'Severe' Systemd Bug Allowed Remote Code Execution For Two Years

ITWire reports: A flaw in systemd, the init system used on many Linux systems, can be exploited using a malicious DNS query to either crash a system or to run code remotely. The vulnerability resides in the daemon systemd-resolved and can be triggered using a TCP payload, according to Ubuntu developer Chris Coulson. This component can be tricked into allocating less memory than needed for a look-up. When the reply is bigger it overflows the buffer allowing an attacker to overwrite memory. This would result in the process either crashing or it could allow for code execution remotely. "A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved in to allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it," is how Coulson put it.
Affected Linux vendors have pushed out patches -- but the bug has apparently been present in systemd code since June of 2015. And long-time Slashdot reader walterbyrd also reports a recently-discovered bug where systemd unit files that contain illegal usernames get defaulted to root.

Time for tar and feathers?

[chthon]

Anyone?

Re:Time for tar and feathers?

Besides the author who suggests with the title that the bug resides in systemd itself rather than a project included under the systemd umbrella that's disabled by default on most distributions?

Re:Time for tar and feathers?

[KiloByte]

Tarring and feathering would indeed be good -- especially that Lennart as usual insta-closes an obvious and nasty security bug[1] as "non-bug". And when presented with standards documents, he says they don't apply to him. Seriously, can someone buy this guy an "Unix for dummies" book?

While we don't exactly suffer from a dearth of kooks, this particular kook enjoys having his employer promote his masterpieces even when totally inadequate. The world would be so much better without systemd, PulseAudio and avahi.

[1]. "0day" is somehow a popular name for CI systems these days, and those often allow weakly-trusted or even completely untrusted submissions.

Re:Time for tar and feathers?

[The123king]

I can't see how a tape archive could possibly help.

Re:Time for tar and feathers?

[Z00L00K]

Tar and Feathers are so expensive these days, I'd take poison ivy instead.

Re:Time for tar and feathers?

Wow, what a douchebag that guy comes off as.

Re:Time for tar and feathers?

[Opportunist]

But feather probably would Considering how ancient the most recent version of Feather Linux is, chances are good that this might actually not use systemd.

Re:Time for tar and feathers?

[AmiMoJo]

It was closed because it has already been discussed at length here: https://github.com/systemd/sys...

Do you actually have an argument against his logic here? As in a good reason to follow POSIX rules in this case when Linux in general, which is what systemd follows, does not.

I'm not saying he is right, merely that your statement gives a false narrative of what actually happened and that you don't seem to have any actual argument beyond "he immediately closes bugs I think are obvious!"

Re:Time for tar and feathers?

[KiloByte]

It was closed because it has already been discussed at length here:

6237 is about running services as the wrong user, 6259 is about usernames allowed by POSIX but not by systemd.

Do you actually have an argument against his logic here? As in a good reason to follow POSIX rules in this case when Linux in general, which is what systemd follows, does not.

Linux doesn't even know about usernames (just uids), you may at most discuss the behaviour of a particular userland program. And every program I know of (a bunch was tested by someone on IRC) except systemd handles ones starting with a digit correctly, as POSIX prescribes. For some reason, adduser (but not, eg, useradd) dislikes creating new accounts with such a name but all it takes is specifying an option when it relaxes the check from names merely discouraged to ones that are illegal only. No other account creation program complains.

The other reason is that you have to accept any legal external input, and input allowed by the standard is certainly legal. And you need to handle illegal input as well, at the very least by returning an error rather than giving full root access.

any actual argument beyond "he immediately closes bugs I think are obvious!"

That's Lennart's usual response to anything that's not obvious to him. Most of us try to at least research a bug or ask the reporter to explain.

Re:Time for tar and feathers?

[lucm]

Followed your link, and interestingly:

poettering locked and limited conversation to collaborators 23 hours ago

He's a real team player

Re:Time for tar and feathers?

[thegreatbob]

Yay! At some point we crossed 5 million commentards, and they just keep getting better!

Re:Time for tar and feathers?

[squiggleslash]

Not a Lennart critic in general (I usually defend systemd) but I think the GP has a point here.

- The first bug was closed immediately despite systemd treating what Lennart considers an error (debatable) in the worst way possible - escalating a process to root privileges when the user is clearly stating it shouldn't.
- The second bug is an attempt to say "OK, we'll play your game, if you're saying that's correct behavior because of {another issue}, then let's state that {another issue} is also a bug because that's not right either.

In both cases Lennart has immediately closed the ticket without waiting for discussion. He may or may not have reasonable reasons for initially opposing the tickets (he doesn't in the first ticket's case, he absolutely doesn't - root privileges because a username (which you're not even going to bother validating) doesn't look right?! - which is what the GP is complaining about.

This is, frankly, horrifying. systemd is a key part of the GNU/Linux infrastructure, and it exists for a reason: to remove the reliance on shitty, fragile, shell scripts that were all-too-easily made insecure through ignorance or haste. Those who develop it must, absolutely must, listen to and take seriously security concerns. Closing two tickets in a row, immediately, without discussion, concerning a major privilege escalation, still worse because of logic that ultimately boils down to "The user should be smart enough to know some username rules that some developer somewhere pulled out of their arse and which only one or two tools actually enforce", is ridiculously incompetent.

Re:Time for tar and feathers?

[jmccue]

And again, it's not the huge security issue some people make out that it is because in order to create a user with a name starting with a digit and then create a service starting as that user, you have to have root anyway.

true, but - with people downloading packages (rpm/deb/whatever), what if that package contained a unit file with such an ID ? off to root it goes. So does that means a admin after installing a package needs to examine the unit files even if from a trusted source ?

Bugs happen and since systemd is open someone found it and it may very well have been fixed by now. If systemd was proprietary, at this point maybe only the (three letter) orgs would know and keep it a secret. So the development model worked anyway :)

The silly thing is the argument of "is this a bug ? yes/no/yes/no...".

Re:Time for tar and feathers?

[aardvarkjoe]

Poettering's "logic" is pretty much that he doesn't want to adhere to standards just because he doesn't want to. He spouts some nonsense about making the unit files "portable," but that argument really doesn't make any sense in the context of this bug -- how on earth can you justify misinterpreting a username that is valid on some systems as being "portable"?

Re:Time for tar and feathers?

[aardvarkjoe]

So specifically what part of his argument makes you think he doesn't understand this? Because he seems to have addressed your points directly and with reasonable, factually and logically correct arguments.

Well, let's look at his arguements:
First, he said:

Yes, as you found out "0day" is not a valid username.

Which is really damn obviously false, because the relevant standards permit it and various Linux systems permit it. It's only "not valid" as defined by systemd.
Then he says:

1. systemd is not the one coming up with the restrictions on user names, and while some distributions are less restrictive, many do enforce the same restrictions as we do. In order to make systemd unit files portable between systems we'll hence enforce something that resembles more the universally accepted set, rather than accept the most liberal set possible.

Making things "portable" by restricting the configurations that systemd will work with? On what planet does that make any sense at all? It's not like correctly handling user names that Poettering doesn't use is going to break things on his computer; he just doesn't want to make a simple change to fix something because of his ego.

2. User= in unit files is about system users, not regular users, and I am pretty sure we should enforce a stricter regime about system users than regular users.

Since systemd doesn't get to dictate valid usernames, this isn't a reasonable argument.

3. In systemd we generally follow the rule that when we encounter a unit setting that does not validate syntax-wise we'll log about it and ignore it, for compat reasons. We do the same for User= here as for all other options. Note that if you specify a valid user name but where the user doesn't exist, then we'll instead fail the service on start, because in that case there's not just something wrong with the syntax the service author used but actually something inconsistent on the system, and that should be considered fatal.

This just demonstrates a lax attitute towards security. If the unit file specifies a "User=" line, then they obviously want to set a particular user to run the service, and unexpectedly running it as root is a security hole. The fact that Poettering can't see that after 10 seconds of thinking about it tells me that I wouldn't want his code anywhere near my system.

Re:Time for tar and feathers?

[dbIII]

Maybe - but it's truly a newbie mistake to allow invalid input. Letting invalid input allow full access is the sort of stuff we laugh at the worst of MS for and not something to emulate.

Re:Time for tar and feathers?

[Type44Q]

That creepy weirdo would like it.

Re:Time for tar and feathers?

any actual argument beyond "he immediately closes bugs I think are obvious!"

The solution is left as an exercise

Serious users do not consider this a problem

I don't know what the name for this fallacy is, but if nothing else, it's an Appeal to Authority by proxy. It shuts down discussion by implying that if one were at the same exalted intellectual plane as the claimant, then there would be nothing to discuss. And that, by implication, if you consider that there actually is something to discuss, you are inferior.

Given in response to an honest question, it is an attack on the querent, and, as such, intellectual bullying.

Re:Time for tar and feathers?

[DontBeAMoran]

As long as it's open hardware tar and feathers from free range chickens.

Re:Time for tar and feathers?

[AmiMoJo]

That's a fair point. I guess the question is if the input should be validated by systemd or the tool creating the user. I suppose that as the service may be run as root, it's not unreasonable to make that extra check.

Thanks for being the first one to answer with an actual argument rather than "hurrr, systemd!"

Re:Time for tar and feathers?

[AmiMoJo]

- The first bug was closed immediately despite systemd treating what Lennart considers an error (debatable) in the worst way possible - escalating a process to root privileges when the user is clearly stating it shouldn't.
- The second bug is an attempt to say "OK, we'll play your game, if you're saying that's correct behavior because of {another issue}, then let's state that {another issue} is also a bug because that's not right either.

One of us has this backwards... It looks to me like in both cases Lennart is saying that systemd follows the Linux standard, not POSIX. Under the Linux rules on usernames they can't start with a number, so using "0day" as a username is invalid and the service won't start because the user doesn't exist.

Unfortunately some tools allow you to create a user whose name starts with a number, which is a bug in those tools.

I'd say that it's valid to check for this in systemd due to the resulting action being "run as root", but I can appreciate the argument that systemd shouldn't be checking for bugs in other software. And the second bug is complaining that systemd isn't POSIX, which is by design so really is not-a-bug. One could argue it should be POSIX, but bug reports are not the place to do that.

Re:Time for tar and feathers?

[AmiMoJo]

Which is really damn obviously false, because the relevant standards permit it and various Linux systems permit it. It's only "not valid" as defined by systemd.

No! This is where you are confused. It's not valid. Some Linux tools allow it, but they shouldn't. The rules for Linux user names say they must not start with a digit, and for good reason (could accidentally insert a space and be treated as a UID, similar to the old "rm /rf / random_dir" mistake).

Re:Time for tar and feathers?

[drinkypoo]

One of us has this backwards... It looks to me like in both cases Lennart is saying that systemd follows the Linux standard, not POSIX.

What Linux standard? The LSB? POSIX is the only other standard involved, and Linux tends to follow POSIX in spite of the many protestations that Linux is not POSIX.

Re:Time for tar and feathers?

[drinkypoo]

Since systemd doesn't get to dictate valid usernames, this isn't a reasonable argument.

It's also just outright wrong because Unix does not have any concept of system users, nor does Linux. Only one user is inherently special, and that user has UID 0. Every other user is used exactly as you use it. Nothing prevents you from assigning a password to one of those "special" users and logging in to it, any more than anything prevents you from creating another user account with a locked-out password and using it in the same way as the "system users".

Re:Time for tar and feathers?

[squiggleslash]

One of us has this backwards... It looks to me like in both cases Lennart is saying that systemd follows the Linux standard, not POSIX. Under the Linux rules on usernames they can't start with a number, so using "0day" as a username is invalid and the service won't start because the user doesn't exist.

Neither of us have it backwards. First ticket is Lennart essentially saying "It's OK for systemd to run an application as root when a user specifies an username beginning with a digit because I (Lennart) think the user has made an error, a username shouldn't begin with a digit (his justification being what you're saying.) The second is saying "We shouldn't treat a username beginning with a digit as an error".

It's debatable it is a "Linux" standard to begin with. Only one of the two command line tools to add users actually enforces this supposed rule. Literally nothing else does. The kernel is agnostic. And the command line tools aren't Linux, they're GNU. So what we're looking for is evidence that (1) RMS or an officer blessed by RMS has declared this to be a standard and (2) No declaration since has placed POSIX compatibility ahead of legacy GNU functionality.

Both tickets are entirely reasonable and not one of them should have been closed without discussion. Actually, let me correct that, the first should have been closed with just a note along the lines of "Fuck me! You're right! Personally I think {Inserts personal beliefs about "Linux"'s username policy here} so I'll just have it output an error message and not start the daemon", not "Ha, user is an idiot! LOL ROLF APK!! EVERYONE knows usernames begin with letters LOL! Root privileges for everyone!"

Re:Time for tar and feathers?

Why is systemd even validating usernames using its own hastily written code and arbitrary rules? What purpose does this serve other than to introduce bugs like this? Use POSIX rules or just map directly to UID and use that. Is it even reasonable to make that extra check if failing the check just escalates privileges to root anyway?

"hurrr, systemd!" is just shorthand for all of the valid arguments that are continually brought up and dismissed out of hand by Lennart and his gullible followers. Your post here has essentially just wallpapered over a privilege escalation implemented by shoddy architectural logic. How do you expect people to keep wasting time with real arguments if they're received like this. It's maddening!

Re:Time for tar and feathers?

[AmiMoJo]

I suppose technically it depends on adduser.conf and the regex defined in there, which only one tool apparently bothers to check. GNU isn't POSIX either, in any case.

Re:Time for tar and feathers?

[I'm+New+Around+Here]

Best movie ever.

Re:Time for tar and feathers?

[godrik]

tar and feathers?

$ man feathers
No manual entry for feathers

mmm...

Re:Time for tar and feathers?

[BronsCon]

" " is a digit now?

Re:Time for tar and feathers?

[aardvarkjoe]

The rules for Linux user names say they must not start with a digit,

Where are you finding this documented?

As you have been informed repeatedly in this thread, the Linux kernel doesn't even use the concept of user names (it works with IDs instead), so your statement can't possibly be true. Apparently one particular tool, adduser, by default, enforces some extra rules, but that doesn't mean that those rules are universal to all Linux systems.

Linus has a rule "don't break userspace." Poettering's rule is apparently "let's break userspace every chance we get for no damn reason at all."

Re:Time for tar and feathers?

[BronsCon]

This. Look up the username in /etc/passwd and be done with it. Well, maybe also check file permissions and ownership of /etc/passwd and reject it if not owned by uid 0 or if writable by anyone other than uid 0. Then be done with it.

Re:Time for tar and feathers?

[BronsCon]

Restore a non-systemd version of your favorite distro from tape?

Re:Time for tar and feathers?

[aardvarkjoe]

What happens when someone creates a user whose username is purely numeric and that number is different from the uid? What happens when a hacker creates a user with a username of "1" (eg. the uid of root)? Should systemd treat that as root (assuming "1" is a uid) or as the user with username "1" (uid is above 100)?

It would be sensible to disallow creation of all-numeric user names, because of the reasons you stated (far too likely that somebody is doing something nasty.) But disallowing them really doesn't fall under systemd's purview, since systemd is not the manager of the username database. And even if we decided that all-numeric usernames should be disallowed, systemd's totally braindead behavior of granting root access if you try to use one would still be wrong.

In today's environment, we can't afford security to be an afterthought, especially in an extremely pervasive and complex piece of software like systemd.

Re:Time for tar and feathers?

[nnet]

systemd-tar will, bet on it. also coming, systemd-emacs.
/sarcasm

Re: Time for tar and feathers?

[aix+tom]

Maybe the reason is to have a consistent vector into Linuxes.

And it sure does a good job at creating a consistent attack vector.

Re:Time for tar and feathers?

[F.Ultra]

Well that rpm/deb/whatever could run scripts as root when you install it with dpkg/apt anyway. No one is going to attack you this way and the main reason to run the service as user XX is to try and limit the damage in case the specific service gets exploited.

Re:Time for tar and feathers?

[F.Ultra]

It makes unit files more portable since the restrictions on usernames are stricter in systemd that on some other distribution which means that your unit file will work on those distributions where the username restrictions are stricter than the one you created the unit file on. I.e let's say that your distribution allows any byte sequence as a username and you create a unit file with "0x00 0x02" as the username, then some one else tries to use your unit file on a distribution that does not allow this and the unit file refuses to work, so if systemd denies your username even on the less restrictive distribution then it makes sure that your unit file works in that other distribution.

Re:Time for tar and feathers?

[F.Ultra]

Is that why tools such as "adduser" have a "--system" flag to "Create a system account."?

Re:Time for tar and feathers?

[F.Ultra]

The unit files are portable because the exact same thing will happen regardless of if your specific system would allow that username or not. If "0day" would work on one system but not on another (which currently is the case) then the unit file would not be portable since it would work on one of those systems but not the other.

Re:Time for tar and feathers?

[drinkypoo]

Is that why tools such as "adduser" have a "--system" flag to "Create a system account."?

Quick quiz, what is the difference between a "system" account and a "user" account? How are they handled differently?

Re:Time for tar and feathers?

Welcome to the insane "logic" of systemd, and of course the fanbois chime in to defend it. Sweet jeebus "people shouldn't do that!" is a terrible attitude for system security.

"Herpy derpy doo, I'll just drive my semi through your kernel, don't mind meeeee!"

Re:Time for tar and feathers?

[knope]

lol ... aside from the yes, indeed clickbait... this fails to define exactly what was affected, the LTS branches weren't using this piece of systemd yet

Re:Time for tar and feathers?

