Slashdot Mirror
Multiple Linux Distributions Affected By Crippling Bug In Systemd (agwa.name)
An anonymous reader writes: System administrator Andrew Ayer has discovered a potentially critical bug in systemd which can bring a vulnerable Linux server to its knees with one command. "After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system." According to the bug report, Debian, Ubuntu, and CentOS are among the distros susceptible to various levels of resource exhaustion. The bug, which has existed for more than two years, does not require root access to exploit.
It does not bring down the system, some services are delayed for 30 seconds (which is the timeout before daemons supporting systemd goes on without systemd).
All the people that were telling you that this init system called Systemd was overly complex, unaudited and insecure had warned you that this was coming. All the "Troll -1" modding on people that posted such warning here did not prevent the inevitable.
Not convinced? Here's a graph of the number of issues opened/closed since systemd moved to github last year.
Anons need not reply. Questions end with a question mark.
Everyone who mocks these distributions for not toeing the Debhat line can all enjoy my "told you so".
And the reason they cannot is because apparently this bug exists in debug code (it's a ASSERT that is triggered) so only distributions that compiled with -DDEBUG are affected. Also the affected distributions was patched three days ago.
That is far from a detailed description and more of a list of uninformed rants. Much better to read the informed reply to TFA here: https://medium.com/@davidtstra...
What does feel surreal is that people now all of a sudden pretend that SysV init where without exploits while going completely berserk when systemd have a non remote exploitable denial of service bug that cannot be used to take over the machine that also where patched three days ago...
Try to explain to foreigners that cleave means to stick tight to or to split apart from, or that sanction is to permit or to forbid something, and they will run screaming.
Please. If nobody reviewed the code then it's going to linger around until someone exploits it. Just like very friggen other piece of software ever written.
I see where you are coming from and, yes, it's disingenuous for me to imply that all that code is running in PID 1. It's certainly not. But, my point is that systemd is gigantic because it has started to absorb other fundamental parts of the userland. And so those parts are now heavily reliant on PID 1 or a very near descendant. Instead of layers of software being built on more fundamental layers of software, you now have a nasty web of dependencies that will, in time, become unmaintainable.
We grey beards didn't do it how we did it for fun. We did it because once one layer of the system worked, we stopped caring about it and moved to the next layer. Systemd is compressing all the layers into a single, nasty web of interdependent processes that represent a single layer. The complexity of it *will* overwhelm the stability of it. It's just a matter of when.
In the meantime you may avoid using systemd as init in Debian by installing sysvinit-core or in Ubuntu by installing upstart-sysv in your transition to a systemd-less distro such as Devuan.
If you are using Debian Jessie, you can switch to Devuan by simply changing repositories. Its still in beta so don't do it on production servers yet. But do plan your migration, before this gets out of hand.
Artix
Your Linux, your init.
At least with Debian, can't you choose your init system at install time? Or is that no longer an option?
I choose the distribution to meet my needs. I wouldn't allow the init system to dictate which distro I use.
Its moderately hard to choose the init at install time and requires some changes to the installers boot command.
Its easy enough to strip out systemd after an install and trivially easy to upgrade from Wheezy to Jessie without systemd.
In the free world the media isn't government run; the government is media run.
inflammable = flammable. It's one of those unfortunate english words.
"In-" can mean both "not-" for latin root words, or "overly-" for other words like infamous or ingenious.
Here that's a coincidence, as the root verb is "inflame".
You simply don't know what an English word means until you know its etymology. Hey, at least you don't need to know its Kanji.
Socialism: a lie told by totalitarians and believed by fools.
I take it that you have not looked at the actual code, afaik there is no nasty web of dependencies. Where there are dependencies they are on a documented DBUS service and not on a specific pid 1 and afaik there are no inter-project dependency either.
Yeah, so a fork that tries to split the "applications" in systemd must be quite easy to produce. Or is it?
SystemD a black box that have a lot of features that's hard to understand unless you dig through the source code trying to trace down why it doesn't do what you want and why it doesn't tell you anything about what's wrong.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
The core C code of sysvinit was feature-complete, reviewed, debugged and tested years and years ago. Its original design goals were satisfied, and the project is "done". Software does not need continual churn to mark it as "maintained". The same applies to startpar/insserv and other ancillary bits. If you found a bug in sysvinit, I'd review and test it, and push a commit for it. I no longer maintain the Debian packaging, but I still have upstream commit rights should I need them.
Compare this with systemd. It doesn't have the same clearly-defined scope; it's not possible to say when it will be complete as a result. Software can be complete and finished.