Slashdot Mirror
Multiple Linux Distributions Affected By Crippling Bug In Systemd (agwa.name)
An anonymous reader writes: System administrator Andrew Ayer has discovered a potentially critical bug in systemd which can bring a vulnerable Linux server to its knees with one command. "After running this command, PID 1 is hung in the pause system call. You can no longer start and stop daemons. inetd-style services no longer accept connections. You cannot cleanly reboot the system." According to the bug report, Debian, Ubuntu, and CentOS are among the distros susceptible to various levels of resource exhaustion. The bug, which has existed for more than two years, does not require root access to exploit.
and been around for 2 years and doesn't require root access??
If this happened on Windows, I & many others would be scornful of it.
Pain is merely failure leaving the body
Fortunately, we have so many different Linux distributions that this is not a problem! (...right?)
Ezekiel 23:20
https://medium.com/@davidtstrauss/how-to-throw-a-tantrum-in-one-blog-post-c2ccaa58661d
Can't have anyone criticizing any aspect of the holy systemd.
Whole thing boils down to:
"Following security practices in an init system is hard, and you've never done it so leave us alone."
Completely ignoring the fact that the only reason they patched this thing is because he made a big deal out of it.
And on what planet is testing for corner cases like empty strings the domain of fuzz tools?
That seems like a pretty standard test case to me.
I can understand if you don't test for a 1MB string, but empty seems like a no brainer.
That is far from a detailed description and more of a list of uninformed rants. Much better to read the informed reply to TFA here: https://medium.com/@davidtstra...
More clueless autonomic defensiveness without any reflection on what the impact of the bug actually is. I especially enjoyed this old chestnut as the author attempts to fisk the original bug report:
"SystemD, let me just stop you there. I know the Linux kernel. I've worked with the Linux kernel. You're no Linux kernel."
The incredible hubris of asserting parity with the core of the entire OS, the ignorance that underlies the statement that init was written in C and runs as root, so it's every bit as vulnerable... How the fuck do you even make code run? Do you even teh logic?
The SystemD team is the Microsoft of a new generation. Doubling down on their mistakes; shouting louder when they don't get their way; using every available ratiocination and intellectual contortion to excuse themselves; resorting to any means to make their strategy win, instead of stopping to ask themselves for once, 'Are we following a winning strategy here?'
Thank g*d I quit writing software last year. Dealing with Microsoft's mind-crushing blindness was enough for one lifetime. Now I can just grump about it and walk away.
Crumb's Corollary: Never bring a knife to a bun fight.
As far as I can tell, the problem is mostly one of personality and ideology. Poettering is a rather unpleasant person who is purposefully choosing to do things in an unnecessarily hostile and control-destroying manner, and Red Hat, while obviously having done tremendous things to help Linux over the years, has been in the business of promoting user-hostile asshatery and lock-in philosophies in recent years, something which hasn't been remarked on nearly as much as it should've (possibly because RHAT earned themselves too many OSS brownie points 10+ years ago and are still making useful contributions today.)
None of that excuses the legions of people around who have said that there was no problem with SysV, or that declarative syntax was worthless (tell that to someone who is trying to build a distro), or treated process control or containerization as inherently unworthy things to be concerned with. I do not say that systemd does these things especially well; I merely say that as concerns, they are intrinsically worthy of consideration.
And if you say that no one needs better containerization options or that stateless systems is a worthless concept or that Debian's old init scripts were the pinnacle of perfection, you clearly do not know what you are talking about. Red Hat does have some fiat sway, but if SysV init were easy to stick with we wouldn't have seen all of the major distros adopt systemd in lockstep. It's not completely worthless. Some of the problems it solves are indeed real. I'm not saying it's worth half a million lines of C code to solve those problems, but the problems are fact there.
But if you actually deny that any problems exist, you're basically just an unthinking hater and no one is paying you any attention except a certain subset of systemd haters who didn't need any more convincing.
This actually isn't so dissimilar to Trump and concerns over immigration or terrorism, but that's an analogy for another day.
It's another straw on a very overloaded camel's back - so this "small bug" just gets added to the list.
I've still got pretty well everything on linux still on RHEL6/CentOS6 because the vendors of an application used in the place don't trust systemd yet. The few workstations I have on something newer are as unstable as MS Windows machines used to be - one wouldn't even boot when systemd hung on a wireless mouse dongle - so much for parallel init! It should have failed then moved on instead of blocking every single time it hits that USB device, and the rumoured parallel init should have enabled it to be doing other stuff instead of completely blocking. That's just one, every few weeks there's some different fuckup of the sort we used to laugh at MS Windows.