POSIX covers this here: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_437

With the exception of the hyphen character, all characters from here are permitted as the leading character in a username: http://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap03.html#tag_03_276

Linux Standard Base has nothing to say about his: http://refspecs.linux-foundation.org/LSB_3.1.0/LSB-Core-generic/LSB-Core-generic/tocusersgroups.html

Nor does the useradd page: https://refspecs.linuxfoundation.org/LSB_3.0.0/LSB-PDA/LSB-PDA/useradd.html

Re:Time for tar and feathers?

[F.Ultra]

There does not exist man pages on your computer?

System users will be created with no aging information in /etc/shadow, and their numeric identifiers are choosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of groups).

They don't get a /home/ directory either per default.

Re:Time for tar and feathers?

[aardvarkjoe]

That is a very tortured definition of "portable" in this context. You're essentially saying that you want unit files to be "portable" in that they can be used unchanged on every system using systemd, but you are achieving that by making systemd itself non-portable to any system that doesn't enforce the particular peculiar user name restrictions that systemd expects. So far, nobody has come up with a single system that actually disallows usernames starting with a number.

Re:Time for tar and feathers?

[aix+tom]

Yeah, the unit file "works" in the sense that the service is now running as root.

Which makes me wonder if Poettering is paid by the NSA or something......

Re:Time for tar and feathers?

[drinkypoo]

I'm asking you to find out if you know, not to find out the answer, which I already know without having to look anything up. They don't have passwords or expiry, and they're in a low UID range. That's it. It's a convention, and if you completely ignore the convention then everything still works anyway. If you create a system-like user with a higher UID, or if you give a system user a password, the system does not give a fig; It does not malfunction, nor does it attempt to prevent it even slightly.

Neither UNIX nor Unix nor Linux even notices if you violate the conventions around "system" users.

Re:Time for tar and feathers?

[Etcetera]

"Making unit files more portable" is a euphemism for "enforcing our standard on other systems and distributions".

If "0day" is a valid user on a system, there's absolutely ZERO reason why "User=0day" shouldn't be valid config on a system management tool (let alone an init replacement) that runs on that system. I don't care what other distributions do.

LP, once again, shows us that he thinks "Doesn't work on anything except my laptop with my particular setup" is a feature, not a bug, for middleware he's snuck into every distro out there.

Tarring and feathering is quite appropriate.

Re:Time for tar and feathers?

[HiThere]

Could you give a reference to the rule you are referring to? I don't know where to look it up and determine that:
"The rules for Linux user names say they must not start with a digit"

Re:Time for tar and feathers?

[F.Ultra]

And your sysv scripts runs as what now? And if someone could change your unit file to contain a "User=0xxx" then they already own you since it requires root to edit the file and to launch it.

Re:Time for tar and feathers?

[F.Ultra]

That's the price you have to pay when the goal is to have distro agnostic unit files. And apparently there are Linux distros which forbids usernames with prefixing numbers, it does work on my Ubuntu so I guess that it's blocked on Rhat or something.

Re:Time for tar and feathers?

[HiThere]

When I've moved files between systems, what ported was the userid#, not the user name. Has that changed recently?

Re:Time for tar and feathers?

[TemporalBeing]

from the "adduser" manpage:
Add a system user
If called with one non-option argument and the --system option, adduser will add a system user. If a user with the same name already exists in the system uid range (or, if the uid is specified, if a user with that uid already exists), adduser will exit with a warning. This warning can be suppressed by adding "--quiet".

adduser will choose the first available UID from the range specified for system users in the configuration file (FIRST_SYSTEM_UID and LAST_SYSTEM_UID). If you want to have a specific UID, you can specify it using the --uid option.

By default, system users are placed in the nogroup group. To place the new system user in an already existing group, use the --gid or --ingroup options. To place the new system user in a new group with the same ID, use the --group option.

A home directory is created by the same rules as for normal users. The new system user will have the shell /bin/false (unless overridden with the --shell option), and have logins disabled. Skeletal configuration files are not copied.


One big difference is the lack of any shell application (f.e /bin/false instead of /bin/bash), the assignment to "nogroup", and a few other things. By convention system users have UID's 1000 and are allowed root equivalent access.

Re:Time for tar and feathers?

[TemporalBeing]

In today's environment, we can't afford security to be an afterthought, especially in an extremely pervasive and complex piece of software like systemd.

Please remind me why we are using systemd at all? This has been a consistent issue with systemd, and Lennart and team. One reason I'm quite happy to see Devuan release 1.0; really good work and without systemd at all (or rather, it's your choice if you want to use it, but it's not enabled by default).

Re:Time for tar and feathers?

[F.Ultra]

They are not only in a low UID range, they are specifically lower than SYS_UID_MAX which in a well setup system means that you can separate them from the other users, i.e if you make sure that UID_MIN is > SYS_UID_MAX. But what matters more in this particular context is what they are intended to be used for; to be used as users for system daemons. The quote from Lennart that makes you so upset is that he thinks that the naming rules for such users should adhere to a higher/stricter standard which for one would rule out "0day" as a valid name.

Neither UNIX nor Unix nor Linux even notices if you violate the conventions around "system" users.

Which of course no one claimed, nice strawman.

Re:Time for tar and feathers?

[F.Ultra]

Where are not talking about moving files, we are talking about executing unit files on different systems. Like i.e trying to execute the sysv script from RHat on a FreeBSD system.

Re:Time for tar and feathers?

[F.Ultra]

He asked, and he asked in a way that suggested that he didn't believe that system users existed so I quoted a man page as a form of QFT.

Re:Time for tar and feathers?

[serviscope_minor]

The rules for Linux user names say they must not start with a digit, and for good reason

Which rules?

Re:Time for tar and feathers?

[serviscope_minor]

Maybe "feathers" is an option for cpio instead? I can never remember how to use that one.

Re: Time for tar and feathers?

[KGIII]

Some quick searching indicates this is the standard, for a few reasons. I am on a tablet, but Google that statement. There are a bunch of hits to wade through.

Re: Time for tar and feathers?

[KGIII]

Tools like chown can use either a UID or name. If I am reading correctly, this stems from that. It isn't specific to a starting digit, but is meant to prevent usernames being made up entirely of digits. It looks like this does go back to POSIX.

Hmm...

Re:Time for tar and feathers?

[viperidaenz]

"rm /rf / random_dir" won't do much
It'll remove a file called /rf
It'll remove a file called random_dir
It will refuse to remove the directory /

Re:Time for tar and feathers?

[viperidaenz]

Perhaps this:

~# adduser 0day
adduser: Please enter a username matching the regular expression configured
via the NAME_REGEX configuration variable. Use the `--force-badname'
option to relax this check or reconfigure NAME_REGEX.

Wait a minute...

~# adduser --force-badname 0day
Allowing use of questionable username.
Adding user `0day' ...
Adding new group `0day' (1001) ...
Adding new user `0day' (1001) with group `0day' ...
Creating home directory `/home/0day' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:

Re: Time for tar and feathers?

[aardvarkjoe]

Nope, red hat permits it as well. It appears that the misconception came from the default behavior of the useradd tool, but that is hardly the definitive source of what is and is not permissible.

If the goal was really for all unit files to be distribution agnostic, then you'd have to disallow things like "exec" which obviously can't be guaranteed to have identical behavior. Of course, that would be a ridiculous limitation. A much more sensible approach would be to publish guidelines for portable unit files, but not have systemd exhibit broken behavior if someone doesn't follow them exactly.

In any case, LP's refusal to make any change should be considered completely unacceptable. It would be one thing if systemd threw an error in this case; at least then the user knows that they'll have to work around this bug. But allowing a security hole to persist after it's been reported? That's almost malicious.

Re: Time for tar and feathers?

[squiggleslash]

I just Googled serviscope's statement and I found a lot of links to articles about the systemd controversy, plus a Stack Overflow where someone asks why, and is told emphatically that he's wrong - but in all cases the links are to, and quotes are from, manpages, not to a standards document blessed by RMS, the LSB people, or anyone else.

I can believe that this is the standard though I disagree with the rationale, which seems to be "Then someone could create a username that's all digits fooling applications that allow you to specify either a UID or username" (I've never come across an application that does, but assuming some do, so what? They shouldn't) but it'd be nice to see an actual formal document, followed by all mainstream GNU/Linux distributions as a matter of policy, that mandates this.

Re:Time for tar and feathers?

[aardvarkjoe]

I've been a Debian user for a really long time and have put up with systemd since it's easier than trying to avoid it. But this has pretty much convinced me that I need to switch. I can't afford to allow these jokers to compromise the security of my system.

Re:Time for tar and feathers?

[drinkypoo]

I suppose technically it depends on adduser.conf and the regex defined in there, which only one tool apparently bothers to check. GNU isn't POSIX either, in any case.

Too bad you didn't check the manpage for adduser.conf:

/etc/adduser.conf - configuration file for adduser(8) and addgroup(8).

It's not that "only one tool [...] bothers to check" that file. It's that this file is specifically for adduser. You're mischaracterizing the purpose of the file in order to serve a disingenuous interpretation of the situation.

Re: Time for tar and feathers?

[KGIII]

It looks like convention, more than a default rule.

Stuff like chown will run with the UID or username. So, if you had username of 1001, with a real UID of 1000, and a second user as 1001, then stuff like that would get confused. That's one such example.

I'm not sure that it's so much a standard, it's just that that's what people have been doing. Some further reading said it goes way back to early POSIX?

I am, by no means, asserting any skill or authority on the subject. That's just what I read. It does seem strange that it's not actually a formal statement OR that usernames aren't just automatically processed - so that (in the above example) 1001 would be processed via UID and appear as 1000 to the system. That later seems like it shouldn't be too hard to do - check against some API, or something, and interpreted usernames would be the solution? Maybe?

Again, I am absolutely not an authority.

Re: Time for tar and feathers?

[aberglas]

If you use C or C++ you are an idiot. Archaic shit obsolete before it was introduced long ago. And responsible for a huge number of bugs, both security and stability.

Re:Time for tar and feathers?

[dbIII]

I guess the question is if the input should be validated by systemd or the tool creating the user

Considering that the tool can be a text editor it's nothing but ignorance (on the part of the developer not yourself) or an excuse for laziness to expect the tool to do the work of checking for a valid input.

Re:Time for tar and feathers?

[Bert64]

But the service may get exploited, and it's good practice to run as an unprivileged user incase it does...
The user may believe that the service runs as an unprivileged user when in fact it does not. If an error like this is encountered the service should refuse to start and display/log a clear error message rather than running as root, so the user can go and correct the situation.

Re: Time for tar and feathers?

[Demena]

Errr.... since the first #! line indicates what shell is to be used to run the script there should be no problem as a default FreeBSD install comes with the requisite shells.

Re: Time for tar and feathers?

[Joce640k]

...and it's still causing bugs like this one.

Re:Time for tar and feathers?

[putaro]

If his response was "That's an invalid user name, we'll just reject it and fail the command" that would be OK. Ignoring it and running as root silently isn't.

Re: Time for tar and feathers?

[paulatz]

Systemd is not kernel code

Re: Time for tar and feathers?

[MoHaG]

I'm assuming they should be using something using a compiler/interpreter written in C / C++ instead?

Re:Time for tar and feathers?

[slashways]

Someone killing a bulletproof 'security model'; and replacing it by a lot of absurd random layer of software code is at least an 'useful idiot' in this post Snowden era.

Re:Time for tar and feathers?

[strikethree]

The fact that Poettering can't see that after 10 seconds of thinking about it tells me that I wouldn't want his code anywhere near my system.

Welcome to the "Frothing at the mouth Poettering haters club". Your opinion will now be ignored because you can now be classified as a hater.

It does not matter what the reality of the situation is because this is NOT about logic or reasonableness. It is about one group forcing their power and control on another group. Logic and reasonableness have no place in a political fight for control. THAT is why there is no use discussing any of this. Poettering and Redhat have made their stance clear: They will dominate and control Linux and fuck you if you do anything that could jeopardize that control.

I am just shocked that nobody else seems to see this and call it out. But then, I have never been politically savvy so I end up calling out shit like this at all the wrong times. Meh. Linux will be a political beast no less than Microsoft and I can't help wondering why more people are not fighting against it. I want code that does what *I* want it to do, not what someone else wants it to do.

Re:Time for tar and feathers?

[strikethree]

As you have been informed repeatedly in this thread ...

As I said in my earlier response to you: Logic and reason do NOT apply here. The words you are arguing against have no meaning of their own, they are just words that convey the message of, "Poettering is right and everyone is wrong."

You are wasting your time arguing about any of this. (We are on the same side of all of this if it is not obvious yet)

Re: Time for tar and feathers?

[F.Ultra]

The goal really is to be distribution agnostic, that is why the master list of unit files are managed in a central location from which the various distributions fetches the majority of their unit files (and contribute changes). Things like exec of course does exist but if you use a distro specific script there then your unit file will not be accepted upstream, but writing your own personal unit files are of course ok.

This is hardly a security hole. All sysv scripts have run as root for ages without people crying wolf, and for this to impact your security you have to first come up with a way where I can attack you with this bug with no other possibility for me to run things as root on your system first.

All that said, I believe that this behaviour is going to change, LP is not the sole dictator of systemd and note that the bug on GitHub was not closed but closed for public discussion so to me this looks like they discuss it internally.

Re:Time for tar and feathers?

[F.Ultra]

Oh a funny AC who sees no merit in man pages. Junior College? Now I'm not American, but that would have been over 20 years too late if I where.

Re:Time for tar and feathers?

[F.Ultra]

Of course, but then we also have to dream the pipe dream that running a exploited daemon with a non privileged user will still protect the system. So far this have not worked out so well unfortunately. And there is a warning logged when this particular bug is encountered, that is how it was found in the first place.

And no I don't think that this behaviour of systemd is good or OK but I also don't see the sky falling.

Re: Time for tar and feathers?

[F.Ultra]

I see that you have not written sysv init scripts before.

The sysv init scripts from Linux does not work on FreeBSD i.e because they don't use sysv init to begin with. And there are big differences between Debian and Red Hat systems and then you have all the other distros with their little changes here and there. For the most part the init scripts are written by the distro maintainers and not by upstream due to these differences. And this is one of the things that made systemd be so quickly adopted by the distributions because they no longer had to maintain their old specific scripts.

Re: Time for tar and feathers?

[aardvarkjoe]

The goal really is to be distribution agnostic, that is why the master list of unit files are managed in a central location from which the various distributions fetches the majority of their unit files (and contribute changes). Things like exec of course does exist but if you use a distro specific script there then your unit file will not be accepted upstream, but writing your own personal unit files are of course ok.

Fixing this problem doesn't stop systemd from being distribution agnostic in any way. If he wants a policy of "no usernames starting with numerals in standardized unit files", that's fine. But refusing to fix a systemd problem for a completely valid configuration just because of his tremendous ego? Not acceptable.

This is hardly a security hole. All sysv scripts have run as root for ages without people crying wolf...

These aren't equivalent. In this case, the user is telling systemd to run something as another user, and systemd is ignoring that directive, without any notification to the user. So you end up with something that is intended to run as another user with root permissions.

With sysv init, the scripts are intended to run as root. If you want to run something from a sysv init script as a different user, that's easy to do with various tools. And guess what -- if those tools can't run the command as the specified user, they don't run the command. That's how you handle this situation correctly in a secure way. You don't say, "screw it, if I don't like the username I'll just run it as root instead!"

...and for this to impact your security you have to first come up with a way where I can attack you with this bug with no other possibility for me to run things as root on your system first.

Typical systemd apologism. LP claims that it's not a problem because any tool that can create one of these userids is broken. (He's wrong.) You claim that it's not a problem because you can't see a way to trivially exploit it. (You're wrong.) In both cases, you dismiss any criticism of systemd because you don't understand the underlying issues. We've see this happen over and over.

In the real world, most security exploits need multiple steps to exploit. Running software with elevated permissions is a classic security vulnerability. This is the kind of bug that turns a small problem into a gaping security hole.

All that said, I believe that this behaviour is going to change, LP is not the sole dictator of systemd and note that the bug on GitHub was not closed but closed for public discussion so to me this looks like they discuss it internally.

According to https://github.com/systemd/systemd/issues/6237, it's been closed with not-a-bug. I hope it gets fixed someday, but I'm not holding my breath.

Re: Time for tar and feathers?

[F.Ultra]

without any notification to the user.

Do I really have to tell you once again that systemd logs a warning when this happens?

With sysv init, the scripts are intended to run as root. If you want to run something from a sysv init script as a different user, that's easy to do with various tools. And guess what -- if those tools can't run the command as the specified user, they don't run the command. That's how you handle this situation correctly in a secure way. You don't say, "screw it, if I don't like the username I'll just run it as root instead!"

Only if you specifically check the exit code of su in your script, so you must manually check all sysv scripts that claim to run under a different user just as you have to check all the unit files that claim to run under a different user and checking all the unit files is way easier "grep User= /lib/systemd/system/.*service" and see if any of them starts with a number. Far easier than to go over all the sysv scripts in order to find missing checks.

You claim that it's not a problem because you can't see a way to trivially exploit it. (You're wrong.)

So prove me wrong then. Please come up with a scenario where you can exploit this.

it's been closed with not-a-bug.

The bug reads: "This conversation has been locked and limited to collaborators.". Perhaps that is how all bugs that are closed looks like (I don't use github) but if not then too me this sounds exactly what I wrote earlier.

Re: Time for tar and feathers?

[aardvarkjoe]

Do I really have to tell you once again that systemd logs a warning when this happens?

Unless you happen to be monitoring the specific logfile where that is logged, you will never know. I have no idea where the hell systemd would log such a thing. And why would I be looking for it? I made a completely reasonable setting in the unit file, and the associated program started. I would have no reason to dig through logfiles to make sure that systemd actually did what it was told to do.

Only if you specifically check the exit code of su in your script, so you must manually check all sysv scripts that claim to run under a different user....

