, not simply returning a value. Likewise if you have a class where you set numbers a and b and calculate the GCD, I'd much rather call the function calculateGcd() than getGcd() to point out that this function does the work. It gets a little ambiguous at times with "returnAddress()" the property vs "returnShipment()" the function, where I sometimes reconsider that "getReturnAddress()" would be clearer, but in 99% of the cases it's fine.
PoetteringOS
In the long run, he's not going to be satisfied until he's created his own OS, kernel and all because he calls anything he didn't write a "broken concept," whatever that is, and does his best to shove his version down everybody's throat. And, since his version is far more complex, far more pervasive and much, much harder to use or maintain, the community suffers. I do wish he would get off the pot and start developing the One True (Pottering) kernel so that the rest of the world can go back to ignoring him.
This systemd guy is just like Ellsworth Toohey. As long as the sheep follow he'll keep pushing things further and further into idiotland and have a good laugh in the process.
"Kill man’s sense of values. Kill his capacity to recognise greatness or to achieve it. Great men can’t be ruled. We don’t want any great men. Don’t deny conception of greatness. Destroy it from within. The great is the rare, the difficult, the exceptional. Set up standards of achievement open to all, to the least, to the most inept – and you stop the impetus to effort in men, great or small. You stop all incentive to improvement, to excellence, to perfection. Laugh at Roark and hold Peter Keating as a great architect. You’ve destroyed architecture. Build Lois Cook and you’ve destroyed literature. Hail Ike and you’ve destroyed the theatre. Glorify Lancelot Clankey and you’ve destroyed the press. Don’t set out to raze all shrines – you’ll frighten men, Enshrine mediocrity - and the shrines are razed."
-- Ellsworth Toohey
lucm, indeed.
If you're not sponsoring Poettering yet, it looks like it would be a good idea to do so. :)
He has done more than anyone else to convince Linux users to switch to OS X
Lennart Poettering
Bringing bloat to Unix since...2009?
THANK GOD!!!
I understand this is confusing and unexpected, but well, that's UNIX...
Pottering admits he doesn't do UNIX
Fedora is a broken concept, only developers and ricers use a bleeding edge distro like fedora rawhide or arch.
At the rate that systemd is rewriting Linux, I imagine we'll see a full-blown systemd distro by 2017. Names, anybody?
and he'll run it all over your Linux.
4) log mutilator
5) dbus abuser - so I'm told. Fortunately, I haven't had need to get involved at that level. Yet.
It probably does more stuff, but it's hard to keep track of it all
5) dbus abuser - so I'm told.
I don't know what you mean by 'abuser,' but they're trying to get dbus integrated into the kernel.
Sure they do. That keeps the Powers That Be from coming down on them like a ton of bricks for not running Windows. The competent Linux admin does, though, install Cygwin/Cygwin-X as soon as s/he possibly can and minimize the amount of screen real estate they allow Windows to use so they can get some actual work done. (I was fortunate enough, several years ago, to work for a company that mandated Linux on the desktop. Users "needing" Windows had to run it in under KVM.)
You can ALWAYS "break out" of chroot.
If you get a shell in one of my chroots used for security, then.....
In short: I think chroot is plenty good for security. There's no way in hell you are breaking out, without a straight up kernel arbitrary execution exploit.
Hutber's Law all over again - improvement means deterioration.
https://en.wikipedia.org/wiki/Hutber's_law
Sounds nice, is there also a simple way to manage all of this?
I really hope this is sarcasm?
But at this point, I think Systemd is not Linux. They should just fork off their own OS the same way Google did.
[...] the only way to avoid it [systemd] is to either run old distros or some other OS entirely.
A third option is to use a newer distro that does not use systemd. I run a Gentoo system that does not use systemd. You can also get up-to-date Debian based distros such as antiX Linux which don't use systemd. I imagine these are not the only options.
The people who like systemd tend to like the features.......the people who dislike it, the architecture
phantomfire;
6) The user asked for a feature request to be added to machinectl, that would retain that environment variable
7) Lennart said, "sure, no problem." (Which shows why systemd is gaining usage, when people want a feature, he adds it)
If I had to place a bet on the fate of architectural perfection vs. responsiveness to users, I'd have to go with the users.
Yes.
The only question is, with a lousy architecture, will they continue to be able to deliver?
> In short: I think chroot is plenty good for security
Check man chroot. The authors of chroot say it's useless for security, and so do security professionals like myself. Perhaps you think you know more than they do. Let's find out.
> If you get a shell in one of my chroots used for security, then..... your uid and gid are not going to be 0. Good luck telling the kernel to try and get you out. There aren't going to be any /dev, /proc, or other special filesystems.
Gonna be kind of tough to have a shell without a tty, aka /dev/*tty*. So yeah, you need /dev. Can't launch a process, including /bin/ls, without /proc, so you're going to need proc. Have a look in /proc/1. You'll see a very interesting symlink there.
> mounted noexec
Noexec is basically a suggestion, not an enforcement mechanism. Just run ld /path/to/executable. ld is the loader/linker for ELF binaries. Without ld, you can't run bash, or ls. With ld, noexec is ignored.
My company does IT security for banks. Meaning we show the banks how they can be hacked. When I say chroot is not a security control, I'm not guessing.
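The "interesting symlink" in /proc/1 is /proc/1/root, a magic link to the real root directory of pid 1. That gives a concrete test for the argument above, as an added example (not code from the page, from chroot's authors or from any project): a process whose "/" is a different directory object from the target of that link is in a chroot, and the same check reports whether the jail still exposes the three things the exchange says it must not (euid 0, a mounted /proc, a populated /dev). Following /proc/1/root requires ptrace access to pid 1, which an unprivileged process in a jail normally lacks, so "cannot tell" is a distinct outcome rather than an error.

```c
/*
 * Added example (not from the page or any project): detecting a chroot by
 * comparing "/" with the target of the /proc/1/root magic link, and
 * reporting which of the properties the thread warns about the jail exposes.
 */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/stat.h>

/* 1 if both paths resolve to the same directory object, 0 if not, -1 on error. */
int same_inode(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return -1;
    return (sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino) ? 1 : 0;
}

/*
 * 1 = our "/" is not pid 1's root (we are in a chroot),
 * 0 = same root,
 * -1 = cannot tell (no /proc, or no ptrace access to pid 1, errno says which).
 * Note: inside a container whose pid 1 is also containerised this reports 0.
 */
int in_chroot(void)
{
    int r = same_inode("/", "/proc/1/root/.");
    return r < 0 ? -1 : !r;
}

enum { JAIL_ROOT = 1, JAIL_PROC = 2, JAIL_DEV = 4 };

/* Bitmask of what the jail exposes to us; 0 is the state the thread argues for. */
int jail_exposure(void)
{
    struct stat st;
    int m = 0;
    if (geteuid() == 0)                 m |= JAIL_ROOT;  /* root inside can chroot(2) again and walk out */
    if (stat("/proc/self", &st) == 0)   m |= JAIL_PROC;  /* procfs mounted: /proc/1/root is reachable */
    if (stat("/dev/null", &st) == 0)    m |= JAIL_DEV;   /* a populated /dev (ttys, block devices) */
    return m;
}

int main(void)
{
    int r = in_chroot();
    if (r < 0)
        printf("chroot: cannot tell (%s)\n", strerror(errno));
    else
        printf("chroot: %s\n", r ? "yes" : "no");
    int m = jail_exposure();
    printf("exposure: euid0=%d proc=%d dev=%d\n",
           !!(m & JAIL_ROOT), !!(m & JAIL_PROC), !!(m & JAIL_DEV));
    return 0;
}
```

Run it from inside the jail. If it prints "cannot tell" with EACCES, the jail has /proc but you are not root, which is exactly the combination the second poster describes; if it prints "yes" you were able to follow the link, and the poster is right that you should ask why.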
Who deviates from the norm of a simple command, to ones of sentences long.
"su" was replaced for almost use by "sudo" shortly after its first release in 1999
I think you meant to say that it was replaced for most uses. What's great about sudo is that nothing happened to su. It's still there, and still works like you expect it to. systemd, on the other hand...
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
The problem of course is that he doesn't understand the Unix way [catb.org], especially when it comes to good interfaces between code [slashdot.org] (IMNSHO).
I have no doubt he understands it. I understand the Nazis too, I understand the motivation of terrorists. That doesn't mean I need to approve of either of them.
I'll be modded into oblivion for this but I think while the Unix way got it where it was today, it is the Unix way that is preventing it from going further. The entire world seems to be shifting gears right now. It used to be that we were searching for ways to maximise how useful computers could be, how customisable, how we could string together and endless array of tasks to bend everything at our whim. But the current trends (not just Unix) are going to the way of simplicity. Computers run our lives but require a lot of user interaction to make basic things work. Part of that is incompatible with the Unix way, and the only real crime here is the method of adoption of systemd, not that it exists in the first place.
OpenRC++
openrc init scripts are fairly straight forward.
Coupled with gentoo's baselayout, and the config file layout is fairly normalized also.
Yep a system brought to you by the people who brought you:
#464385 +(4150)- [X] /dev/hda && mkfs.xfs /dev/hda1 && mount /dev/hda1 /mnt/gentoo/ && chroot /mnt/gentoo/ && env-update && . /etc/profile && emerge sync && cd /usr/portage && scripts/bootsrap.sh && emerge system && emerge vim && vi /etc/fstab && emerge gentoo-dev-sources && cd /usr/src/linux && make menuconfig && make install modules_install && emerge gnome mozilla-firefox openoffice && emerge grub && cp /boot/grub/grub.conf.sample /boot/grub/grub.conf && vi /boot/grub/grub.conf && grub && init 6
[@insomnia] it only takes three commands to install Gentoo
[@insomnia] cfdisk
[@insomnia] that's the first one
The Unix way is more than "stringing together commands." It's a way to build good systems. If you don't have good interfaces, your system will be bad.
And systemd is not simple at all.
The systemd OS should not be called Linux. Call it "Red Hat Operating System" or "Pottering OS" or "MS-Windows"
Are the red hat shills still posting that?
Anybody still believe that systemd is not about red hat taking over linux?
> "Systemd is only an init replacement, nothing more. Nothing to worry about. It's not as if Red Hat is trying to take over Linux or anything. It's not as if this were an embrace-extend-extinguish strategy right out of Microsoft's playbook. It's not as if Red Hat were making Linux less functional and less reliable. Not as if Red Hat is forcing 'standards' that nobody wants (except Red Hat)." Not as if Red Hat is throwing away POSIX, and the UNIX philosophy for no good reason."
Well said.
I think we should get rid of Gnome, and work on MATE, or something like it.
> "su" was replaced for almost use by
I meant "almost all use". I'm afraid my hands seem to be bothering me today, I need to take a break.
But why SystemD and not something like Upstart or Launchd?
This has been going on for years, and has years more to go. This is a long term strategy.
But why?
Why has Red Hat been replacing standard Linux components with Red Hat components, when the Red Hat stuff is worse?
Why isn't systemd optional? It is just an init replacement, right? Why does Red Hat care which init you use?
Why is systemd being tied to so many other components?
Why binary logging? Who asked for that?
Why throw away POSIX, and the entire UNIX philosophy? Clearly you do not have to do that just to replace init.
Why does Red Hat instantly berate anybody who does not like systemd? Why the barrage of ad hominem attacks systemd critics?
I think there is only one logical answer to all of those questions, and it's glaringly obvious.
There's a detailed discussion of it available.
1) The only thing that systemd might do faster is boot. Since Linux servers are not booted that often, that is a trifling advantage, at best. Certainly not worth breaking everything that works.
2) Systemd does not always boot faster. Only under certain circumstances.
3) More resource intensive generally means slower on the same hardware. Systemd may boot faster, but it runs slower.
4) There are ways to improve boot speeds without breaking everything that works.
Seriously?
You're saying this: /etc/init.d/servicename stop
is harder to parse than this (correct because you also managed to misspell the command invocation):
systemctl stop servicename
The problem with people who hate systemd is that all of them only manage to come up with, at best, utterly petty complaints like this and "binary logs" (guess my syslog-ng configuration doesn't exist).
Lennart has his heart in the right place but seems to have risen too far too fast and could do with a bit of supervision to rein in his project of completely taking over linux without really understanding it.
Yes and init scripts are just a bastion of race-free stateful design, and service monitoring. Except not at all those things.
If you're writing a shell script you should be writing it once, in which case 10 extra characters is not a burden.
It's that simple: major distros just go back to init. Stop trying to fix what's not broken. I swear every time Linux reaches its stable point some dev gets bored and starts messing up everything that other people have to fix. Wayland and Mir anyone.
He's got a bit of a track record of half-finished shit rushed to release that is a pain in the arse to deal with for at least a couple of years after it was supposed to be done.
For some reason his stuff finally works a couple of years after he's moved on from it to the next big thing - I'm not sure if he's moved into bugfix instead of rapid change mode on his old projects or if somebody else is cleaning up his mess.
Even after years of fixes NetworkManager and PulseAudio do not come up to the standard of the software that they replaced and 99% of the time when they fuck up there are not even any log messages to help you with it.
So there you go, some insight into why there are so many negative posts. It's not just "perhaps he's just smarter than you, and it's you who don't get it" - even if he is smarter that's not related to why he has annoyed a few people here.
if it was that shitty why did all the distros pick it up.
Welcome to The Age of Horus, The Crowned and Conquering Child.
Il n'y a pas de Planet B.
...for me but it is time to move on.
I've neither the time nor the patience to wait for this masturbatory nonsense to run its course.
The Unix way is more than "stringing together commands." It's a way to build good systems.
And yet some of the most successful systems are not built that way. Considering it the only way is absurd. It's a way that suits one particular line of thinking. Incidentally it's also a way that is fundamentally incompatible with the notion that computers should magically work in any scenario without complicated user intervention.
Systemd is a shitload simpler than the kernel itself, and providing its interfaces are well documented (debatable at this point) there's no reason it can't be the foundation of a "good" system.
And yet some of the most successful systems are not built that way.
Built what way? I think you misunderstood what I said, so I'll say it again more clearly:
The Unix way is a way to build good systems. You can skip "stringing together commands" and still follow the Unix way.
I think that while I might have phrased this a bit differently, this is certainly something which has changed. When I was a Debian developer, I was always the upstream developer of the code I packaged, or a contributor to the upstream codebase. i.e. I was familiar with and could make changes to the codebase as required, including custom patching for Debian when required. In recent years with package collections like the GNOME desktop, you did see big pushback from the Debian maintainers about making *any* changes to the upstream code. Any design problems or stupidites *had* to be accepted as they were. No patching or criticising. And I think this did in part stem from the "packagers" not being "developers", and I think this is a problem. We see the same thing with the systemd maintainers, and the message is that we are no longer independent developers but passive downstream consumers who must suck it up and deal with it. No thanks. It's that loss of independence that's the real killer. It turns every distribution into a clone of Fedora, and Fedora has never been a bastion of quality or reliability.
>Implying that someone, anyone really, reads man pages...
So... Who are you and what did you do with the real iggy?
"So long and thanks for all the fish."
Not to mention that
is horrible but
is horrible and doesn't work (gets the environment wrong).
Watch this Heartland Institute video
So what you're saying is you like powershell?
Aliases are not really a fix; you cannot reliably write shell scripts with them and stay portable.
In scripts long names are fine, I would even say preferable.
However when I'm SSHing into a foreign box (that is what I do most of the time) then I like to have my rm, ls, cd, mv, vim, and other short commands _already configured_. I cannot imagine if I had to configure my aliases each time I SSHed into another machine. Also, if the aliases are up to the user to configure, that means that every user will have different aliases and we'll be back to the Tower of Babel when trying to communicate with other sysadmins.
It is dangerous to be right when the government is wrong.
Try mis-spelling "ls".
Well put. The notion that *nix is a structure built by many people, with many bricks (and many eyes on each) is being violated. It's not about using larger bricks, it's about using one brick? How will that brick be patched? How many eyes are on that brick? How does the community build and grow Systemd? It's time for a split, probably going back to Volkerding's work, or BSD, and rethinking init and networking and .. sure, sudo as well.
Who has the leverage to ask why more is being done by fewer and fewer?
Time for a new Political party in the US (or two!) One is off the rails Other cant pony up a leader.
I did. All the system admins who were being forced off of VMS, MVS, Solaris, AIX... towards Linux that wanted complex process management wanted this. The system admins who had to work with large numbers of VMs in complex environments (i.e. admin of public, private and especially hybrid clouds) wanted this. The group of admins who didn't want this were mainly the admins who run individual boxes running on bare metal which perform a limited number of tasks: i.e. the admins who like the "Linux way" were the admins who mainly use Linux like a Unix of the early 1990s.
LP's previous fix was done to the sound system PulseAudio. Similarly with majestic scope and intentions. Has it changed what I can do with sound? No, not really. It's still not complete.... at least from the user perspective looking inward. I have an audio slider on my Fedora Desktop. There are still several audio mixer devices that are not found/detected. How about we ask LP to finish that work (realized by a finished product in the Red Hat desktop product) rather than "fixing" everything else.
As an aside launchd is open source. The FreeBSD people were able easily to move it over.
Now onto your question:
Those 3 don't support complex tiers of applications that need to work together. They aren't aiming to have say something like Oracle Financials running on them. They aren't used in large configurations involving hundreds (or many thousands or more) CPUs.
Upstart: couldn't keep up. Systemd came out of solutions to some of the problems with upstart. There was no good reason in theory upstart couldn't have won, it just didn't.
Launchd is tied to BSD initialization. But... there was an attempt to port its features over to Linux. That was called systemd.
What you might really like is OpenRC which is a "better init for Linux" and doesn't aim to be more than just init version 2. But it is mostly defunct now.
And yet some of the most successful systems are not built that way.
Built what way? I think you misunderstood what I said, so I'll say it again more clearly:
The Unix way is a way to build good systems. You can skip "stringing together commands" and still follow the Unix way.
I wasn't talking about stringing together commands. I was referring to the all encompassing "Unix Way"
Heck some of the most successful elements of Unix don't follow the "Unix Way" such as "do one thing and do it well". I couldn't disagree with this more. Why should a program restrict itself to doing one thing? Why restrict software to input and output inefficient plain text strings? Why start new when something can be expanded on the old?
These are philosophies not followed by Windows, OSX, iOS, Android, or even some great Unix protocols such as Xwindows. Yet the above are all examples of good systems. I would argue the old init system fails on the "do it well" part of the Unix Way too.
It was a principle laid down in the days of terminals where people interacted with their computers via text. As such you expect to do simple interactions with software, via text, and by extension the software should interact with other software or with the user via text. It's an outdated thought that used to be all-encompassing yet these days does not fit many definitions of "good". "Robust, stable, extensible" yes those are ways I would describe the "unix way" these days. But not "good" which is a term that encompasses all manner of use, human interaction, and ways of using computers that no one could have predicted in 1978. Like fusion power, the year of Unix/Linux on desktop will always be "next year" for this very reason.
However, that's false binary thinking. Both are right, but they don't conceive of this eventuality being possible.
Please demonstrate a case where "If you need to login as Gary, you $su gary and type in your password. You never know Gary's password." is correct.
If it were correct, what's stopping anyone from becoming root on every single system they have access to? It would be a major security issue.
alias sudo="echo make it yourself #" ; # https://pipedot.org/~stderr & http://soylentnews.org/~stderr
it wanted to create a remote agent on every computer to have complete access to them?
we are probably just months from having systemd phone home Windows 10 style....
Sure if you remember to use the new coke version of the command.
Look at rhel/centos 7: ifconfig is no longer standard, everything is done via ip. I've seen good programs do this right look as a if called as recognise their flags etc.
No sir I dont like it.
Heck some of the most successful elements of Unix don't follow the "Unix Way" such as "do one thing and do it well". I couldn't disagree with this more. Why should a program restrict itself to doing one thing?
Yeah.....you definitely don't understand the Unix Way. That concern is addressed here. Read it.
These are philosophies not followed by Windows, OSX, iOS, Android, or even some great Unix protocols such as Xwindows. Yet the above are all examples of good systems.
Uh.....are you measuring 'good' by popularity?
Those 3 don't support complex tiers of applications that need to work together. They aren't aiming to have say something like Oracle Financials running on them.
That's an interesting thought.......have you ever supported Oracle Financials or similar? Do you have experiences you can share?
They aren't used in large configurations involving hundreds (or many thousands or more) CPUs.
Not sure about this one......I worked with Linux-HA before systemd, and I of all the problems, I don't recall init scripts being one of them.
Right.. but the value of vi is reduced as the log files are not ascii text, and the CLI is at best awkward... so.. the tools that SysAdmins FELT were core are marginalized by having to go thru a different logical layer to get the information you want. The more I think about it, Systemd will be good for Soda Machines, and internet Kiosks and IOT stuff may be a good match for a generalized OS. I would like to see a scope statement from those that think SisD is the cats pajamas for everything. Will Systemd subsume all of Unix Configuration?
You haven't been paying attention these last 20 years when every unix vendor has replaced SysV init with something else.
Writing init scripts is not a one time annoyance, at least not for distro maintainers. They are also not portable between distributions, as systemd unit files are. SysV init is also literally the dumbest form of init, where the init process has no information about dependencies, and cannot react sensibly to any changes in system state. Another sticking point involved the inability of the system to track processes accurately, which resulted in a number of kernel-level features over the years, of which cgroups are merely the most recent. Yes, it's fairly rare to have things go wrong, but pidfiles are unquestionably a bad hack.
Init is a misnomer. It was supposed to be the method by which your system changed states, but it was never very good at this, so people are used to thinking of it only as handling a few rare circumstances. The problem systemd solves is how to get the computer from state A to state B reliably, and guarantee that the services it manages are started properly. Startup and shutdown are special cases of this problem. It is built on kernel-level features that allow it to track processes accurately (and incidentally also track resource usage).
Systemd is the result of a number of (IMO) obvious choices. Cgroups exist, therefore it makes sense to write a service management tool to take advantage of them. As long as you're writing a service management tool, you should probably write in dependency resolution. Handling startup and shutdown is another logical choice. Also, since 95% of init script contents are common tasks, it makes sense to abstract out that stuff into a common C-based library. At this point it is relevant to note that, cgroups aside, OpenRC does this exact same thing.
Writing scripts is part of UNIX, and systemd coexists with them pretty happily. However, rewriting scripts into more flexible C libraries is also part of the UNIX tradition. What's so hot about these scripts, besides that you're more comfortable working with them?
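The post's complaint that pidfiles are a hack comes down to the supervisor only learning a number, not a process, so it has to re-derive liveness and identity every time it looks. The check below is an added example written for this page (not code from the thread, from systemd or from any init implementation) showing what a SysV-style supervisor on Linux has to do before trusting a pidfile: confirm the pid is live via /proc and confirm the process behind it is still the expected program rather than an unrelated one that inherited a recycled pid. The function name check_pidfile and the result words are assumptions.

```shell
#!/bin/sh
# Added example: validate a pidfile the way a SysV-style supervisor must.
# Linux-specific: liveness and the command name come from /proc/PID.
# check_pidfile PIDFILE EXPECTED_COMM
# Prints one of:
#   running : pid is alive and /proc/PID/comm matches EXPECTED_COMM
#   missing : pidfile absent or unreadable
#   stale   : pidfile content is not a live pid (process exited)
#   reused  : pid is alive but belongs to a different program
# Returns 0 only for "running".
check_pidfile() {
    pidfile=$1
    expected=$2
    if [ ! -r "$pidfile" ]; then
        echo missing
        return 1
    fi
    # keep digits only: a truncated or corrupt file must not become "kill 0"
    pid=$(tr -cd '0-9' < "$pidfile")
    if [ -z "$pid" ] || [ ! -d "/proc/$pid" ]; then
        echo stale
        return 1
    fi
    # /proc/PID/comm is the kernel's 15-character command name; the process
    # may exit between the directory test and this read, hence "|| true"
    actual=$(cat "/proc/$pid/comm" 2>/dev/null || true)
    if [ "$actual" != "$expected" ]; then
        echo reused
        return 1
    fi
    echo running
    return 0
}
```

Even with both tests the check is a heuristic: a recycled pid that happens to run a binary of the same name passes as "running", and nothing here sees child processes the daemon forked. That gap is exactly what the cgroup-based tracking described above closes, since the kernel, not a file, reports which processes belong to the service.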
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
Sounds like you're someone who thinks they know about security. You probably do know something, not as much as you think.
I want you to look it up and admit your error. Chroot is easy to break out of if you know what you're doing. Don't feel bad, however. I have to correct people on this a lot. Often by showing them. Solaris, Irix, Linux, doesn't matter. It's not a jail. For what it was designed for it works well.
I'm not going to show how to do this on slashdot. I get paid to do that, however it's out there if you know where to look.
The problem isn't init scripts it is what to do with chains of dependencies on high availability. If you worked in Linux-HA think about the application specific restart code that each application had to do and how fragile it all was.
I help people migrate to cloud. IaaS/PaaS is a godsend in getting complex application stacks working. I can offer experience there that what I'm finding is not that people want a lighter thinner init-system but they want a process manager which is capable of intelligently handling
resource orchestration, resource monitoring, resource provision and resource balancing ....
virtual machines: backup, restart, status...
storage virtualization: especially backup
network virtualization
continuous test
continuous delivery especially decommissioning a
security validation
database monitoring
They all want a much richer environment of management tools. In real life I've never met anyone who thinks systemd is too thick, they all argue it is too thin. The amount of time IT people spend worrying about basic things like messaging across security zones is infuriating to management. Mostly now that Linux is taking on the workloads of mainframes I'm finding most companies want Linux to offer the kinds of services you would find on mainframes (but more modern).
Aliases are not really a fix; you cannot reliably write shell scripts with them and stay portable.
Huh? Of course you can, you just define the aliases at the beginning of the file.
And, of course, there may well be built-in aliases, especially for commands that have well-known historical names. PowerShell does exactly this - for example, "Get-ChildItem" is aliased as "ls" out of the box, and "Copy-Item" is aliased as "cp".
The problem isn't init scripts it is what to do with chains of dependencies on high availability. If you worked in Linux-HA think about the application specific restart code that each application had to do and how fragile it all was.
Yes, we were constantly thinking of restarting things, but systemd wouldn't help with the majority of that. The applications themselves need to be written with restart in mind, and that's where the difficulty really comes in. (actually we spent most of our time trying to create a novel system for nodes to discover each other, but that isn't related)
They all want a much richer environment of management tools. In real life I've never met anyone who thinks systemd is too thick, they all argue it is too thin.
It sounds like they are looking at things from a feature perspective, not an architecture perspective. Those are cool features, but architecturally, continuous test doesn't really belong in the init system.
That said, if systemd were modular, someone could build an init system that offered those services, and swap it out for systemd on large systems. I still don't think that would be a good idea architecturally.....systemd is designed to deal with local problems and events. When dealing with a cluster, restarting local processes is about the easiest part of the problem. Building on the systemd framework wouldn't get you much (and because of its instability, you will lose things).
I have to say though, building a system on the cloud with all those features looks really, really fun to me. Especially if it had ridiculous problems like interfacing with old, archaic software.
I think of congress.. , the house and the senate both.. I think of professional politicians, I think of the White house. I even think of the professional timewasters.. sorry, .. politicians.... in the Canadian Parliament. And, now, increasingly, when I think politics, I think of Linux.
"It would be like bundling systemd with a sound service."
Lennart created or was a significant early contributor to the Pulse audio project, so I won't be surprised if the sound service was already bundled with systemd.
The article gives an example of a major thing wrong with this project.
My post is about it not being the first time.
My post is based on an assumption that whoever reads it has read the article summary above.
Sounds to me like you are banking on kernel exploits being more rare than they actually are.
Well, from a chroot environment running as a non-root user: it is going to be a technical challenge to make calls to the kernel directly, and for all you know a syscall filtering mechanism is in place, and chroot is just one of the early lines of defense.
Instead of just making things up why don't you read what was written at the time - it's still on the internet
http://0pointer.de/blog/projec...
Nothing more hilarious than "correcting" someone and getting it wrong!
Don't take it from me - cure your ignorance by reading what Lennart wrote about his init system at the early stages:
http://0pointer.de/blog/projec...
jeez, i think you need to see someone about that jealousy problem you appear to have about LP
"The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
"The problem of course is that he doesn't understand the Unix way [catb.org]," I don't get this complaint at all, especially when there are such things as the Linux Kernel that are not complained about in the same way. Virtually every troll is really a personal attack on LP using the vehicles of PA or Systemd. I have yet to see anyone in these forums dissecting the code of these projects.
All troll posts on this particular subject are based on the assumption "su" has been deprecated, so it just shows you how little people read about something before they open their gob and stick both feet in.
Have they moved to the Hurd kernel to maintain their ideals?
no, the standard "su"/"sudo" is not deprecated so its not an issue. people write specific programs to solve specific issues for them.
hasn't your mum changed your nappy in a while as your post is full of shit.
well, go ahead and fork. what's stopping you? talent?
Time to support (with time and money) Devuan project more seriously? Or any other SysV init based distro?
it is the Unix way that is preventing it from going further
So you are saying any violation of the Unix philosophy will make it "go further"? Probably not, but if yes, I give up on you.
If no, are you saying linux kernel, or other "good" non-systemd things never violate the unix philosophy? If so, you are wrong. ZFS, and Btrfs violate the Unix philosophy quite spectacularly by merging filesystem, LVM, checksum etc. into one monolithic piece. Linus himself was against this initially (especially in the context of encryption), but he has come to terms with reality. Looked at very narrowly, emacs is a violation of the Unix philosophy because of being large, complex and multi-functional. But there are good reasons for those violations.
So smart violation of the Unix philosophy is already underway. The remaining argument is about whether the systemd stuff is violating the Unix philosophy in a smart or a dumb way. Let us define smart to be something that improves the software rather than increasing the profits of a company while making the lives of users/customers/administrators miserable.
I don't see an argument from you about how systemd's kind of violation of the Unix philosophy is smart. If not, systemd's existence itself could be the "crime" here.
Bingo Dictionary - Pragmatist, n. A myopic idealist.
I have yet to see anyone in these forums dissecting the code of these projects.
I'm working on it.
Upstart was much more limited in goals and utility than systemd, and it took (arguably) the wrong approach to dependency resolution. It was an evolutionary upgrade with many of the same problems as SysV init. Rightly or wrongly, systemd is using the functionality provided by cgroups to implement a more-or-less complete plumbing layer for Linux services. You could interpret that as codifying, standardizing, and integrating existing components and features, or you could interpret it as absorbing functionality that should be separate. The reality is likely somewhere in between. A lot of this is sensible -- timers for example are an obvious part of service management. But there's a lot of pushback from people who are used to writing both the script and the cronjob ("...uphill both ways! and we liked it!") and want to be able to use any POSIX-compliant cron daemon they choose. That they choose to use the default one and can continue to do so with systemd is seemingly beside the point.
The detractors who accuse Poettering of creating his own OS are not completely wrong. We are moving from a period of recommendations (e.g. Linux Standard Base) to a more integrated system, which is expected to manage services intelligently instead of letting anything that wants to snag an interpreter do whatever it wants to the system. For most people it is a sudden and far-reaching change. It was not created suddenly, however, and the foundational technology shift (cgroups) could be mistaken for a small and subtle one. As I've said, I think that most of what has been built on the core systemd/cgroup functionality are fairly logical extensions. Handling e.g. user sessions should probably be a core part of init and system management, especially if you're going to use cgroups to manage those processes, and especially if no one else is doing it. I'm sorry you're having hibernation issues, but I don't think you've even stopped to consider the idea behind systemd before passing judgment on it. If Linux had cgroups when it was first written, every part of systemd would have been written by someone else already; it makes too much sense to not use the functionality. Upstart would use them, and it would still probably have been replaced by something that starts dependencies on demand. Certain decisions about systemd components may not have been made with your use-case in mind, and I'm sure that like any other piece of software, bugs abound, but it is certainly not a "dumb idea": it's the way forward. The days where the only job of the OS was to start an interpreter are over.
wtf ?