'Severe' Systemd Bug Allowed Remote Code Execution For Two Years

ITWire reports: A flaw in systemd, the init system used on many Linux systems, can be exploited using a malicious DNS query to either crash a system or to run code remotely. The vulnerability resides in the daemon systemd-resolved and can be triggered using a TCP payload, according to Ubuntu developer Chris Coulson. This component can be tricked into allocating less memory than needed for a look-up. When the reply is bigger it overflows the buffer allowing an attacker to overwrite memory. This would result in the process either crashing or it could allow for code execution remotely. "A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved in to allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it," is how Coulson put it.
Affected Linux vendors have pushed out patches -- but the bug has apparently been present in systemd code since June of 2015. And long-time Slashdot reader walterbyrd also reports a recently-discovered bug where systemd unit files that contain illegal usernames get defaulted to root.

Re:Time for tar and feathers?

Besides the author who suggests with the title that the bug resides in systemd itself rather than a project included under the systemd umbrella that's disabled by default on most distributions?

Even Windows isn't this bad

When I first read about systemd I thought it was a knock off of the NT service control manager. Except on Windows, that's all it does. It controls services. It starts and stops them. And manages dependencies. And that's it. It doesn't take over the fucking world and try to control everything in the OS. I think this is where systemd lost its way. It's a sad day when we look to Windows as the example of "does one thing and does it well" and not the whole fucking kitchen sink.

Re:Even Windows isn't this bad

[SharpFang]

Systemd's extra promise was *optimization* of startup.

It was meant to be achieved through creation and binding of sockets: Service X must wait for service Y to start and create a start up, because X needs to bind to a socket Y creates. It won't be using that socket in a while yet, but it can't initialize without that socket present.
What systemd does is create that socket so that Service X can bind to it right away, and proceed with startup, and once Y arrives at the point of creation of the socket, it's bound to the socket Systemd created. There, instead of sequence of complete startups of services, which is lengthy, you have only sequence of socket binding, which is fast, and parallel startup, which is fast too.

This is a neat idea which breaks upon meeting the reality.

Because not everything uses sockets. Not everything can start up with the socket merely present, some need it for real right away. Not everything is structured the way systemd envisioned it; some applications aren't just monolithic executables, but e.g. lengthy shell scripts repeating hundreds of calls to a given executable with different parameters (e.g. iptables). They just don't fit that idealized framework.

And so, the framework does what a framework with overinflated ego author does. Including the crap part.

Re:Even Windows isn't this bad

[SharpFang]

That is doable but very cumbersome. You'd need a central makefile for the whole system, and adding or removing anything would require a rebuild.

Gentoo isn't exactly everyone's favorite, and this would make Gentoo's level of problems pale by comparison.

Note it's not just about ordering the startup, it's about fulfilling all the requisites with 'dummy' interfaces until the provider of what the 'dummy' is for starts up, then transparently substituting. "Want to write logs but syslog still didn't start? We provide a queue that will store your logs until syslog... uh, wait, syslog can't do this that way. Welp, fuck syslog, here's our journald, and it has binary log files which are superior because we say so."

I don't quite see how just makefiles could solve that.

OTOH I really don't see the problem with delaying the startup by literally several milliseconds to let syslog start, instead of ripping it off and replacing with something everyone hates. Simply put, some optimizations are definitely not worth the cost.

Old News

This is old news, why don't you publish that story how "Principal systemd developer refuses to acknowledge serious security vulnerability where processes that request to be run as unprivileged user, run as root because Lennyboi does NOT like them start with zeroes! And POSIX be damned, Lenny knows better!"

Re:Time for tar and feathers?

[KiloByte]

Tarring and feathering would indeed be good -- especially that Lennart as usual insta-closes an obvious and nasty security bug[1] as "non-bug". And when presented with standards documents, he says they don't apply to him. Seriously, can someone buy this guy an "Unix for dummies" book?

While we don't exactly suffer from a dearth of kooks, this particular kook enjoys having his employer promote his masterpieces even when totally inadequate. The world would be so much better without systemd, PulseAudio and avahi.

[1]. "0day" is somehow a popular name for CI systems these days, and those often allow weakly-trusted or even completely untrusted submissions.

Re:not the init, and it doesn't affect Debian

[Viol8]

"that are not even needed quite often, and can generally be run without having systemd running as init."

I don't think anyone is in any doubt that once systemd has the option to run a service most of the bleeting distro maintaining sheep use it. It won't be long before it becomes the default resolver on most of them.