You are speaking from ignorance. You can't actually use 'su' the way you're suggesting. This doesn't work:

#!/bin/sh
su user
whoami

Instead, you have to use something like the following:

#!/bin/sh
su user -c "whoami"

That will print "user", as expected. And if you give it a bad username, then instead you'll get:

[root@oc0114316170 ~]# sh test.sh
su: user user does not exist

Under no circumstances will this construct end up running the 'whoami' command as root.

So prove me wrong then. Please come up with a scenario where you can exploit this.

This is security 101, dude. Take a service with one of any number of potential security problems -- a buffer overflow, for instance. Normally it is run under a non-root user account, but because of the systemd bug it is run as root instead. Abracadabra, systemd has turned a limited exposure into a local root exploit.

And please don't turn around and claim that that doesn't count because it requires a problem in another piece of software. Secure engineering means that you design your software to limit exposure from other sources.

The bug reads: "This conversation has been locked and limited to collaborators.". Perhaps that is how all bugs that are closed looks like (I don't use github) but if not then too me this sounds exactly what I wrote earlier.

The state of the bug is shown near the top. LP closed the bug, saying it's not-a-bug, and then locked the discussion, because he can't stand to have people point out that he's full of crap.

Re:Time for tar and feathers?

[jeremyp]

If I create a unit file with jeremyp as the user name, it probably isn't going to be portable. You understand that, even if you restrict user names to start with a letter, you can't guarantee they exist on an arbitrary different system?

This whole conversation is bullshit. The so called standard seems to be based on oner tool that restricts user names, but nobody seems to have noticed that the rule is defined by a regular expression in a configuration file, which means you are allowed to change it.

Re:Time for tar and feathers?

[jeremyp]

Firstly, some other bit of software also having a security hole is no excuse for leaving this one in system-d.

Secondly, this bug will manifest itself not only if somebody maliciously changes the user name, but also if you accidentally mistype it such that it breaks Poettering's mysterious syntax rules (or have a perfectly legal user that breaks Poettering's rules). Then you have a service running as root that might have a vulnerability that can be exploited from outside if it, for example, opens a listen socket

There's no excuse for this.

Re: Time for tar and feathers?

[F.Ultra]

Unless you happen to be monitoring the specific logfile where that is logged, you will never know. I have no idea where the hell systemd would log such a thing. And why would I be looking for it? I made a completely reasonable setting in the unit file, and the associated program started. I would have no reason to dig through logfiles to make sure that systemd actually did what it was told to do.

With systemd you don't have to hunt down logfiles, you either issue a "systemctl status servicename" which gives you the last few log rows from the service or you issue "journalctl -u servicename" to get the full log of the service you just started.

You are speaking from ignorance. You can't actually use 'su' the way you're suggesting. This doesn't work:

#!/bin/sh su user whoami

Problem with this is that you just guessed now and didn't test it because it does work, su changes to the new user and the rest of the script runs as that very user. Yes I did just test it on my machine and "whoami" gave the name of the other user I put after su.

This is security 101, dude. Take a service with one of any number of potential security problems -- a buffer overflow, for instance. Normally it is run under a non-root user account, but because of the systemd bug it is run as root instead. Abracadabra, systemd has turned a limited exposure into a local root exploit.

And please don't turn around and claim that that doesn't count because it requires a problem in another piece of software. Secure engineering means that you design your software to limit exposure from other sources.

But for this to work some one must have been also able to #1 put such an invalid username in the User= setting in this unit file and #2 the very some one must also have somehow convinced you that this particular unit runs under a different user account and #3 you never checked that it did.

#1 rules out any unit file supplied by a distribution so where did you get the unit file from. And if you never did #3 then that person could just as easily not have used the User= setting in the first place.

The end of it is that you simply cannot trust a random sysv script or systemd unit file regardless of if this bug is fixed or not. You must always check that it does what it claims it does. Do you now understand why I see this as a problem but not of a the sky is falling kind if problem?

Re:Time for tar and feathers?

[F.Ultra]

You don't write init scripts and rpm/deb packages do you? Features like this, when we are talking about distro agnostic unit files, the rpm/deb/whatever creates a user with adduser in the postinst script with the same name that you then use in the User= stanza in the unit file. If this where for a sysv script you usually put the username in the daemon config instead (if the daemon supports changing user and/or group), which at the moment is also how 99% of the daemons on systemd distributions also handle this since the User= stanza have not been used yet.

Re:Time for tar and feathers?

[F.Ultra]

I never said that it wasn't a problem. But if you create your own unit files and never once looks at the logs or checks that it runs as the user you thought it should then this accidental typo could as easily be that you prefixed User= with #User= and thus turned it into a comment. Yes silly argument I know but so are your "LP must protect my from ever making a mistake".

Re: Time for tar and feathers?

[aardvarkjoe]

With systemd you don't have to hunt down logfiles, you either issue a "systemctl status servicename" which gives you the last few log rows from the service or you issue "journalctl -u servicename" to get the full log of the service you just started.

How do I know I'm supposed to do that? I gave systemd a clear, correct directive, and it started the service. Why am I double checking that it did what I told it to do? (Well, unless I happen to know that systemd is total crap and so needs constant monitoring.)

Problem with this is that you just guessed now and didn't test it because it does work, su changes to the new user and the rest of the script runs as that very user. Yes I did just test it on my machine and "whoami" gave the name of the other user I put after su.

As a matter of fact, I did. What is your /bin/sh, and what was the exact script you ran? I have one redhat (/bin/sh is bash) and one debian (/bin/sh is dash) system, and neither one exhibits the behavior that you describe. The script, as I posted, will invoke a new login shell as the user, and then after you exit that shell, will run the whoami command. Given that this should be the expected behavior with any shell and any version of su, I have a hard time believing what you're saying.

More to the point, I defy you to find any existing sysv init script that tries to use that idiom. It's not an issue, and the fact that you think it is tells me that you don't really know what you're talking about.

Do you now understand why I see this as a problem but not of a the sky is falling kind if problem?

I don't think that the fact that systemd had this particular bug is a huge deal. It's symptomatic of the lack of foresight that we see in systemd a lot -- in this case, not fully thinking through the implications of simply ignoring a parsing error in a unit file -- but if the bug had been reported, accepted, and fixed, most people wouldn't have cared.

The fact that LP and friends refuse to fix it is the big deal.

Re: Time for tar and feathers?

[F.Ultra]

How do I know I'm supposed to do that? I gave systemd a clear, correct directive, and it started the service. Why am I double checking that it did what I told it to do? (Well, unless I happen to know that systemd is total crap and so needs constant monitoring.)

Because you are developing a new daemon and testing out your unit/service file/script. Why else would you play around with the User= setting?

As a matter of fact, I did. What is your /bin/sh, and what was the exact script you ran? I have one redhat (/bin/sh is bash) and one debian (/bin/sh is dash) system, and neither one exhibits the behavior that you describe. The script, as I posted, will invoke a new login shell as the user, and then after you exit that shell, will run the whoami command. Given that this should be the expected behavior with any shell and any version of su, I have a hard time believing what you're saying.

Sorry got confused, my bad. The new shell output the username of the new user which the whoami command also does which is why I was fooled (tested too quickly)

More to the point, I defy you to find any existing sysv init script that tries to use that idiom. It's not an issue, and the fact that you think it is tells me that you don't really know what you're talking about.

Well I thought that no sysv script did that was afraid that if I claimed that this where the case then I would get 2 billion angry comments about that (I'm already getting tons of hate posts due to me not writing shit about systemd on this very article). So yes systemd can (if you use a username that starts with a zero) run your daemon as root just like sysv does in 100% of the time and still people claim that this bug of systemd makes it less secure than old sysv (I'm not saying that you claim this) while the User= feature of systemd actually makes for a more secure environment than sysv could ever achieve.

Yes that LP closes bugs like this a bit too quick is a problem, I would however be concerned if he did so for something really serious and I have not seen him do that just yet so I'm not ready to throw him under the bus right now. Systemd is such a big improvement over sysv, upstart, smf, launchd and so on that he have done quite a lot of things right at least.

Re: Time for tar and feathers?

[aardvarkjoe]

Because you are developing a new daemon and testing out your unit/service file/script. Why else would you play around with the User= setting?

Why am I not surprised that you can't imagine a reason to change a configurable option?

So yes systemd can (if you use a username that starts with a zero) run your daemon as root just like sysv does in 100% of the time and still people claim that this bug of systemd makes it less secure than old sysv (I'm not saying that you claim this) while the User= feature of systemd actually makes for a more secure environment than sysv could ever achieve.

You're still talking utter nonsense.

In a sysv init script, if you want to run your daemon as a particular user, you add a line like the following:

su 0day -c /usr/bin/daemon

It's simple and it works. If you do give it an invalid username, it will fail to start the daemon, as one would expect, instead of running the daemon with elevated privileges.

Perhaps the reason you're getting all this "hate" is because you keep making obviously false statements? In this case that "the User= feature of systemd actually makes for a more secure environment than sysv could ever achieve."

Re: Time for tar and feathers?

[F.Ultra]

Why am I not surprised that you can't imagine a reason to change a configurable option?

That is not what I wrote! If you change it then you have an equal responisibility as that of the maintainer, i.e you have to check that your change did what you expected it to do. Or are I'm to believe that you blindly make changes to systems without checking the result?

You're still talking utter nonsense.

In a sysv init script, if you want to run your daemon as a particular user, you add a line like the following:

su 0day -c /usr/bin/daemon

It's simple and it works. If you do give it an invalid username, it will fail to start the daemon, as one would expect, instead of running the daemon with elevated privileges.

Perhaps the reason you're getting all this "hate" is because you keep making obviously false statements? In this case that "the User= feature of systemd actually makes for a more secure environment than sysv could ever achieve."

Okey that one was stretching it a bit I admit but one such statement is far from "keep making". And there is a good reason why no sysv script changes the user but lets the daemon itself do it and that is due to the complexity needed to make su work here. First you need to have a user with a password since su does not work with passwordless users, then you need to use an expect script in order to send this password with your non interactive script, then you have to either give this user a valid shell which breaks a few of the reasons we used this user to begin with so you then have to enter the command to run as the shell which means that the daemon have to be in a path where this user have the right to execute it and it must also have execute rights on the daemon.

None of this is of course impossible but AFAIK no one have yet bothered to do it this way leading us to a world where all sysv scripts execute as root and the responsibility to be able to drop privileges is left to the daemon itself, and have we checked the source of every such daemon to see if they exit if setuid() and/or getpwnam() fails?

So yes, the User= feature or systemd will lead to a more secure environment than what we had in the old sysv days not because it's impossible to do so under sysv but because it was too much trouble. And yes this bug in systemd puts some shame on this whole premise but I have a hard time seeing any one successfully exploiting this.

Re: Time for tar and feathers?

[F.Ultra]

runit is not sysv though, it's compatible with sysv scripts but so are most other replacements including upstart and systemd of course.

Re: Time for tar and feathers?

[aardvarkjoe]

And there is a good reason why no sysv script changes the user but lets the daemon itself do it...

Totally, utterly false. Switching users in an init script is something that a fair number of scripts do, as you'd know if you bothered to google it.

First you need to have a user with a password since su does not work with passwordless users, then you need to use an expect script in order to send this password with your non interactive script, then you have to either give this user a valid shell which breaks a few of the reasons we used this user to begin with so you then have to enter the command to run as the shell which means that the daemon have to be in a path where this user have the right to execute it and it must also have execute rights on the daemon.

You are still talking complete nonsense. Yes, using 'su' only works for users with a password. There are other tools that don't have that limitation, if that's what you need. For instance, look up "setuidgid" from daemontools, which is specifically designed to address running daemons as a different userid -- the use case that you are now claiming that nobody does!

I don't know what you're trying to talk about with your stuff about expect scripts. As I've already mentioned, a perfectly acceptable way to start a daemon as user 0day is:

su 0day -c /usr/bin/daemon

No expect script needed. And as for what you're trying to say about permissions ... of course the user that you're running as has to have permission to run the daemon. That's the whole point! What, do you think that doesn't hold true with systemd's "User=" option?

None of this is of course impossible but AFAIK no one have yet bothered to do it this way...

Apparently, "as far as you know" isn't very far at all. You probably should stop talking about topics that you obviously know next to nothing about.

Re: Time for tar and feathers?

[F.Ultra]

Yes there are other tools that don't have that limitation and you could write your own tools. But that is besides the point because I'm not talking from the "I hack on my own system" point of view, I'm talking about creating init scripts meant for distribution and that will work on all systems. When you do that you can not hope that the end user have daemontools installed or some other tool that does this for you. This is where systemd (and upstart before it) helps because it offers all this functionality and more as a base.

You need an expect script if you plan to use su in a init script so that you can supply the password to it, your "su 0day -c /usr/bin/daemon" would just hang the the entire boot sequence waiting for interactive input. The permissions is that your "0day" user must have execute rights on /usr/bin/ which it does not need if you use User= in systemd. Your 0day user also needs to have a shell, somehting that the User= in systemd doesn't need.

And even with something like daemontools (which I have used extensively back when I wrote sysv scripts for Gentoo) the daemon runs as a different user but not the rest of the sysv script, which btw is one of the ways that the MySQL sysv script was hacked last year.

Apparently, "as far as you know" isn't very far at all. You probably should stop talking about topics that you obviously know next to nothing about.

So show me a single sysv script shipped with any distribution that uses SU in order to run a daemon as a different user, a single one.

Re: Time for tar and feathers?

[F.Ultra]

So now the sysv script that I distribute to people borks if they don't have runit installed?

Re: Time for tar and feathers?

[aardvarkjoe]

Yes there are other tools that don't have that limitation and you could write your own tools. But that is besides the point because I'm not talking from the "I hack on my own system" point of view, I'm talking about creating init scripts meant for distribution and that will work on all systems. When you do that you can not hope that the end user have daemontools installed or some other tool that does this for you. This is where systemd (and upstart before it) helps because it offers all this functionality and more as a base.

Init scripts are typically maintained per-distribution, and so will rely on tools present in that distribution. The utility of being able to distribute a common file to start a service is a point worth considering, but it is completely irrelevant to your claims that nobody uses this function.

You need an expect script if you plan to use su in a init script so that you can supply the password to it, your "su 0day -c /usr/bin/daemon" would just hang the the entire boot sequence waiting for interactive input.

You're looking more and more like either a troll or an idiot. If you don't know how su works, how about you try it instead of spouting more incorrect information? I gave you a script earlier that runs 'whoami' as a different user. It's just two lines long. How hard is it to run it instead of looking like a moron when you make incorrect claims about it?

"su" does not require a password when run as root. This whole expect script requirement is a fiction that you've invented.

And even with something like daemontools (which I have used extensively back when I wrote sysv scripts for Gentoo)

...uh huh. right. If you used them "extensively" and wrote init scripts, I'm pretty sure you'd be a little better informed about how they work.

...the daemon runs as a different user but not the rest of the sysv script,...

Nobody has objected to the script running as root. We also don't object to systemd running as root. Is this the strawman you're attempting to attack?

So show me a single sysv script shipped with any distribution that uses SU in order to run a daemon as a different user, a single one.

Although I don't know any good way to search all released init scripts for a distribution, the script "/etc/init.d/speech-dispatcher" on my debian stretch system runs the /usr/bin/speech-dispatcher daemon as the user "speech-dispatcher". This is done using "start-stop-daemon --user", which is a Debian-provided tool to start daemons.

(I'm not sure why you would be insistent on using "su" to achieve this.)

Re: Time for tar and feathers?

[aardvarkjoe]

Forgot to respond to this part; hate to let this little bit of misinformation to stay uncommented on.

The permissions is that your "0day" user must have execute rights on /usr/bin/ which it does not need if you use User= in systemd.

First off, I have no idea what you think you'd be accomplishing by denying the user id that is supposed to be running the daemon search permission (execute permission on the directories) for the executable that it is supposed to be executing. That's what those permissions are for, after all -- to define which users are or are not permitted to perform certain operations. If you want a particular user to be able to access an executable in a particular directory, you grant that user permission to do so.

Secondly, since your claim that systemd doesn't require the the user to have search permission sounded fishy, I checked it out.

exec_spawn() (src/core/execute.c) calls fork() to create the child process, and then calls exec_child(). exec_childs call enforce_user(), which switches the UID by calling setresuid(). It then calls execve() to execute whatever it needs to run.

execve() will fail with EACCES if search permission is denied on any portion of the path prefix for the executable file. So systemd will have the exact same behavior with regard to permissions as su or any other similar tool. That shouldn't be a surprise, since this is essentially exactly the same process that su uses.

Your 0day user also needs to have a shell, somehting that the User= in systemd doesn't need.

We've already established that using 'su' is not a requirement. The only reason we're even talking specifically about 'su' is because you keep bringing it up.

I've mostly kept responding because I'm curious exactly how much deeper you're going to dig yourself in. So far, it seems like you haven't hit the limit.

Re: Time for tar and feathers?

[F.Ultra]

The state of the bug is shown near the top. LP closed the bug, saying it's not-a-bug, and then locked the discussion, because he can't stand to have people point out that he's full of crap.

And now systemd will no longer run a unit with an invalid name: https://github.com/systemd/sys... , so as I assumed there where further non-public discussions that eventually led to this bug being solved.

The problem with systemd

[SharpFang]

That's a problem with Systemd. It's a pretty decent idea with a sub-par execution and a crappy way of dealing with an inherent problem.

Idea: centralized place to optimize startup, management and interconnectivity of all kinds of services.

Problem: some services in their standard form don't quite fit that model.

Solution: let's rewrite them and include as parts of systemd.