I've got 3 separate servers that all run different OSes. 1 in-house with direct control running Gentoo with OpenRC. Then there's the two VPS's. One is running CentOs 6.7 with Upstart. Then there's the PoS VPS I have free on Microsoft Azure running Ubuntu something-or-other with SystemD. Nothing critical is on this server...it just serves as a lab environment and data passthrough. The only time I've ever run SystemD on a system I own with physical access was on my primary desktop...which is never permanently online to begin with.
There have been too many points with a systemd system that I don't trust. Nothing to date with the system has personally affected me to say it's as worthless as I think. I just never trusted it because it just felt too much like a Windows Registry clone in how it worked, which in itself screams that it cannot be trusted. This bug seems to prove my intuition correct.
I've made several requests for systemd proponents to supply a use case that SysV initd could not support and haven't received a satisfactory reply to this purely technical question. I was interested in what systemd could offer over initd. I find systemd proponents are overly veherment in their criticisms of initd proponents.
I sense this comes from an inability to address the issues raised and, perhaps a mindset that anyone who has an appreciation for initd's elegant power will simply be bulldozed into irrelevance. I think systemd's criticism of the rc scripts that starts a linux based system is valid criticism however we have to keep in mind that they were devised by Red Hat. It is dealing with rc shell scripts that are the brunt of the justification for systemd.
In that sense the unitd solution is tidy but also reveals the justification to replace initd is not based on a full understanding of its capabilities, or even an understanding of was it is, a process manager. rc scripts are only meant to prepare the system for entries in /etc/inittab, yet everyone tries to get everything done in rc, which serializes the Linux boot process. A parallell boot is completely achievable by using initd properly. I know there is more to it, like events and messaging, I'm just citing one example.
Yet I've never seen a Linux distro that's utilized initd's /etc/inittab file properly. Especially a Red Hat system. They don't use initd properly, the rc scripts are bloated with rewrites of what initd already does, and now we're replacing initd, keh? initd has yet to be utilized fully on modern linux systems.
Criticisms of sco the company aside: sco *as a distribution of unix* had an interesting adjunct feature to initd, the 'enable' and 'disable' command that managed entries in /etc/inittab, where you would configure the characteristics of the system you were running. Franky I think this is functionality is essentially
I think initd would make a lot more sense to more people if this functionality had been available in Linux from the beginning. It is true that initd is beguiling in terms of it's simplicity wrt its power, but it is also very worthwhile. It is supposed to be small as that is where the skill is expressed.
initd is where you design the characteristics of the system, it is not an event manager and all the other things systemd is supposed to be. Something that does all the functionality systemd has, belongs as an inittab enty, not as the first process the kernel runs.
The point of a bug like this is not that it is a big deal itself, the big deal is the failure mode systemd has been revealed to have due to its complexity. This the type of concern I have about systemd, what else can trigger such a failure mode. I have seen initd in a variety of failure modes and not once has it ever consumed all system resources and disconnected running processes.
Now we've seen systemd do something that initd can't.
My ism, it's full of beliefs.
How long are systemd proponents going to evade accountability to crying about detractors, greybeards and positoning opponents as anti-change.
Any criticism of Systemd and out come a hoarde of Redhat supporters and astroturfers to change the focus swiftly from the technical to the political
It's fine to blame RedHat, Inc, and the *current* Fedora Community on top of it, but don't blame RedHat supporters.... Many of us using RHEL and its derivatives (CentOS/SL) think this thing is horrible and would have stepped in earlier if we'd been paying closer attention to Fedora-devel five or six years ago. We kind of just assumed that the adults who'd been in charge there were still making decent architectural decisions while we went on with our lives.
Hire a Linux system administrator, systems engineer,
The whole "FreeDesktop" Movement seems to be about making Linux more and more incomprehensible.
My theory for why this is is like this:
There are lots of people now growing up when Windows kinda worked (since about 2000). At the same time, involvement in "Open Source" software is seen as a good career move. So they churn out some shitty badly designed code as potential recruiters cannot tell good from bad code. Also they take part in design processes without the experience necessary for this. The result are overcomplex buggy solutions which suck in manpower to maintain them.
Take a look at the *BSD people. The team maintaining OpenBSD is probably smaller than the SystemD team, yet they manage to maintain a whole operating system.
My guess* is that they are from separate stems. In Dutch, kleven (clay-vun) is to stick together, and klieven (clee-vun) is to split apart.
No idea where the contradictory meaning in sanction comes from, in Dutch 'sanctioneren' (v) also has both meanings and people get confused.
*) And Internet confirms it :) http://www.etymonline.com/inde...