Re:The problem with systemd

Systemd, is a poor idea, poorly implemented in a project thats poorly managed.

Yup.

Quite why redhat are in thrall to the arrogant little twerp in charge is anyones guess.

I don't know how he got a foot in the door, so all I have is my long-distance high-level. The short and sweet is "politics", and he's red hat's useful idiot in their war with oracle.

red hat tried to tighten up their business model by splitting red hat-the-distro into fedora and RHEL. The centos guys forced red hat to release RHEL anyway because GPL. oracle then copied the whole thing verbatim, minus the branding, and called it "unbreakable linux". This allowed them to piggyback on red hat's hard work including their knowledge base. Which is why red hat put that thing behind a paywall. So oracle is doing their level best to eat red hat's lunch and using red hat's own work to do it.

So, what can red hat still do? Well, they can become more proprietary, which is where systemd comes in. No, it's not closed source, but it sure is wilfully, deliberately, and very gratuitously, incompatible with everyone else. So if a big enough party like red hat pushes it into the market, then the rest (*cough* debian *cough*) feels they have to follow suit. That means a big boon in control for red hat. And that's what it ultimately is about.

Of course, you have to have some sort of story of benefit for people to go along with the gambit. But for many the sort of fine-grained control you lose by going systemd wasn't that important anyway, for the good and simple reason that throwing more virtualisation and more hardware at it seems faster and so more cost effective. It's the same sort of reason why virtualisation and massive hardware is so popular in the windows world. The big gain for red hat sure isn't technical, it's political. You can see this in the fact that many rebuttals to technical complaints about systemd are entirely non-technical. Any time a technical argument ends up full of bullshit and personal attacks it really isn't about the technical merits any more.

I doubt poettering himself understands his role in this, seeing his grasp of architecture, code quality, and so on, so that makes him a "useful idiot". He sure does have the personality to pull it off, though. Incompetent arrogance does go a long way, with the right backing.

And, of course, once they get off the ground, bad ideas are hard to kill.

Re: The problem with systemd

It's worse than that. The community didn't have any say in it, it just got rammed down everyones throats; its revealed that linux has started to follow the cathedral model as vendors like Redhat gain more and more exclusive control over it. At this point its worth asking who controls linux, the community built out of tends of thousands of projects that come together, or a few corporate entities?

Re: The problem with systemd

POSIX actually permits user names that start with a number. Not a bug.

Re:The problem with systemd

[makomk]

Because systemd is now a hard dependency of the Gnome desktop, which a lot of distros want to ship. There were some interesting shenanigans involved in getting that through too - initially the Gnome developers insisted this was no bid deal because logind (the part they required) didn't actually depend on systemd and could be used seperately. Ubuntu did this for a while. Then Poettering declared that actually this was never supported, Ubuntu were idiots for doing it, and it would be broken shortly. Ubuntu reluctantly switched to systemd in the next release.

Re:The problem with systemd

[KiloByte]

Systemd is abysmal for users, but less work for distro maintainers.

For example, service files are drastically shorter than init scripts (albeit unlike them, not universal unless you fall back). This could be easily fixable by using a common library, but that'd be a bit of actual work!

On the other hand, systemd is a complete and utter abomination for sysadmins. When sysv-rc (not sysvinit, these parts are modular!) does something wrong, it's a matter of a single line of shell to hack it for your particular use case. On the other hand, when you want systemd to do something Lennart didn't think of, there's no resource (unless you really want to dig through the source of the huge blob, debug it, recompile, install, then do the whole thing again on an upgrade or security update). Just two examples: 1. the usual idiom of mount --bind a filesystem with complex sub-mounts so you can rsync/etc it in peace, 2. degraded mount of btrfs RAID.

Seriously, an init implementation that conflicts with something as basic as RAID, has no place on any non-toy machine.

I for one wear both hats, of a distro developer and a sysadmin. But it's the latter what I get paid for, thus sorry, no systemd anywhere I can shake a shit-covered stick at.

Re:The problem with systemd

[silas_moeckel]

The reason is simply every commercially used Linux distro switched to it. We're stuck going along for the ride.

Re: The problem with systemd

[dyfet]

Indeed, I already had two remote servers lost over this very issue. I never had systems fail before systemd, either. The first was one that consistently failed to shutdown, but no logging and nothing in the journal made it impossible to ever discover exactly why. Another failed to boot, and it is equally unclear why. It really is rather crappy.