The crap part: while the originals were made by experts in that field, the replacements are made by a group of wannabe experts on everything ever, some with overinflated ego. This results in seriously inferior code replacing old 'tried and true' solutions.

At this point, the only real solution I can see is making a fork of systemd, banning the current systemd creators from participating in it, and trimming it to size. If a service doesn't quite fit systemd, work on systemd until it fits, don't rewrite it!

Re:The problem with systemd

[dwywit]

"a fork of systemd, banning the current systemd creators from participating in it, and trimming it to size. If a service doesn't quite fit systemd, work on systemd until it fits, don't rewrite it!"

That's not a bad idea - meanwhile, Poettering's response (presumably): "Systemd is working as expected. This is a flaw in {bind/whatever}. Bug closed."

Re:The problem with systemd

[Tranzistors]

If a service doesn't quite fit systemd, work on systemd until it fits, don't rewrite it!

Part of the appeal of the systemd is that it minimises the idiosyncrasies of all the different tools. You don't have to rewrite the services, but fitting them to systemd is reasonable. For example, udev was not rewritten, just integrated.

originals were made by experts in that field

Whatever made you say that? There are no mandatory security audit, secure coding practices, mandatory code reviews, qualification certificates or anything like that in free software. Some of it is even insecure by design (I'm looking at you, X.org). systemd will get rid of these bugs eventually as time goes on.

Of course, all theses problems could have been avoided, if it had been written in C++14 or rust from the beginning. (And yes, that was sarcasm. Sorry.)

Re:The problem with systemd

[carnivore302]

The crappy part is the centralized place to optimize startup.

Re:The problem with systemd

[Gravis+Zero]

At this point, the only real solution I can see is making a fork of systemd, banning the current systemd creators from participating in it, and trimming it to size.

There are problems with that idea:

* Red Hat is backing Systemd and this is the only thing Lennart seems to work on. You'll be in the quagmire of always trying to catch up on new shitty features and broken compatibility.
* Systemd was 250K+ LoC last I checked
* Systemd's source code is poorly documented at best.
* Systemd has a overly clever design that makes it difficult to grok.

I'm not saying that Systemd shouldn't be replaced, I'm saying that you need to discard the original.

Re:The problem with systemd

[Viol8]

"Some of it is even insecure by design "

So because all software has bugs we should just say: "Meh, who cares if systemd is bloated, has monumental feature creep, an author with a serious ego problem who doesn't like fixing them and it replaced an init which, while a bit crusty did what it said on the tin, because, well, systemd." Right?

Wrong. Systemd, is a poor idea, poorly implemented in a project thats poorly managed. Quite why redhat are in thrall to the arrogant little twerp in charge is anyones guess.

Re:The problem with systemd

[jellomizer]

So the product is open source but not open spec.

Re:The problem with systemd

[Tranzistors]

I am not saying that systemd is flawless, but the OP made a point that other software is well designed and well written. Which is not true. I would suggest reading The Unix-Haters handbook.

Re:The problem with systemd

That's a problem with Systemd. It's a pretty decent idea with a sub-par execution and a crappy way of dealing with an inherent problem.

If by "decent" you mean "spectacularly stupid, fantastically bad, terrible to depraved depths, will never work properly", then yes.

The problems with basically anything written by poettering and crew start with them being... let's be polite here, not very good with this "software architecture" thingy. Their approaches to any problem they're setting out to solve, real or imagined, are baroque, juvenile, overly complex, brittle, prone to spectacular breakage, and so is their entire everything else.

Yes, there are problems with the software they're seeking to replace, but that doesn't mean their solutions are anything of the sort. We're seeing time and again that their improvements are in fact detriments and so even as a simple user you're typically better off without.

It also doesn't mean the problems cannot be solved some other way. In fact, we have at least a dozen replacements for sysvinit, fully half of which would certainly better than systemd. So there really is no point to use their software at all except because you like sticking to fantastiterribad ideas.

Among poettering and crew's many failings is that they have no truck at all with "the Unix philosophy". If they are dimly aware of where that came from, at best they'll wilfully do something else, just to "be different". Linux' own dave cutler, with fanclub, if you will.

This is quite damaging. So why are red hat still backing poettering and crew? In short, politics. They're having their lunch eaten by oracle, yet they're bound by the GPL, so they're trying a different tack. And for them it's working fine, to the point that many other linux distributions are following their lead.

Which, frankly, is entirely stupid from the other projects' users' PoV. But too many in the community don't grasp the finer points of what's really going on (did you know red hat and oracle are in a corporate war of domination, with oracle doing a good cuckoo impression?) so they'll just bob along with the currents, to their detriment.

I don't expect poettering and crew to understand that they're red hat's useful idiots in this, mind. They might, but from their works I'm inferring they're just not that bright.

So the simple solution is really quite simpler than your proposal: Do away with the poettering crap. Just out with it. All of it. No exceptions. Yes, some things will break, most of which well deserve to break. Some in fact don't even need fixing. Then we can fix the important broken bits, preferrably in a sensible, simple way that keeps well to itself, and doesn't try to overpower fifty other unrelated subsystems. A little architecture and some (un)common decency go a long way here.

Re:The problem with systemd

[SharpFang]

Because "the crap part" is not what is written on the box. Systemd *appears* attractive. The idea is neat. The promise is tempting.

Including systemd in your distro is like preordering No Man's Sky.

Re:The problem with systemd

[AmiMoJo]

while the originals were made by experts in that field, the replacements are made by a group of wannabe experts on everything ever, some with overinflated ego. This results in seriously inferior code replacing old 'tried and true' solutions.

This is a form of survivor bias. Those older tools have just been around longer, with issues fixed over many decades. And even then, there are still some serious bugs in them. For example, recently it was found that some tools to add users allow the username to start with a number, which isn't allowed by the spec and can result in such a user (e.g. "0day") getting root access. Been there for a long, long time because apparently no-one does even basic tests on such critical bits of software to make sure it complies with he established rules.

I'm not saying systemd is great, merely that older tools aren't really either and their current level of quality is largely the result of decades of accidental testing and improvement.

What we really need is people dedicated to testing important OS code. It's a boring job that no-one wants, and anyone who takes it on will probably give up quickly as their bug reports are met with abuse and indifference.

Re:The problem with systemd

Systemd, is a poor idea, poorly implemented in a project thats poorly managed.

Yup.

Quite why redhat are in thrall to the arrogant little twerp in charge is anyones guess.

I don't know how he got a foot in the door, so all I have is my long-distance high-level. The short and sweet is "politics", and he's red hat's useful idiot in their war with oracle.

red hat tried to tighten up their business model by splitting red hat-the-distro into fedora and RHEL. The centos guys forced red hat to release RHEL anyway because GPL. oracle then copied the whole thing verbatim, minus the branding, and called it "unbreakable linux". This allowed them to piggyback on red hat's hard work including their knowledge base. Which is why red hat put that thing behind a paywall. So oracle is doing their level best to eat red hat's lunch and using red hat's own work to do it.

So, what can red hat still do? Well, they can become more proprietary, which is where systemd comes in. No, it's not closed source, but it sure is wilfully, deliberately, and very gratuitously, incompatible with everyone else. So if a big enough party like red hat pushes it into the market, then the rest (*cough* debian *cough*) feels they have to follow suit. That means a big boon in control for red hat. And that's what it ultimately is about.

Of course, you have to have some sort of story of benefit for people to go along with the gambit. But for many the sort of fine-grained control you lose by going systemd wasn't that important anyway, for the good and simple reason that throwing more virtualisation and more hardware at it seems faster and so more cost effective. It's the same sort of reason why virtualisation and massive hardware is so popular in the windows world. The big gain for red hat sure isn't technical, it's political. You can see this in the fact that many rebuttals to technical complaints about systemd are entirely non-technical. Any time a technical argument ends up full of bullshit and personal attacks it really isn't about the technical merits any more.

I doubt poettering himself understands his role in this, seeing his grasp of architecture, code quality, and so on, so that makes him a "useful idiot". He sure does have the personality to pull it off, though. Incompetent arrogance does go a long way, with the right backing.

And, of course, once they get off the ground, bad ideas are hard to kill.

Re: The problem with systemd

Like his reply to the fact that systemd so often swallows log messages.

Re: The problem with systemd

And, security problems + no logs = even bigger problem. Even if he doesn't get why logs are important for security, I wish he would get why they're needed for troubleshooting. It sucks managing a lot of special snowflake servers with systemd since so often error messages don't make it to the journal.

Re:The problem with systemd

[SharpFang]

"Their approaches to any problem they're setting out to solve, real or imagined, are baroque, juvenile, overly complex, brittle, prone to spectacular breakage, and so is their entire everything else."

The problem is moving goalposts.

There is a problem, which they spot, and most people can agree this is a problem.

Then they come up with a solution which is clean, neat, simple and wrong.

Simply, the problem is more complex than what they postulated and their solution, while working on most of it, breaks on the edge cases, which are... more than a bit numerous. And sometimes quite fundamental.

And so, instead of thinking up a different solution, that is more correct, they begin patching the caveats and edge cases in a half-assed manner one by one, building that brittle, baroque, juvenile and overly complex tower on top of the neat core. And as more and more things start falling through the cracks, they keep adding bandaids.

Re:The problem with systemd

[Viol8]

Can't disagree with any of that.

Re: The problem with systemd

It's worse than that. The community didn't have any say in it, it just got rammed down everyones throats; its revealed that linux has started to follow the cathedral model as vendors like Redhat gain more and more exclusive control over it. At this point its worth asking who controls linux, the community built out of tends of thousands of projects that come together, or a few corporate entities?

Re: The problem with systemd

POSIX actually permits user names that start with a number. Not a bug.

Re:The problem with systemd

[makomk]

Because systemd is now a hard dependency of the Gnome desktop, which a lot of distros want to ship. There were some interesting shenanigans involved in getting that through too - initially the Gnome developers insisted this was no bid deal because logind (the part they required) didn't actually depend on systemd and could be used seperately. Ubuntu did this for a while. Then Poettering declared that actually this was never supported, Ubuntu were idiots for doing it, and it would be broken shortly. Ubuntu reluctantly switched to systemd in the next release.

Re:The problem with systemd

[KiloByte]

Systemd is abysmal for users, but less work for distro maintainers.

For example, service files are drastically shorter than init scripts (albeit unlike them, not universal unless you fall back). This could be easily fixable by using a common library, but that'd be a bit of actual work!

On the other hand, systemd is a complete and utter abomination for sysadmins. When sysv-rc (not sysvinit, these parts are modular!) does something wrong, it's a matter of a single line of shell to hack it for your particular use case. On the other hand, when you want systemd to do something Lennart didn't think of, there's no resource (unless you really want to dig through the source of the huge blob, debug it, recompile, install, then do the whole thing again on an upgrade or security update). Just two examples: 1. the usual idiom of mount --bind a filesystem with complex sub-mounts so you can rsync/etc it in peace, 2. degraded mount of btrfs RAID.

Seriously, an init implementation that conflicts with something as basic as RAID, has no place on any non-toy machine.

I for one wear both hats, of a distro developer and a sysadmin. But it's the latter what I get paid for, thus sorry, no systemd anywhere I can shake a shit-covered stick at.

Re:The problem with systemd

[thegarbz]

Systemd, is a poor idea

Which is why all the technical leads of various distributions couldn't wait to adopt it...

Re:The problem with systemd

Which is why all the technical leads of various distributions couldn't wait to adopt it...

...wherever its promoters had managed to remove the opposition through politicking. No success *at all* anywhere else.

Wake us up when anyone adopts systemd-trojan *voluntarily*. Till then, do abstain from crowing.

Re:The problem with systemd

[ckatko]

There is no one on the internet who uses Linux who hasn't heard a hate-filled rant calling systemd a piece of shit.

Every comment section, of every website. Reddit. Slashdot. Mailing lists.

So you're welcome to come up with a new reason for why everyone uses it "even though it sucks." But your reason of "nobody knew it would suck" is complete bullshit.

Re:The problem with systemd

[dyfet]

I have come to like runit, which at least only tries to do the task of being a better init rather well and consistent with existing practices, rather than having idiots rewriting everything and force needless changes just to create one big fail.

Re:The problem with systemd

Original emails concerning "why systend" have been published. Years ago. All have read them I trust. The given reason was to force **brand** on RedHat/Gnome products.

Re:The problem with systemd

[Bing+Tsher+E]

The only way said 'real solution' would ever be able to work is if a certain individual was hit by a bus sometime this week.

We can erect brass statues of said individual so that people can commemorate him and in fifty years time people will have forgotten the details and will revere him and the work he did. So his 'legacy' can go on. Eventually.

Would that suffice? Who's got a chauffeur's license?

Re:The problem with systemd

[silas_moeckel]

The reason is simply every commercially used Linux distro switched to it. We're stuck going along for the ride.

Re: The problem with systemd

[dyfet]

Indeed, I already had two remote servers lost over this very issue. I never had systems fail before systemd, either. The first was one that consistently failed to shutdown, but no logging and nothing in the journal made it impossible to ever discover exactly why. Another failed to boot, and it is equally unclear why. It really is rather crappy.

Re:The problem with systemd

[dbIII]

systemd will get rid of these bugs eventually as time goes on.

Over the last decade it's simply expanded instead of getting things right with existing functions.
Note in the summary "the bug has apparently been present in systemd code since June of 2015". That's about the time DNS was dragged into SystemD isn't it?

Re:The problem with systemd

[dbIII]

If systemd is that bad, why is it so popular

Because RedHat are pushing it and Lennart convinced the Gnome people to depend upon it. Grubby office politics not functionality.

Re:The problem with systemd

[Gr8Apes]

The simple reason is that systemd generates consulting dollars for those selling certain distros and maintenance contracts. When you first start, it seems simpler. When you run into trouble, you're screwed. You're going to need someone well-versed in systemd (consultant) or spend the effort to learn that monumental pile of shit yourself. Conceptually, systemd's proposal is sound. Everyone would love a simple one stop shop to simple start their services with an easy to understand model. The reality is a convoluted and over engineered and complex system that's not really setup to do just what it promised, instead doing a whole slew of extra crap that it really didn't need to deal with.

Re: The problem with systemd

[lucm]

Lately I had a flaky service and to get it working I ended up wrapping the daemon in a shell script, and had systemd call that shell script instead. I still had to fight with systemctl because apparently it knows better than me how long a daemon should take to start before giving up, but I managed to get it working *in spite* of systemd.

Now I have a Docker-first policy and for the most part it's to avoid dealing with systemd.

Re:The problem with systemd

[gweihir]

Pretty good summary. Also make sure sysvinit and systemd can be swapped out against each other without any need to change anything else in the system, including traditional init-scripts. (I mean if Solaris SMF manages to do that, then systemd should easily be able to do that as well.) You know, because some people actually want an init-system that is modular, easy to debug and respects KISS. With that fixed and the things from your comment fixed, all my issues with systemd would vanish. As it is, systemd is on my blacklist for things to never install or use. Rewriting system services because their init-system is broken is just insane.

Re:The problem with systemd

[gweihir]

Excellent comparison, except that for No Man's Sky, I got a full refund a day before it launched officially. The early reviews made it pretty clear that it was mostly vaporware.

Re:The problem with systemd

[gweihir]

I doubt there is a spec, except maybe some chaotic jumble in Lennarts deranged mind.

Re:The problem with systemd

[gweihir]

I fully agree on this. Excellent summary on the political angle.

For myself, I will just stick with Debian with sysIVinit until the major distros finally wake up and make systemd _not_ the default again. Works reliably, is simple, and I have not yet found anything that I care about being broken as a result. Sure, there is some systemd cruft still around, but that can be mostly ignored at this time.

Re:The problem with systemd

[ooloorie]

Idea: centralized place to optimize startup, management and interconnectivity of all kinds of services.

Ah, the central planning mindset at work again.

Re:The problem with systemd

[Opportunist]

The entries for the obfuscated C code contest are open source too. But nothing you should take as a foundation for any kind of sensible work.

Re:The problem with systemd

[SharpFang]

So their initial analysis of the problem and consequently the design of their solution falls woefully short of reality...

Yes. Something that looks good on paper. The kind of naivety found in Tom Clancy's novels, where a single clever unorthodox political move brings peace to Middle East.

... and they'll never admit they were wrong in the first place, but will just keep trying to polish that turd into solid gold.

Ego.

Re:The problem with systemd

Oh, plenty waited. Some got dragged into it kicking and screaming. Some still haven't adopted it.

And a bunch of users just switched to some flavor of BSD.

Re:The problem with systemd

[SharpFang]

You're completely missing the point.

Systemd is a neat idea the same way communism is a neat idea.

Everyone being kind to each other, everyone doing their fair share and receiving their fair share out of honest sense of duty and desire to build a better future for all, no enemies of the system because who'd be stupid to oppose an utopia like that, and nobody slacking off or grabbing more than their fair share because people are inherently honest, generous and laziness doesn't exist.

That's the world where systemd would have been a wonderful solution. Too bad reality doesn't work like that, and Lennart has similar ego problems as Stalin.

Re:The problem with systemd

[silas_moeckel]

Supporting commercial software on top of Linux and you're quickly out of options, old rehl6 based stuff is pretty widely supported but also very old.

Re:The problem with systemd

[aardvarkjoe]

For example, recently it was found that some tools to add users allow the username to start with a number, which isn't allowed by the spec and can result in such a user (e.g. "0day") getting root access. Been there for a long, long time because apparently no-one does even basic tests on such critical bits of software to make sure it complies with he established rules.

This is gold. You're throwing an absolute hissy fit over people saying that systemd is responsible for the bug in question. Then you turn around and claim that the real fault is in long-established tools for not following your (imagined) rules, and exposing a serious security bug in your new systemd code.

What we really need is people dedicated to testing important OS code. It's a boring job that no-one wants, and anyone who takes it on will probably give up quickly as their bug reports are met with abuse and indifference.

.... I bet you don't even realize the irony of this coming from a systemd supporter.

Re:The problem with systemd

[myowntrueself]

Systemd, is a poor idea

Which is why all the technical leads of various distributions couldn't wait to adopt it...

Not quite. It was more a case of "Do we want to include Gnome in our distribution or not?"

Re:The problem with systemd

[phantomfive]

Are you sure? Devuan seems to have Gnome, so it must be working without systemd.

Re:The problem with systemd

[Wolfrider]

--I've read the Unix-Haters handbook - more than once. Systemd is arguably as bad as, or worse, than what they had to deal with back then. (Most of the stuff in that book from waybackwhen has been fixed, at least in Linux and some of the BSDs.)

--Pulseaudio is not bad these days, in fact it helps with HDMI output. But the horror stories surrounding systemd are so godawful that I go out of my way to avoid it wherever possible, at least on systems that I control directly.

--Ubuntu 16.04 in particular was such a non-starter for my needs (and the frequent Ubuntu support-forum bug reports from other users will bear me out on this) that I switched to Antix/MX for daily use/testing - and stuck with Ubuntu 14.04 as a fallback on my main PC - rather than having to deal with the bugs and random system-no-longer-boots issues.

Re:The problem with systemd

[Qzukk]

If systemd is that bad, why is it so popular?

Because 4 people on Debian's tech committee voted for it? Because RedHat hired Pottering?

You seem to have a twisted idea of "popular". The vast majority of people run Windows. Of the tiny fraction that's left, the vast majority doesn't give a shit because it isn't causing a problem for them. The only people we hear about against it are the ones who have been bitten by the issues in it and faced nothing but frustration getting them fixed thanks to Pottering's view that if systemd doesn't work, it's the rest of the universe's fault, and therefore the rest of the universe MUST be changed to fix it. Whether that is network filesystem issues that have lingered for years because Pottering insists that ALL network devices must be turned off before turning off the computer, or this bug where invalid usernames bypass all the other checks and run as root.

Which, btw, isn't limited to just usernames starting with a digit. Because the "invalid username" check disables the User= option, it therefore also bypasses the "username exists" check. Therefore, it could also include code you copy off Stack Overflow which appears to run a service as "User=nobody" but "nobody" is actually written with Cyrillic "nоbody" and is therefore invalid.

Re: The problem with systemd

[F.Ultra]

This old FUD again? Systemd does not and have never swallowed any logs. In fact it (in contrast with sysv init) even preserves everything the daemon outputs to stdout and stderr by sending it to the journal together with the logs from syslog.

Re:The problem with systemd

[kbahey]

I disagree that systemd centralization of services is a good idea. That is exactly what got it into this bug, and there will be more.

But, regarding this:

At this point, the only real solution I can see is making a fork of systemd, banning the current systemd creators from participating in it, and trimming it to size.

Systemd has only two advantages:

1. Startup Sequence Dependency Management. A way to tell daemon X that daemon Y and Z have to start first.

2. An easier syntax. I myself don't mind shell script startup inits, but it seems that other do, perhaps the younger generation.

To that end, there is a solution that addresses the above two advantages, while abandoning all the other bad things about systemd, such as scope creep, swallowing all other services, ...etc.

It is called uselessd. It seems dormant at the moment though, but that is the right approach.

If systemd is replaced by uselessd, AND a given distro (e.g. Debian) allows for multiple init replacements, without a deep dependency chain (e.g. most Desktop Environments today), then I don't mind those who want systemd to remain as an option. The rest of us can just replace it with uselessd, or OpenRC, or anything else and everything works, and continue the UNIX philosophy of many components each specializing in one thing: do one thing and do it right.

Re: The problem with systemd

Yeah except if the binary log files get corrupted in which case systemd just truncates. Nice.

Re: The problem with systemd

[amorsen]

The server probably had something sensible in /etc/fstab that systemd didn't happen to like. It causes systemd to stop booting without giving any kind of error.

Re: The problem with systemd

[Etcetera]

Possibly also SELinux problems. I've seen policy problems silently freeze startup for no reason that were quite tricky to resolve. And a policy rollback in RHEL7.1 ended with me wiping and rebuilding the box.

Re:The problem with systemd

[Etcetera]

Many people turned the other way, trusting that RH (which had just seamlessly switched from traditional init to upstart in the previous release) wouldn't do anything particularly dumb. We were wrong. Or we assumed that Fedora's community would self-correct.

All through the F14 and F15 release cycles concerns were raised as feature and scope creep began to set in (even then). Many people "knew it would (likely) suck" because things were getting out of hand (and they remembered how LP had screwed up PulseAudio) and spoke up about it.

Re:The problem with systemd

[sjames]

Most people believe the flu sucks, but it remains "popular".

Re:The problem with systemd

[SharpFang]

I meant centralization of service startup and management (start/stop/reload/reinit). Not centralization of *services*. That's a definitely bad idea.

Init started rc. Rc, besides its own scripts, would branch out into a dozen custom startup sequences for various stuff; xinit, iptables, these are separate initialization systems. It was... manageable, though far from clean.

Systemd trying to *be* everything it can't *start* (and some which it can but still prefers to *be*) is stupid though.

Re: The problem with systemd

[F.Ultra]

And logs that it did happen. Compare that with what would happen if say /var/log/syslog would be corrupted by inserting say a 0x00 byte somewhere ;)

Re:The problem with systemd

... are you fucking serious, or making some sort of joke?

For example, recently it was found that some tools to add users allow the username to start with a number, which isn't allowed by the spec and can result in such a user (e.g. "0day") getting root access

You know systemd is the thing that gave them root access, right? That everything else would have allowed the username and NOT given it escalated privileges, but Poettering's idea of 'fail safe' is 'fuck it, here's root'. And by the holy spec of "has been working that way for years", usernames starting with numbers were frowned upon but not disallowed.

I'm not saying systemd is great, merely that older tools aren't really either and their current level of quality is largely the result of decades of accidental testing and improvement.

The older tools WERE great. That's why everyone is bemoaning systemd replacing them. If systemd was actually better, we'd be lauding the genius who overshadowed so many of his technological forefathers. But we're not. It's almost as if Red Hat Inc. has forced an inferior replacement on us to get the upper hand on Oracle...

What we really need is people dedicated to testing important OS code. It's a boring job that no-one wants, and anyone who takes it on will probably give up quickly as their bug reports are met with abuse and indifference.

Agreed. It amazes me how many businesses rely on linux, how much money it makes for them, but no one seems to be willing to pay testers. As you said, it's a shit job that no one competent is going to volunteer for. Then again, Red Hat pays Lennart's salary. If systemd is what we get when Red Hat foots the bill, then I'm thinking we're better off without paid testers...

Re:The problem with systemd

[HiThere]

Sorry, but you're forgetting that the current system has had a bunch of startup pains that have been corrected. But this is what makes replacing it with systemd except on a few test systems such a bad idea.

Note: Pottering may be less pleasant and more opinionated than the current maintainers of the standard tools, but the early builders of those tools weren't mild and unopinionated themselves. And they weren't all experts to start with. The difference is that the tools they were working on were relatively small, and they didn't have a major corporation pushing their megalomania.

The past wasn't anything golden, but over time we worked through the problems. And a part of the way we did so was by modularizing so that small pieces were worked on at any particular time.

Re:The problem with systemd

[F.Ultra]

So that is why I can run Gnome3 on FreeBSD, because FreeBSD adopted systemd? Are you sure?

Re:The problem with systemd

[F.Ultra]

Yeah systemd is such a hard dependency on Gnome that you cannot run Gnome3 on say FreeBSD, oh wait, it does!

Re:The problem with systemd

[serviscope_minor]

Systemd is abysmal for users, but less work for distro maintainers.

For example, service files are drastically shorter than init scripts (albeit unlike them, not universal unless you fall back). This could be easily fixable by using a common library, but that'd be a bit of actual work!

No surprises it came out of deadrat. Did you ever look at their init scripts? Christ alive! those things were huge, hairy and hideous. I remember screwing around with the X init scripts somewhere in the early 2000s. Basically RH6.something had completely rewritten scripts, but the old scripts for 5.2 then 4 were pasted at the end such that if one failed it would fall through to the next.

Most weren't quite that bad, but given that's how they wrote shell scripts, no wonder they though the scripts sucked.

On the other hand, when you want systemd to do something Lennart didn't think of, there's no resource (unless you really want to dig through the source of the huge blob, debug it, recompile, install, then do the whole thing again on an upgrade or security update)

And of course, it's still in C in the 2010s. So you have to figure out the system logic from in amongst all the micro-managing of resource allocation. Yay!

Re:The problem with systemd

[serviscope_minor]

For example, recently it was found that some tools to add users allow the username to start with a number,

Like vi, emacs, pico, ed, ex, nano, and even Atom?

Re:The problem with systemd

[viperidaenz]

I thought it was systemd because boottime!
initd was a bit shit at starting services in parallel

I know it's been worth my while using it. My 'workhorse' linux machine has saved seconds off the only boot it's done in the last 4 months.

Re: The problem with systemd

[KGIII]

\o

But, I am just a fairly typical user and have just a small network. I kinda like systemd.

Re:The problem with systemd

[chihowa]

Systemd, is a poor idea, poorly implemented in a project thats poorly managed.

If systemd is bad, why the distros featuring it are thriving, while the non-systemd ones are small projects with uncertain future [Nota bene: I'm not a systemd advocate?

Inertia. The specifically non-systemd ones are either brand new and are in the early stages of adoption/development (Devuan) or are old, but haven't had a large following for years (Slackware). [Slackware will never die, by the way. It's one of the immortals.]

Let's look at it another way: This may be because I'm not in the corporate world, but I haven't met somebody who has deliberately installed anything from RedHat (or had anything good to say about RedHat) during this decade and systemd development and integration started at the beginning of this decade at RedHat. If systemd was not bad, why would this be the case?

Re:The problem with systemd

[fisted]

Show me the pages in the Unix Haters Handbook

1994

that cover

  - bind

Early 1980s

- ntp

1985-1988

- syslog

1980s

- sudo

1980s

they don't exist because the book predates all of those.

Yeah right.

Re:The problem with systemd

[fisted]

This sums it up pretty nicely.

Re:The problem with systemd

[Tranzistors]

rather than having to deal with the bugs and random system-no-longer-boots issues

This is rather interesting. As a Fedora user I have lived with systemd for quite a while and now looking back I can say that i had much more issues with booting and shutdown before switching to systemd. Perhaps I'm just lucky, perhaps software has matured more and with time such bugs get caught regardless of init systems.

Re:The problem with systemd

[phorm]

Most shops I know that are paying for RHEL support contracts, not for the software. That gives them somebody to call if issues come up or there's a critical bug to fix, as well as access to the KB's etc.

I don't know that SystemD changes this much. If anything, it's hurting RedHat's reputation.

Re:The problem with systemd

[makomk]

Devuan has gnome since it's a Debian fork, but all the information I can find says it doesn't work properly and they don't encourage people to use it, e.g. https://www.theregister.co.uk/...

Re:The problem with systemd

[SharpFang]

Gotta agree. Optimized startup is a nice thing, but not necessary, by far. Definitely not worth sacrificing so much.

(and while startup optimization IS important in embedded, systemd alone is heavyweight enough that it's not really welcome.)

Personally, I'd much rather see a robust, fault-proof hibernation. My Windows desktop has 15 days of uptime by now recorded (since last updates that required reboot) - because thanks to hibernation I can resume work where I ended it last day, everything back to original state, and faster than with cold boot. Linux... if you ever get hibernation to work, after resuming the work several times, programs begin misbehaving. Firefox starts leaking memory left and right, Plasmashell crashes, something everything freezes.

Systemd is really a solution in search of a problem.

Re: The problem with systemd

[strikethree]

It sucks managing a lot of special snowflake servers with systemd since so often error messages don't make it to the journal.

You are doing it wrong. You can have SystemD export text logs. Go reconfigure the defaults on those thousands of servers if you don't like it.

Re: The problem with systemd

[strikethree]

Indeed, I already had two remote servers lost over this very issue. I never had systems fail before systemd, either. The first was one that consistently failed to shutdown, but no logging and nothing in the journal made it impossible to ever discover exactly why. Another failed to boot, and it is equally unclear why. It really is rather crappy.

Again, this is totally your fault. SystemD will do everything that syslog will do if you take the time to configure it correctly. A new paradigm is upon us and your outdated way of doing things will be flushed down the toilet. Get with the times old man, learn how to use PROPER software instead of that ancient junk that you started out with 30 years ago. The old tools are not compatible with the new reality that is upon us. Adapt or die.

(it should be noted that adapting is the same as dying since the philosophical framework behind SystemD does not support actually working correctly in the real world, but being logically coherent and consistent with reality is NOT a requirement in this new paradigm. Gotta love insanity, but meh ... )

Re: The problem with systemd

[strikethree]

SystemD will be completely unavoidable in another 5 to 7 years. I just gave up on Linux two days ago. I can't use insane software and I can't fight it. The only thing left to do is quit entirely. The software world is FUCKED and there is no hope. Microsoft happily collects all of your data (including passwords and such) so that every portion of your life that touches binary communication will be available for analysis. Microsoft sells access to that data to any large group that wants it. Especially concerning since the NSA seems to have gone off the rails and forgotten that the 4th and 5th amendments take precedence over any executive orders or laws that Congress pass (unless those laws are created as a new Amendment!). Linux has Redhat using Poettering to utterly corrupt and "control" the Free Software stack.

OpenBSD is the only operating system worth using at this point. Theo may be a politically incorrect raging asshole (or not) but he has honor, ethics, and morals which appear to be impeccable.

Re:The problem with systemd

[strikethree]

Quite why redhat are in thrall to the arrogant little twerp in charge is anyones guess.

Eh? This is all being driven by Redhat. Poettering is merely the useful idiot in this scenario. Redhat would have chosen someone like Poettering if he was not available.

Redhat wants control. That is the answer to your question.

Re:The problem with systemd

[phantomfive]

oh, nice find, thanks.

Re: The problem with systemd

[TechnoJoe]

I don't know why everyone is complaining so much about systemd. It works great for me.

FYI, I'm the guy who makes airline seats so comfortable.

Re: The problem with systemd

[jeremyp]

open it with a hex editor and change all the nuls to something else.

Re: The problem with systemd

[F.Ultra]

And you can create a program that reads and opens a corrupted journal file as well since the format is open.

Re: The problem with systemd

[F.Ultra]

Yes that is one of the major drawbacks of using a binary format for anything. There are upsides as well and speaking for myself since I have yet to encounter a corrupted logfile by either syslog or journald I find the upsides outweighing that downside.

Re: The problem with systemd

[F.Ultra]

Perhaps you should examine why you experience so much corruption then. I've run journald for years now on lots of servers and have not to this day experienced a single corruption, and that is with servers that create GB:s of logs each day.

Re: The problem with systemd

[F.Ultra]

So they ninja:d their way into your servers and put shitty drives in them or what?

Re: The problem with systemd

[F.Ultra]

Don't know, better yet but doesn't any of my machines show any of this corruption if it's caused by journald? And I run some servers with several millions of rows of logs per server per day, but not a single corruption.

Calm down. Don't panic.

Yes, it's a typical systemd boo-boo: it's just because systemd (the project) wants to absorb the resolver, after having absorbed (hardware) event management, device management, (user) session management, yadda, yadda.

(Disclaimer: I neither like not use myself systemd. And I'm a happy user of Debian. Yes, it is possible).

*But*: systemd-resolved is an *optional* part of the whole thing. And in Debian, for example, it is disabled by default.

So. Just disable systemd-resolved until the problem is... resolved. Pretty normal bug, I'd say. And this "for two years" part is extra scare mongering. If you've been running **bleeding edge** versions of systemd (not your usual, boring distro), then you might have been vulnerable. But then, hopefully, you'll have known what you were doing.

So... don't panic.

Like systemd? Continue using it. Don't enable -resolved until told so. Don't like systemd? Don't use. And oh, be nice to each other.

Re:Calm down. Don't panic.

[KiloByte]

So. Just disable systemd-resolved until the problem is... resolved.

I'd heartily recommend running local unbound -- it provides a sane, RFC-compliant, secure, fast, DNSSEC-validating, ISP-bogosity-resistant resolver.

Re:Calm down. Don't panic.

[dbreeze]

"And oh, be nice to each other."
Newbie ACs are just adorable, ain't they?...

Surprised?

[MrKaos]

No.

Re:Surprised?

[gweihir]

Surprised it took so long to find something _this_ bad. But likely all the really competent people are not using systemd and hence have no reason looking at its code or fuzzying it.

Dupe

[lobiusmoop]

Story from 5 days ago

From all of us Linux greybeards:

[Gravis+Zero]

We told you so.

Re:From all of us Linux greybeards:

[Gravis+Zero]

systemd is broken by design, and despite offering highly enticing improvements over legacy init systems, it also brings major regressions in terms of many of the areas Linux is expected to excel: security, stability, and not having to reboot to upgrade your system.

Don't be dense.

Re:From all of us Linux greybeards:

[Tranzistors]

Thanks for actually saying what you "have been saying". But "not having to reboot to upgrade your system" until very recently has not been true for Linux kernel.

Re:From all of us Linux greybeards:

> greybeard
> six digit uid

Re:From all of us Linux greybeards:

[Barsteward]

show us any useful software that has never had a bug......

Re:From all of us Linux greybeards:

[Gravis+Zero]

There is a tremendous difference between a bug and a remotely exploitable bug.

Re:From all of us Linux greybeards:

[Gravis+Zero]

security and stability are what's important. rebooting to upgrade is just annoying. Being insecure, unstable and annoying isn't exactly a winning combination.

Re:From all of us Linux greybeards:

[segedunum]

Funny. I'm not seeing any arguments here. Only a whole load of psychological issues about how the whole world is so bitter and twisted against systemd.

Re:From all of us Linux greybeards:

[guruevi]

SysV never had a "remote access" bug because it didn't have remote access. Not sure why an init system has TCP capacities. This is typically what you'd find in Windows (and systemd).

Re:From all of us Linux greybeards:

[Bing+Tsher+E]

Believe it or not, credibility does not depend on the size of one's UID on a blog that started in 1998 or so. It's a big world out there.

At times this place stinks so badly that throwing away an account and leaving for six months before coming back anew is the only solution. There are plenty of people who have better things to do than fight and argue on forums.

Now, people who consistently have remained Slashdot loyalists, who have slurped down the Mae Ling Mak/ Natalie Portman/ Hotgrits spam since the beginning... well, anyhow.

Re:From all of us Linux greybeards:

[ArchieBunker]

This is the tip of the iceburg. Just wait.

Re:From all of us Linux greybeards:

[Opportunist]

Yes, that's the big issue here. We finally got rid of rebooting woes that would threaten our e-peen in the form of the numbers in /proc/uptime (because every halfway critical system only exists on a single machine and is not behind a load balancer or at the very least a hot standby, which makes rebooting a critical downtime matter that could threaten the 99.99999999999% availability the SLA promises).

What's a few bugs that allow remote code execution in return?

Re:From all of us Linux greybeards:

[Opportunist]

Wrong question. The right one is "is there any software that could be used instead that has fewer critical bugs?"

Re:From all of us Linux greybeards:

[I'm+New+Around+Here]

Exactly. I am on my third account on slashdot. Mainly because i was logged in on a computer before, that I no longer have access to. Same with email address to reset forgotten password. Solution is to make a new account.

Re:From all of us Linux greybeards:

[Wolfrider]

> greybeard
> six digit uid

--We told you so!!

/ had a bird named Greybeard once
// kinda miss him

Re:From all of us Linux greybeards:

[F.Ultra]

systemd does not have TCP capacities either. systemd-resolved which is a DNS resolver does of course since it would be strange to have a DNS resolver without network capacities. So systemd have not had a remote access bug either, systemd-resolved had one, and so have dnsmasq, bind and many other DNS resolvers.

Re:From all of us Linux greybeards:

[Bing+Tsher+E]

I have a list of Slashdot IDs that I can no longer retrieve a password from, because of old email addresses I no longer have. Some of them I really wish I could go back to using instead of this. But this one works.

Re:From all of us Linux greybeards:

[segedunum]

It is not a lie I'm afraid. The argument is that there is *too much* in PID 1. PID 1 should spawn other process and be done. That's it.

Re:From all of us Linux greybeards:

[strikethree]

show us any useful software that has never had a bug......

Defend yourself sir.

The problems are not the bugs. The problem is what is CAUSING the bugs. The "We told you so" is addressing the CAUSE of the bugs, not the individual bugs themselves.

So you need to defend why your comment is not an outright troll because that is EXACTLY what you are doing whether you realize it or not.

Even Windows isn't this bad

When I first read about systemd I thought it was a knock off of the NT service control manager. Except on Windows, that's all it does. It controls services. It starts and stops them. And manages dependencies. And that's it. It doesn't take over the fucking world and try to control everything in the OS. I think this is where systemd lost its way. It's a sad day when we look to Windows as the example of "does one thing and does it well" and not the whole fucking kitchen sink.

Re:Even Windows isn't this bad

[SharpFang]

Systemd's extra promise was *optimization* of startup.

It was meant to be achieved through creation and binding of sockets: Service X must wait for service Y to start and create a start up, because X needs to bind to a socket Y creates. It won't be using that socket in a while yet, but it can't initialize without that socket present.
What systemd does is create that socket so that Service X can bind to it right away, and proceed with startup, and once Y arrives at the point of creation of the socket, it's bound to the socket Systemd created. There, instead of sequence of complete startups of services, which is lengthy, you have only sequence of socket binding, which is fast, and parallel startup, which is fast too.

This is a neat idea which breaks upon meeting the reality.

Because not everything uses sockets. Not everything can start up with the socket merely present, some need it for real right away. Not everything is structured the way systemd envisioned it; some applications aren't just monolithic executables, but e.g. lengthy shell scripts repeating hundreds of calls to a given executable with different parameters (e.g. iptables). They just don't fit that idealized framework.

And so, the framework does what a framework with overinflated ego author does. Including the crap part.

Re:Even Windows isn't this bad

[Bongo]

That's interesting. I haven't followed the systemd controversy, but as you put it, it is a design idea that should have been toyed with for a few days and then thrown in the trash, just as *most* new ideas should be thrown in the trash. Most new ideas don't work.

"We judge people not by the quality of the ideas they put on the wall, but by the quality of ideas they throw in the trash." -- some professor.

Re:Even Windows isn't this bad

[SharpFang]

That is doable but very cumbersome. You'd need a central makefile for the whole system, and adding or removing anything would require a rebuild.

Gentoo isn't exactly everyone's favorite, and this would make Gentoo's level of problems pale by comparison.

Note it's not just about ordering the startup, it's about fulfilling all the requisites with 'dummy' interfaces until the provider of what the 'dummy' is for starts up, then transparently substituting. "Want to write logs but syslog still didn't start? We provide a queue that will store your logs until syslog... uh, wait, syslog can't do this that way. Welp, fuck syslog, here's our journald, and it has binary log files which are superior because we say so."

I don't quite see how just makefiles could solve that.

OTOH I really don't see the problem with delaying the startup by literally several milliseconds to let syslog start, instead of ripping it off and replacing with something everyone hates. Simply put, some optimizations are definitely not worth the cost.

Re:Even Windows isn't this bad

[SharpFang]

My guess is it's the sunken cost fallacy - in the beginning they didn't realize just how many flaws their idea had, and once they got the thing running initially, they would not admit the failure (ego problem).

Re:Even Windows isn't this bad

[gweihir]

Incidentally, Solaris SMF does pretty much the same. And it can still deal with old-style init-scripts. Not saying it is a really good solution, but it does at least not fall for the absolute beginners mistake of writing a "Master Control Program" that does everything.

Re:Even Windows isn't this bad

[SharpFang]

heh. It IS important in Linux for embedded. You switch your Linux toaster on, or whatever you have running Linux, you want it up and toasting in 10 seconds max.

But the approach is totally misguided because Systemd alone adds so much overhead any benefits it might bring are lost on time spent loading Systemd, all its configurations and dependencies. The actual approach is init with custom inittab consisting of 5-6 lines that start only the bare essentials you need. Systemd is the kind of cure that is worse than the disease.

Re:Even Windows isn't this bad

[tirnacopu]

No it doesn't - referring to Windows. The most popular tool you hear of when automating NT systems is PsExec, and that one uncovered to the world an always-on, separate from SMB/CIFS, publicly available file transfer and command execution channel that I shamefully admit at the time, after years of MS servers management, had never heard of: http://techgenix.com/psexec-na...
The author - Mark Russinovich - went on to a technical leadership position within Microsoft itself.

Re:Even Windows isn't this bad

[ausekilis]

Note it's not just about ordering the startup, it's about fulfilling all the requisites with 'dummy' interfaces until the provider of what the 'dummy' is for starts up, then transparently substituting. "Want to write logs but syslog still didn't start? We provide a queue that will store your logs until syslog... uh, wait, syslog can't do this that way. Welp, fuck syslog, here's our journald, and it has binary log files which are superior because we say so."

Put this way it sounds like systemd is to init what GUICE is to Java. Lets create some stub interface for all services that doesn't actually do anything until we can spin up whatever it is that's supposed to go there. It can be very powerful to do this sort of dependency injection in user space and have things like circular dependencies resolved automagically. I haven't had many issues with systemd on any of my personal systems, but I may be a over 3 sigma from the mean.

Though I do have to question the logic of bringing a Java-like idea into kernel space.

Re:Even Windows isn't this bad

[F.Ultra]

Since when has the service control manager in Windows "done things well"? It's a complicated mess that you need 3d party tools just in order to add services, dependencies are hell to setup and you need special code in your application in order to run as a system service; why only have main() when you can have ServiceMain()!

Re:Even Windows isn't this bad

[F.Ultra]

The problem is not having to wait a few ms for syslog to startup, the problem is that syslog have dependencies (like i.e access to a file system) that needs to be up before it can be started and thus everything that logs before that is missed unless something else does it.

And journald is not something that "everyone hates", some people here on Slashdot does yes, but there are lot's of people out in the real world who uses it and prefers it to the old syslog. I was myself quite sceptical when journald was announced with binary files but now that I've used it for some time I do realise that there are things it does and that it does well that would be just impossible or extremely complicated to do with the old syslog text format (i.e that the journal catches all output from stdout and stderr and joins it with the syslog output by adding the unit name in the meta-data, or that you can search for all logs produced by a special unit without accidentally get logs from other applications mixed in due to them matching the same grep pattern).

Re:Even Windows isn't this bad

[drinkypoo]

It can be very powerful to do this sort of dependency injection in user space and have things like circular dependencies resolved automagically.

Saving a second or two on boot time (hey, maybe as much as five seconds, wow!) might be important while you're starting up short-lived VM instances, but it is completely, utterly, and in all other redundant ways irrelevant when it comes to actual, physical computers. They tend to waste more time in POST than you could ever possibly save by optimizing boot. So while systemd might actually make good sense specifically for short-lived VMs, it makes less than no sense for desktops, laptops, servers, media centers, or really any other kind of PC. Most of the time we don't even turn those off any more! We just let them drift off to sleep when we're not using them, and they wake up in much less than boot time when we want to start using them again.

Re:Even Windows isn't this bad

[drinkypoo]

(i.e that the journal catches all output from stdout and stderr and joins it with the syslog output by adding the unit name in the meta-data,

if I want all the output from a daemon, I can have that without systemd. I just stuff it into /var/log/.

or that you can search for all logs produced by a special unit without accidentally get logs from other applications mixed in due to them matching the same grep pattern).

If I want that functionality with syslog, I just log that group to its own file. Then I can search just that file to get only logs from that group. Done and done. Though actually, the only Linux machines I have running 24x7 are actually using busybox's syslogd, which I don't think has that functionality. I don't need it, so why bother to have it? The systems in question are very low-memory.

Re:Even Windows isn't this bad

[SharpFang]

it's good at managing dependencies and starting/stopping services on demand (you've got to admit it was a mess before; init.d scripts often not following the standard format) but it could do this without hijacking half of the OS.

Re:Even Windows isn't this bad

[gustygolf]

That is doable but very cumbersome. You'd need a central makefile for the whole system, and adding or removing anything would require a rebuild.

I believe the GP meant that make(1) is to work as the dependency resolver of init scripts. Because that's what make(1) is: a way to run arbitrary commands in dependency order.

He did not mean that the init system should involve compilation. (I think. I'm no mind-reader. I could be wrong.)

Re:Even Windows isn't this bad

[F.Ultra]

Sorry, forgot that what you need should dictate the need of any other admin out there. So easy to forget such little details.

Re:The real problem is systemd haters

[Tranzistors]

If you want to publish fan-fic about how “the left” victimize software developers, there are more appropriate places, like dedicated fan-fic sites for all tastes, however bizarre.

How unexpected.

Considering Potterings track record writing shoddy software I can't say I'm surprised. After all it's been quite clear for a long time that he has all the qualities someone writing code like that shouldn't have, like being arrogant, ignorant, careless and cavalier and none of the ones you'd want to see.

What I'd really want to know though is; Who the hell, considering his track record with PA et al, thought it was a good idea to let him loose on system critical components? But maybe the more pertinent question is, why is anyone going anywhere near it? I know, "because Red Hat", but that doesn't explain why there apparently isn't anyone there with a working brain. Is it really that important to become "not Linux/UNIX" so you can sell training courses, support, certifications etc? Depressing.

I think we're going to see a lot more critical bugs in the lennartware parts of the system, and if I were a black hat that's where I'd start looking.

Re:How unexpected.

[gweihir]

I have pretty much the same question. I do not go anywhere near that failure of a software project myself, and neither does my employer. But most people do not seem to have a clue what the problem is and that is a rather serious problem in itself.

Re:How unexpected.

[Opportunist]

and if I were a black hat that's where I'd start looking.

Say what you want, I call it job security. Now that MS gets its act together and their OS becomes nearly useable, now that even Adobe starts to catch on that buffer overflow doesn't mean that the toilet is backing up, we in security have to look for new stuff we can wank over, I mean, hold talks about at security conferences.

And this is a gold mine.

Old News

This is old news, why don't you publish that story how "Principal systemd developer refuses to acknowledge serious security vulnerability where processes that request to be run as unprivileged user, run as root because Lennyboi does NOT like them start with zeroes! And POSIX be damned, Lenny knows better!"

Re:Old News

[AmiMoJo]

Okay, let's look at this bug.

It requires existing root access in order to create a new user. So if someone exploits it, you are already fucked.

You say it goes against POSIX. This is true, but so does Linux. So do some of the GNU tools. Somehow that's okay, because strcmp("systemd", "linux") returns a non-zero value in your mind.

What is your argument that it shouldn't be fixed in the various user account management tools rather than in systemd?

Re:Old News

Well, POSIX allows usernames that start with a digit. In fact, systemd reads it as a uid. If you would make a used called 1user it would be executed under uid 1, whoever that may be. Seems harmless, you need to be root to exploit it, however some continuous integration systems have a user account named 0day, which is used to run the latest test build. This has accidentially happened as root due to this bug.

Re:Old News

[Bing+Tsher+E]

Are you a paid 'Red Hat Community Manager'?

Because you stick like shit to all the most poignant criticisms on here about systemd.

"You're doing a hell of a job, Brownie."

Re:Old News

You're too stupid to understand this. The vulnerable vector is not someone creating a user on your system. The vulnerable vector is not someone installing a unit file without your knowledge.

The vulnerable vector is in TIRED admin typing User= and accidentally starting it with 0. The vulnerable vector is process intended to run unprivileged, running as root.

AND WHY?

ONLY BECAUSE the systemd developer is too arrogant to admit his little shit of a product parses values wrongly.

* Forget POSIX
* Forget whether useradd or shadowutils may or may not allow creating usernames that start with 0
* Forget politics, reasons, distros
* Forget EVERYTHING except ONE little thing: "0string" is ** NOT ** a valid integer value, so don't treat it as one.

Your shitty little parser is WRONGLY parsing the value of User= field. It does not take the WHOLE value in consideration but only the numeric part of it. There is not a single situation where you'd want your program to do that. Absolutely no excuse, no use case, nothing, where "0day" is taken AS A VALID NUMBER 0, regardless how it got there.

garbage-in = garbage-out. That makes systemd a GARBAGE DISPENSER, because it allows garbage-in without validating it.

Re:Old News

IF IT DID take the whole value into consideration then it would realize that the value given is NOT 0, but "0day" and would conclude (arrogantly or not) that "0day" cannot be a valid username.

What does systemd do when you put User=inexisting-user ?

It FAILS, it does not start the process. So, parsing "0day" as string and not a number it would conclude that "0day" cannot possibly exist, and it would FAIL.

THAT is acceptable (if you ignore POSIX). Running as root is NOT acceptable.

Re:Old News

[aardvarkjoe]

It requires existing root access in order to create a new user. So if someone exploits it, you are already fucked.

Not really. A really obvious way to exploit this: say someone manages to compromise the repository of a project that has a decent chance of being run by a "0day" user (apparently fairly common in some circles.) They add some code that opens a backdoor if the tool is run as root. A user downloads this software, installs it as the "0day" user, and then installs a completely innocuous unit file to start the tool as that user. At this point, the user would expect that damage would be limited to the user he had created if there is malicious code in the tool, but because Poettering doesn't believe in fixing problems, instead he just gave root access to the malicious tool.

Re:Old News

[AmiMoJo]

So in order for this to work, we have to have a security outfit running as user "0day", a username that is illegal on Linux but apparently some buggy tools allow, and a compromised project... And somehow this is the fault of systemd, not the broken tools that allow you to create illegal user names.

Re:Old News

[aardvarkjoe]

we have to have a security outfit running as user "0day", a username that is illegal on Linux but apparently some buggy tools allow,

You're asserting this over and over again with no proof. Point us to the documentation that shows that such usernames are illegal.

Re:Old News

[chihowa]

"0day" is not an illegal username. You don't even any need "tools", beyond a text editor, to legitimately and legally create users on Linux.

Systemd only considers it to be illegal because they don't want to bother correctly parsing and validating strings and yet still want to use a common field for string or integer input values.

Re:Old News

[AmiMoJo]

http://www.unix.com/man-page/l...

See your NAME_REGEX in /etc/adduser.conf

Re:Old News

[aardvarkjoe]

That page says:

It is usually recommended to only use usernames that begin with a lower case letter or an
              underscore, followed by lower case letters, digits, underscores, or dashes. They can end
              with a dollar sign. In regular expression terms: [a-z_][a-z0-9_-]*[$]?

Note the use of the word "recommended." Not "required", or "mandatory." You're misinterpreting a convention as an actual rule.

Re:Old News

[Qzukk]

where "0day" is taken AS A VALID NUMBER 0,

That's not the error here, the error here is that "0day" is ignored, leaving the service to run as the default user "root". It could just as easily been "3day" or "nоbody" and the service would have run as root.

Re:Old News

[serviscope_minor]

Double also, Linux as a system isn't really defined by anyone. The only people who get to say anything official about Linux itself are the kernel people, as it were. There really isn't an official truth for the userland tools.

Re:Old News

[sjames]

I don't know about AC, but I can name a few reasons. First, systemd is the noob, it's up to it to fit in with existing systems which may already have user names it doesn't like. Or it should at least not create an accident waiting to happen (that is, at least fail clean).

Second, any software should be liberal in what it accepts and strict in it's output. I suppose that's an argument that it be fixed in systemd AND the other utilities. Robust systems should deal in a reasonable way with illegal but not actually impossible situations.Surely system init should be robust.

Re:Old News

[chihowa]

Linux, the kernel, doesn't care about usernames at all and only deals in UIDs, which would be the most portable and simple way for systemd to handle this, using the name-to-UID mapping found in /etc/passwd.

This talk attributes the picky behavior of adduser to working around other flaky userland tools' conventions, like chmod's "username.groupname". The no leading numbers rule is certainly not written anywhere that I've found besides the adduser manpage.

As far as POSIX is concerned, usernames can be any of the portable character set [A-Za-z0-9_-.] but can't start with a hyphen.

3.426 User Name
A string that is used to identify a user; see also User Database. To be portable across systems conforming to IEEE Std 1003.1-2001, the value is composed of characters from the portable filename character set. The hyphen should not be used as the first character of a portable user name.

Re:The real problem is systemd haters

[Gravis+Zero]

the fuck are you talking about? what does politics have to do with shitty software development?

No, its not a pretty decent idea

[Viol8]

"centralized place to optimize startup, management and interconnectivity of all kinds of services."

Sorry, thats not how its done in Unix. We don't want a huge monolithic application as init since that brings a huge attack surface to the most important process in the OS, not to mention a bug in a service that doesn't belong there potentially bringing down the entire system.

Re:No, its not a pretty decent idea

[Tranzistors]

We don't want a huge monolithic application as init since that brings a huge attack surface to the most important process in the OS

Perhaps we need to get rid of Linux kernel as well. But seriously, to reduce the attack surface, just disable unused services (the article even points out that Debian has systemd-resolved disabled by default). systemd is modular.

Re:No, its not a pretty decent idea

[Barsteward]

Where do you think this service lies? Do you think its running in PID1? It might be a good idea to find out where systemd_resolved runs in the system. No matter how many time people peddle the lie that "systemd is monolithic", it does not make it true. If you don't want a monolithic software on your system, you'd better remove the kernel and install Hurd.

Re:No, its not a pretty decent idea

[cheesybagel]

Disable unused services? Like DNS in this case? Good luck using your computer to browse the web without it.

Re:No, its not a pretty decent idea

systemd is modular.

Yes, so modular.

Re:No, its not a pretty decent idea

[SharpFang]

There was a centralized place to perform startup: init. There was no optimization of startup at all. Optimization is arguably desirable, and it makes sense to include it.

There was a zoo of interconnectivity methods that everyone hated, and it broke at a lot of points. A unified interconnectivity hub is desirable. Also, the process of optimization of startup required it. (although it *might* be done as a separate service.)

Management was also a loose recommendation of what boiled down to including start), stop) options in the init scripts, sometimes adhered to, sometimes not really.

There was also the dependency tree, which was non-obvious, easy to break and hard to fix (plus far from unified) - the dependencies were usually embedded in the dependency tree of whatever package distribution system given distro used, and once deployed, finding what requires what usually boiled down to "disable something and see what else breaks." A dependency tree within the startup system is a good thing.

But that's it. Dependency, startup optimization, management (start/stop/reload on demand, bring system to given state/runlevel.) And interconnectivity, which could be delegated to a separate demon. This is a good set for a unix demon should be able to do. All the rest of systemd does is bloat.

Re:No, its not a pretty decent idea

[Viol8]

Bash scripts have one syntax and bash is pretty well debugged now.

Re:No, its not a pretty decent idea

[TheRaven64]

Perhaps we need to get rid of Linux kernel as well.

Well, that would make the BSD advocates happy...

More seriously, the biggest Linux vendor (Google) is currently doing that and moving to their Magenta microkernel, which can run a lot of things in userspace at a lower privilege level. Even within the world of monolithic kernels, a lot of things are moving out of the kernel (ironically, for performance reasons: the same reason that they moved in there in the first place). GPU drivers are now almost entirely userspace: the kernel component maps device registers into a process' address space, manages the IOMMU so that memory is shared between the GPU and the process, and then largely gets out of the way. High-end network cards have done this for a while, but NetMap (in the default kernel on FreeBSD, available as patches for Linux) lets most NICs expose send and receive queues directly to userspace so that you can bypass the kernel network stack for very high performance networking with specialist workloads (there's a good chance that the last time you queried a DNS root server the response came from one of these). FreeBSD and XNU do low-latency sound mixing in the kernel, but most other systems do it in userspace. Most *NIX systems have a ugen device type that makes it easy to implement userspace drivers for USB devices and these are commonly used for MIDI and a number of other device types (for example, webcamd uses this to implement a load of webcam drivers in userspace). FUSE has allowed moving some filesystem drivers out of the kernel.

Some drivers are moved out because they don't care about performance (the computer is so much faster than the device that latency from an extra context switch doesn't matter) and the isolation is a win. Some are moved out because they really care about performance and the extra context switch to the kernel costs too much, and they're typically very complex so moving the untrusted code into userspace makes more sense. In both cases, there's a general trend towards having less stuff in the kernel.

Re:No, its not a pretty decent idea

[thegarbz]

Disabling a service in systemd does not cause the entire system to stop using it and does not prevent you installing an alternative. Just like that small virtually unknown distribution called Debian that the GP referenced.

Re:No, its not a pretty decent idea

[thegarbz]

Sorry, thats not how its done in Unix.

You'll be happy to know that systemd doesn't run on Unix. Also most computer users don't give a shit about philosophy[1]

1: See Microsoft end users.

Re:No, its not a pretty decent idea

[segedunum]

'Unix' is used in this case to reference a particular philosophy of many small, decoupled systems doing specific jobs. Linux systems, and other 'Unix' derivatives, have followed that philosophy. systemd is a very sharp departure.

Re:No, its not a pretty decent idea

Well, that would make the BSD advocates happy...

No, not at all. We need Linux, if only to keep people like Poettering and the whole "it's shiny, we need it!" crowd away from BSD.

Re:No, its not a pretty decent idea

[cstacy]

We don't want a huge monolithic application as init since that brings a huge attack surface to the most important process in the OS

Perhaps we need to get rid of Linux kernel as well.

Yes we ought to.
Legacy inertia, and efficiency, are the reasons that getting rid of monolithic kernels has not been popularized.
Both of those problems can be overcome with time and resources.
As compartmentalization and virtualization become even more important in the future, that's how things are going to shake out.

Re:No, its not a pretty decent idea

[strikethree]

Perhaps we need to get rid of Linux kernel as well.

Funny that you should mention that... The main difference (re monolithic) between SystemD and the Linux kernel is that the Linux kernel is generally stable and well written... but yeah, we actually do need to get rid of the monstrosity that is known as the Linux kernel. Let me know when you find or create something that is a worthy successor please.

What? Did you think Linux was a religion? lol

Re:No, its not a pretty decent idea

[gweihir]

Very much this.

Re:No, its not a pretty decent idea

[gweihir]

Microkernels have been tried. At this time, they are inferior in several regards, except for special situations. When that changes, the Linux Kernel will likely undergo some major architectural revision. The same is not true for init-systems. You seem to have no clue what you are talking about. Pretty typical for the systemd-proponents, I have to say. All belief, no facts.

Re:No, its not a pretty decent idea

[SharpFang]

The idea with microkernels is that almost all modules are optional, loosely coupled, and the system loads only what it needs.

Systemd, under guise of modularity, is composed of a set of tightly tied modules which have so many cross-dependencies between each other the whole thing crashes and burns if you remove a single one.

Re:No, its not a pretty decent idea

[SharpFang]

instead of dozen towns to surround with city walls, you have a single continent to secure...

Re:No, its not a pretty decent idea

[jon3k]

systemd can either be modular or "one place you need to secure". So, systemd proponents, which is it?

How it's structured between modules when there are no alternatives to those modules and they are all interdependent on one another makes that a philosophical debate, not a practical one.

Re:No, its not a pretty decent idea

[JonJ]

That gambit already didn't work. pkgng (bloat, too clever by half, unstable, arrogant developers

Yes, because if it's one thing the BSD camp lacked, it was arrogant developers.

Re:No, its not a pretty decent idea

[phantomfive]

Also most computer users don't give a shit about philosophy[1]

May those people remain far away from us.

Re:No, its not a pretty decent idea

[cheesybagel]

That is only until it becomes mandatory much like systemd itself.

Re:No, its not a pretty decent idea

[thegarbz]

Systemd is mandatory? That must be news to the many distributions which don't use it.

Re:No, its not a pretty decent idea

[Tranzistors]

My point was that systemd is modular. It is an umbrella term that encompass init system itself, logind, journald, udevd and other daemons and utilities. I personally don't care much about monolith vs. modular meta discussion, since those are vague terms to begin with and each approach has problems of its own, therefore I tend to discard opinion that can be summed up with “project X should be modular/monolith”, unless they have actually worked with the software and the architecture has limited them somehow.

That being said, have you written software for systemd or used its API? If so, what were the issues that would have been solved by further modularization? Have you contacted systemd team (yes, there are many) about the issues? If so and they didn't buy your case, what were the reasons for rejecting proposal?

If you have had issues with administrating machines running systemd, what issues were there because of “monolith design”? The parent “Viol8” was concerned with attack surface, but in this particular case the surface attack could be easily reduced by disabling the service.

Re:No, its not a pretty decent idea

[segedunum]

Alas, many people have warned of these types of things surfacing with systemd's sprawling feature creep. This is only going to get worse, despite your desperate protestations. The code, and the attitude towards security problems, is exactly the same regardless of where it sits in systemd's monolithic mess.

not the init, and it doesn't affect Debian

[Phil+Hands]

The summary misleadingly opens with "systemd, the init system", whereas what we're talking about is "systemd-resolved, a part of the SystemD project" (or some such -- I'm a bit vague about the capitalisation TBH).

Anyway, the point is that this bug is not in the init code.

On Debian, we don't even execute this code by default.

So, if you see red and start screaming whenever you see the sequence of characters: s y s t e m d then I'm sorry if you're still reading this, but perhaps you should consider calming down long enough to notice that systemd is both the name of the init program, and the project that also includes a lot of other bits and pieces that are not even needed quite often, and can generally be run without having systemd running as init.

Re:not the init, and it doesn't affect Debian

[Viol8]

"that are not even needed quite often, and can generally be run without having systemd running as init."

I don't think anyone is in any doubt that once systemd has the option to run a service most of the bleeting distro maintaining sheep use it. It won't be long before it becomes the default resolver on most of them.

Re:not the init, and it doesn't affect Debian

[Barsteward]

You are not expecting the trolls to understand that, are you?

Re:not the init, and it doesn't affect Debian

[KiloByte]

On Debian, we don't even execute this code by default.

But Ubuntu does. And the other security hole mentioned in the article does apply to Debian.

As for systemd being more than just an init: the problem lies in it replacing a large set of modular projects with an entangled blob. For example, vdev is an (experimental for now) replacement for udev that fixes a number of design problems, yet good luck using it on a systemd system.

As for running systemd without it being init: systemd-shim is dead, and it was flaky to the point of uselessness even while it lived. You need to recompile the Utopia stack to enjoy basics we used to take for granted like being able to shutdown or suspend from a GUI.

People have tried carving out pieces of systemd to use them separately, like uselessd, yet all such attempts I know of ended in failure because of systemd's blobbiness.

Re:not the init, and it doesn't affect Debian

elogind is alive and well

Re:Software is shite

[Barsteward]

you don't have to... roll your own if you are capable or go to a distro that doesn't use it.

Clearly

This is why you shouldn't use Windows when... OH WAIT.

I expect nothing less from Poettering

Remote exploits in critical system services? I expect nothing less from the PulseAudio creator.

If you're not familiar with smoke any mirrors from the SystemD PR king, then perhaps these inherent flaws in his projects comes as a surprise to you. But for years a handful of people tried to put the brakes on Poettering and his cronies from hijacking Linux and turning it into his egotistical vision of desktop Unix.

We have failed.

Re:I expect nothing less from Poettering

[thegarbz]

We have failed.

Oh please. This didn't even qualify for a catchy name that other Linux bugs get. Give yourself a hug and pull yourself together.

I don't think anyone is asking for that.

Even though systemd is built as a pile of horseshit to make Linux more like Windows for system builders (not maintainers), this is an issue which any program could have. If some fixing of this causes more bugs elsewhere in systemd to be created as a consequence of fixing this one, THEN that is a good reason to tar and feather poettering, because the design itself is creating bugs that could have been avoided if the system had been designed without monolithic integration. That said, if finding or fixing this bug was made harder because of the deliberately obscurant and monolithic design of the system, that would institute another reason for getting out the feathers and adhesive.

Re:I don't think anyone is asking for that.

[Type44Q]

feathers and adhesive

Ever gotten glue on your hand? Ever gotten hot glue on your hand?? It's called tar for a fucking reason.

Re: Now it becomes clear...

See, this is textbook example of systemd apologists having zero clue about the software they praise.

Is the INIT part of systemd and PROCESS MANAGEMENT "simply better"? Maybe, probably (with the exception of it ignoring invalid values instead of failing to start, like this 0day issue).

But how on gods goddamned earth is reinventing a DNS recursor, which btw is not RFC compliant (per the developer's OWN words it might NEVER be compliant because that idiot has no clue what resolvers really are), any BETTER?!?! It is not better. It is far worse. They're reinventing something they do NOT properly understand and in the process introduce NEW bugs and insecurities, and reinvent OLD bugs that proper resolvers have gone through in the past decades.

Maybe if you would LEARN what systemd really is inside, maybe then you'd see it's a steaming pile of shit that has LONG gone beyond being an init replacement.

Better distro suggestions?

[AHuxley]

Anyone like to list some OS that are can help avoid all this?

Re:Better distro suggestions?

[fnj]

That's easy. FreeBSD! It is POSIX, UNIX philosophy through and through, and not only completely free of Poetteringitis; it's free of all immature and incompetent vanities and warped design crazes.

Re:Better distro suggestions?

[Opportunist]

IIRC BSD looks quite promising the more I look at it. Together with the features of ZFS... I still don't get everything about it (and if this was Slashdot a decade ago I'd add "but I'm sure there's someone around who does and can write a lengthy novel about it") but it looks like something I could move to in the foreseeable future.

Re:Better distro suggestions?

Sure!

Gentoo supports its own OpenRC by default, but has a systemd-specific profile and a general profile for other inits like runit, s6, daemontools+sysvinit, etc. It's one of the few distros left that respects the choices of the user. Other forks of it (Exherbo, Calculate, Sabayon, Funtoo) are similar in their defense of choice and putting the user in the driver's seat.

Devuan is a continuation of the Debian project that explicitly forbids systemd and will do nothing to support it. They recently hit a 1.0 release, so they're gaining more steam and momentum than naysayers assumed.

The BSDs do not have Linux cgroups, so they don't support systemd, which is Linux-only. I do believe there was talks of creating a tool that would work with systemd unit files, but I've not heard much about it since then.

More can be found at:

http://without-systemd.org/wiki/index.php/Main_Page#Free_and_Open-Source_.28FOSS.29_operating_systemswithout_systemd_in_the_default_installation

But generally, if a distro is popular, it's going to run systemd because Mr. Poettering also happens to be a GNOME Foundation member and pushed systemd as a blessed dependency:

https://mail.gnome.org/archives/desktop-devel-list/2011-May/msg00427.html

And here's proof of that functionality's agenda, in code, a year later:

https://cgit.freedesktop.org/systemd/systemd/commit/?id=6bae23a0388dd077fee99e83e161d297c3e2b768

Also note that he has openly trolled Gentoo developers in the initial push for kdbus, saying "Gentoo folks, this is your wake-up call."

https://lists.freedesktop.org/archives/systemd-devel/2014-May/019657.html

Without hard deps from GNOME, KDE, and friends, systemd would be on an even playing field with other inits. It was pushed, and pushed hard. The simple fact is no user-facing software should give a shit what init started the system.

No shill can deny the citations, so spread'em and show the world that there *was* an agenda. Particularly, a Red Hat agenda to commandeer Linux from the bottom up. When confronted, shills will deflect and claim that the only legitimate conversation is technical. They know they're crooked, and attempt to control the conversation to avoid discussing their conduct. The free software world should understand by now that social merit is equally important to technical merit.

Re:Better distro suggestions?

[alkyl]

OpenBSD or FreeBSD. I switched my servers to one or the other (depending on the tasks) during the last couple of years and it's working great. Documentation is top notch. Not going back.

Re:Better distro suggestions?

[drinkypoo]

It is also free of vmware and its nvidia support is crap. If you are the freer-than-free type and refuse to use anything with good performance, then this is not going to be a problem for you, but for many people it is a show-stopper.

Also, Linux runs on many, many more devices these days than all the *BSDs put together, even including netbsd. Odds are very good that you're going to have some Linux in your house anyway...

Re:Better distro suggestions?

[strikethree]

FreeBSD! .. it's free of all immature and incompetent vanities and warped design crazes.

That is not entirely true. There is a very strong "Social Justice Warrior" element within FreeBSD and all it would take is for FreeBSD to hit critical mass and those SJW-type people will feel validated and go batshit crazy. Dragonfly BSD or OpenBSD is the way to go... NetBSD is always a further option. :)

One has to hand it to the systemd team

[gweihir]

Remote exploitable bugs in core-Linux are incredibly rare. The systemd team is really going where nobody else has gone before. That is not a good thing at all, of course, because if you do this, you need to have excellent skills, which the systemd team most decidedly does not have. Fortunately, none of my machines or those of my employer needs to be patched, because we have banned systemd early on due to the massive KISS violation it represents. Nobody here is surprised by this bug.

Re:One has to hand it to the systemd team

[Ash-Fox]

Fortunately, none of my machines or those of my employer needs to be patched, because we have banned systemd early on due to the massive KISS violation it represents.

You wouldn't be using the Linux kernel either, since that would be a "massive KISS violation", so what do you run?

Re:One has to hand it to the systemd team

[Ash-Fox]

As KISS basically says "make it as simple as possible, but not simpler", the kernel is actually not a KISS violation.

The KISS principle is "Keep It Simple Stupid". There is plenty of unnecessary complexity in the kernel, just look at udev's implementation for one.

Re:One has to hand it to the systemd team

[F.Ultra]

Does there exist any DNS resolver out that that have not had a single remote exploit? I would say that systemd-resolved is in "good" (should really be "bad") company there and certainly not where nobody else have gone before. A few days after the bug in systemd-resolved where shouted all over the Internet there where a new CVE issued for bind but no one seams to have been as upset about that.

And no, systemd-resolved is not core-Linux, not more than dnsmasq or bind is.

Re:One has to hand it to the systemd team

[gweihir]

Networking is core-Linux. As for any UNIX or UNIX-like system.

Re:One has to hand it to the systemd team

[F.Ultra]

If so then they are far far long away from "where nobody else have gone before".

What a load of bollocks.

The design of systemd is that they all adhere together. Claiming this is somehow not systemd is only slightly less silly than claiming it's not systemd because it's in one of the source files not called "systemd.c".

Re:What a load of bollocks.

The design of systemd is that they all adhere together. Claiming this is somehow not systemd is only slightly less silly than claiming it's not systemd because it's in one of the source files not called "systemd.c".

Nonsense. Systemd is extremely modular, and this is a module specifically not installed normally because it isn't ready.

The second one

[sad_]

The second 'bug' mentioned is far more crazy. The unit file mentions a user that doesn't exist (well, in tfa it is wrongly parsed, even worse), so the default action is to continue as root (instead of supplied user). And this is a good idea because... ??

Why can't this unit action just fail? Wouldn't that be far far better then just deciding to use root, this might cause all kinds of problems. I wonder which other nice surprises and default fall-back action are encoded.

Re:The second one

[dbIII]

In systemd, if a unit fails, the ENTIRE init system fails and your system boots in emergency mode.

And that is worse than allowing full escalation to root in what way?
The problem with that development team is a focus on single user laptops and desktops where it doesn't really matter if the user has full root access. They should be paddling in the shallow pool of MS Windows 10 instead of changing something people want to use for servers.

Re:The second one

[F.Ultra]

Full escalation? You don't start home written unit files in order to contain escalation attacks.

Re:The second one

[Qzukk]

Wow, I'll have to keep that in mind when I'm writing custom unit files for our company's services. No pressure!

Re:The second one

[dbIII]

We are discussing the opposite of containment - we are discussing a newbie mistake (design error not bug) and scope creep that allows escalation.
It's a bit more fundamental than "home written unit files".

Re:The second one

[phorm]

You don't need a home-written unit file, just some other issue that makes a user unavailable on a system (deleted, inaccessible to the underlying authentication mechanism, etc).

For example, a tomcat/apache/etc host where the tomcat or www-data user is missing.

Re:The second one

[dbIII]

Have you thought this through?
Which is better in your opinion, not starting a service if there is a problem with a service or running arbitrary code as root?


Can you see now why it is being called a newbie mistake?

Re:The second one

[phorm]

Not starting the service is the appropriate response in this case, I wasn't arguing that, but rather that it's not just homebrewed unit files that are at risk. A system unit file could also cause privilege escalation if there's issues with the underlying user.

I'd rather have my webserver crap out on startup than run with root privileges.

Re:The second one

[F.Ultra]

That is not how this bug works though. If the user in the unit file is valid from the viewpoint of systemd but no longer found on the system then the unit will not start:

Note that if you specify a valid user name but where the user doesn't exist, then we'll instead fail the service on start, because in that case there's not just something wrong with the syntax the service author used but actually something inconsistent on the system, and that should be considered fatal.

Re:The second one

[F.Ultra]

But this is not how it works, in your scenario the unit would not start.

Note that if you specify a valid user name but where the user doesn't exist, then we'll instead fail the service on start, because in that case there's not just something wrong with the syntax the service author used but actually something inconsistent on the system, and that should be considered fatal.

Re:The second one

[F.Ultra]

But it will only happen on home written unit files. If you where a maintainer and wrote a unit file with the intention of running under user X and #1 ignored the warning in the log and #2 didn't test if it really started as user X then you should think over if you should be a maintainer in the fist place. And with that said how many sysv scripts runs as non root? I would say none does, yes some daemons changes user once spawned if configure to do so but then they would do the very same under systemd regardless of this bug or not.

Re:The second one

[phorm]

Ah, I misunderstood the issue and thus stand corrected:

Unit file has invalid/missing user: breaks and won't start
Unit file has valid user (that it doesn't like): runs as root instead

Still kinda crappy but at least not as dangerous as the first scenario which I had mistakenly imagined might occur.

Thanks for correcting me.

Re:The second one

[F.Ultra]

I agree that it's crappy (just not as crappy as the millions of slashdot comments have made it out to be) and I do hope and think that this will be fixed. I.e I noticed that the bug on github was not closed but closed from public access which means that people within the systemd project can still discuss it internally and LP is not the systemd dictator since they have several maintainers now a days.

Re:The second one

[dbIII]

So? Isn't it better to have DNS or whatever not start than getting 0wned by a script kiddie?

Re:The second one

[F.Ultra]

Reading comprehension much? I did say that in his scenario the unit would not start. And btw good luck getting 0wned by a script kiddie due to this, if you are then you are the same with sysv since all sysv scripts runs as root.

Re:The second one

[dbIII]

There is an incredibly major difference between calling on a service to start as the proper user via a thing running as root and actually running the service as root like the systemD design fault does.
I've got no idea why you are defending this newbie mistake of not checking inputs. Even Lennart pointed out that it's not a good thing to happen - I quoted him in another thread where he was annoyed that a user creation "tool" was allowing such a name.

Re:The second one

[F.Ultra]

I'm not defending him, I'm just not trying to play this whole "systemd will eat your children and rape your pets" scheme that the lot of you are playing at the moment. And this is hardly a newbie mistake, the input is checked and acted upon, it's not a mistake but a deliberate design. In your eyes that might make this worse but the thing is that there will not be a single system 0wned due to this. There will not be a single unit file from any distribution with a username that starts with a zero.

Re:The second one

[dbIII]

I'm just not trying to play this whole "systemd will eat your children and rape your pets"

It's the exact opposite. Criticism, even mild criticism, even when the actual developers see it as a mistake is shouted down time after time by idiot fanboys blowing shit out of proportion. Are you going to act like one of those idiot fanboys or are you going to stop using lines like "systemd will eat your children and rape your pets" in response to a discussion about a real flaw that Lennert also sees as a real flaw?

the input is checked and acted upon

It should be but it is not - that is the problem here. Someone else above provided a link to the bug report. Perhaps you should take a look at it and catch up on the subject being discussed instead of some sort of uninformed rant.

Re:The second one

[F.Ultra]

It's the exact opposite. Criticism, even mild criticism, even when the actual developers see it as a mistake is shouted down time after time by idiot fanboys blowing shit out of proportion. Are you going to act like one of those idiot fanboys or are you going to stop using lines like "systemd will eat your children and rape your pets" in response to a discussion about a real flaw that Lennert also sees as a real flaw?

So you can actually find a single post to this article that contains "mild criticism"?

It should be but it is not - that is the problem here. Someone else above provided a link to the bug report. Perhaps you should take a look at it and catch up on the subject being discussed instead of some sort of uninformed rant.

And from the actual bug report: "The 7oz test was perfect. Clearly the issue is not missing validation - in fact, the safe_atou function does exactly what it should..." and "The real bug is that invalid User= directives are skipped rather than rejecting the whole unit."

Re:The second one

[dbIII]

So you can actually find a single post to this article that contains "mild criticism"?

I wrote several myself as did many others.
What is it with you fanboys?

Re:The second one

[F.Ultra]

So your claims of "full escalation" was "mild criticism"? Still no one have presented a single credible way to exploit this.

Re:The second one

[dbIII]

So your claims of "full escalation" was "mild criticism"

No, it's an term used for a bug where a process ends up running as root when it should not. (https://en.wikipedia.org/wiki/Privilege_escalation)
Why are you going on and on without even knowing what "full escalation" means? WTF is it with fanboys - get a clue before trying to "correct" people who dare to suggest the object of your fandom is less than perfect.

Re:The second one

[F.Ultra]

Because there have to be an active attack that does this for you in order for it to be full escalation, that you start a service as whatever user by mistake is not full escalation unless that mistake was due to some one tricking you into doing it.

Integrate the Linux kernel

[stooo]

>> Perhaps we need to get rid of Linux kernel as well.
Nooo, that's a bit over the top.
We only need to integrate the Linux kernel into Systemd.

Lennart Pottering

[Dunbal]

Guys, this is just part of using a modern operating system. You're just going to have to get used to getting your system pwned.

Meanwhile in Slackware land...

[Noryungi]

- "Uh? There has been another issue with systemd? Really?"
- "Yeah, but anyway, never mind, we have better things to do."
- "Okay."

Slackware: no systemd, sane defaults, no weirdo patches.

Yeah, it works.

Re:Meanwhile in Slackware land...

[slashways]

As a Slackware user myself; Slackware chooses the right path; and follow the good UNIX practices that gives us better securities expectations. Systemd users choose to follow the M$ model; A 'do everything', but a do everything without any concern for the implementation; and the ‘testability’ of the whole code. This gives us, tasks using useless 'root' privileges, functions that can’t be part of a ‘/bin/init’ but are added anyway to Systemd and so on The good move is to remove Systemd. Systemd has no added values and add only new issues.

Re:Meanwhile in Slackware land...

[jmccue]

As a Slackware user myself; Slackware chooses the right path; and follow the good UNIX practices that gives us better securities expectations.

As a Slackware user this is true. I need to use a systemd workstation at work and I get the benefit of random freezes, I cannot even ssh to it. Bringing back my "ptsd" from windows use ages ago :).

At home with Slackware (same hardware), no random freezes, my server only goes down when I loose power (I know, UPS blahblah, someday) and the desktop no issues either.

So that indicates something in the 'systemd' workstation is a bit off.

Re:Meanwhile in Slackware land...

[strikethree]

Slackware was my second distro. My first distro, Red Hat, lasted about two weeks before I had to blow it away (long but interesting story which fits right in with the current dislike of SystemD).

I tried Slackware again in 2013. Still same ncurses issues that existed back in 1997. Installing 32 bit capable software on the 64 bit version of Slackware is... an interesting exercise.

Long story short, I have VERY fond memories of Slackware but it is not a reasonable distribution for me. If/when Slackware dies, I may actually cry. It is the only "pure" Linux distribution left.

Why does Red Hat allow damage to its reputation?

[Futurepower(R)]

Quotes, with minor modifications to make comments more readable, and some text in bold:

"Systemd is a poor idea, poorly implemented, in a project that's poorly managed."

"... sure is wilfully, deliberately, and very gratuitously, incompatible with everyone else. ... That means a big boon in control for Red Hat.

"I doubt Poettering himself understands his role in this, seeing his grasp of architecture, code quality, and so on, so that makes him a 'useful idiot'. He sure does have the personality to pull it off, though. Incompetent arrogance does go a long way, with the right backing."

Systemd, and the poor way it has been presented, had been damaging to Red Hat's reputation ("Dead Hat"). Why did Red Hat management allow that? Is it because Red Hat makes money providing consulting services, and wants Linux configuration to be difficult so that the company will make more money?

Re:Software is shite

[segedunum]

Cognitive dissonance translation: You're stuck with it.

"Intellectually dishonest"

[jgotts]

The last time I criticized systemd I was accused of being intellectually dishonest.

I'm not sure how being a Linux developer and sysadmin both in my personal life and as a paid employee since 1994 could possibly allow me to intellectually dishonest about any subject having to do with Linux. Dishonesty about Linux could not possibly benefit me in any way.

What I said is that systemd started out being very buggy. Admittedly, to paraphrase Linus Torvalds, they shook most of the bugs out and it works okay most of the time.

Except that systemd changed the way everything has worked for decades, and not for the better.

I could go into specific examples, but suffice it to say that virtually everything that systemd has taken over, it is doing that job poorly. Seeing why services didn't work and making them work has gone from a 5 minute job to something that can take hours. Troubleshooting system problems by looking at logs has become arduous in some cases compared to looking at /var/log/messages or typing dmesg and having your answer in 2 minutes.

systemd needs to slim down and focus on what it does well, initializing weird devices. systemd has no business monkeying around with DNS, and that is just the beginning of the list of things it needs to take a step back from.

Call me intellectually dishonest, but I've been working with Linux for 23 years now (I installed Slackware 2.0 in July of 1994 from a stack of floppy disks) and I haven't failed to learn a thing or two along the way.

Re:"Intellectually dishonest"

I started with Unix in 1982.

Systemd fails many of the basic Unix concepts. Small, interconnectable tools, text log files, human readable configurations.

Re:"Intellectually dishonest"

[F.Ultra]

How are the unit files not "human readable configurations", especially when compared with the old sysv init scripts?

Re:"Intellectually dishonest"

[drinkypoo]

How are the unit files not "human readable configurations", especially when compared with the old sysv init scripts?

Because virtually all of the behavior was in the init scripts where you could read it, whereas most of systemd's behavior is in the various daemons, where you have to be able to understand the code to understand what it's going to do when you feed it a simple unit file.

Of course, in order to understand what an init script does, you have to understand shell scripting; but shell scripting is a central feature of Unix which you should understand anyway as an admin, no matter what you are doing with it. Users aren't expected to understand unit scripts any more than they are expected to understand init scripts.

Unfortunately, understanding what systemd is going to do at any given time requires understanding quite a lot of code because of the way it is interconnected, and everyone and their mom has complained about the poor quality of the code and the even poorer quality of its documentation.

init does one simple job. If you need complexity, you can get it in the script, and you can look right at it. If you need more complexity that it is convenient to look at, then you can abstract it away into a script library.

Unit files are human-readable, but they don't tell the whole story of what is happening. It's like trying to understand the deep cultural ramifications of the way language is used in a book by reading the cliff notes.

Re:"Intellectually dishonest"

[F.Ultra]

You make it out to be far more complicated that it really is. Things only get close to complicated if the unit adds dependencies to other events and if that happens then whoever wrote the unit file did so on purpose, and boy o boy would a corresponding sysv script be a mess.

And the code comments I cannot take seriously since the "everyone and their mom" seams to be people who actually never looked at the code nor know how code looks like. I've cloned the git repository and looked at the code when I was wondering a specific thing and had no problem following the logic, but if that makes me some wizard coder then I'm all for it :)

Linux Bad Press..

[sqorbit]

All this negative information about Linux is totally going to kill it as the desktop choice for a majority of users. There goes 2017 as a year of the Linux desktop.

Re:Linux Bad Press..

[Misagon]

Oh, the GNOME 3 developers already did that years ago.

Not only did they foul up GNOME itself, they also took it on themselves to foul up the mainline GTK+ 3.0 toolkit which thousands of non-GNOME 3 applications use.
On the surface, many widgets work really weird compared to how they used to do on GTK+ 2.0 (and how they do on Windows and MacOS as well). For instance, sliders and scroll bars are now practically unusable (for those who still use them with mice and not just scroll wheel).
When you look deeper you will find that they have introduced API changes on minor version numbers without pushing different dynamically linked libraries, thus making programs written for earlier revisions of the library crash or behave in weird ways. Seriously, that is a cardinal sin.
It is as if some other OS vendor had paid them to do as much damage as they can.

Poettering & co. are achieving their goals

[OneHundredAndTen]

Which consist of making Linux more and more similar to Windows, including the presence of serious bugs for years.

What does it matter?

[pellik]

Why does it matter how long the remote code executed for? It's just as dangerous to allow remote code to run once as it is to allow it to run for two years.

Re:What does it matter?

[dbIII]

Why does it matter how long the remote code executed for?

It matters because it gives us a little bit of insight into the testing and development process (and the low priority of security).

Re: Now it becomes clear...

[lucm]

It's just a matter of time before we get kernelctl. Then Linux will be perfect since the whole ecosystem will have been "improved" to work with systemd. No more discrepancies between distributions; just one big binary file.

When this is done, maybe The Hero could go and save other things, like smartphones and IoT devices.

Corps control Linux, not hobbyists

[perpenso]

At this point its worth asking who controls linux, the community built out of tends of thousands of projects that come together, or a few corporate entities?

For a while now, the corps. Whoever is paying the salaries of developers is in control. Look at the concept of budgeting. Its not necessarily about how to wisely spend money, its also about control. Control by determining how much in the way of resources get allocated to some idea. To prioritize idea. To ensure that work is following the plan developed by senior management, not some plan developed by a consensus of engineers.

Didn't some analysis of commits a while back show most Linux development is corporate funded? Thus corps are in control.

Moved goalposts

[dbIII]

It is in SystemD, an expanded init system. Written by SystemD developers. Pretending that it's not a SystemD problem because it's a different subsystem to the main thread is somewhat misleading IMHO so please don't insult the intelligence of readers.
If you are going to have a sig like yours you should probably try to live up to the standards of what you advocate.

MS Windows attitude

[dbIII]

With one of those links Lennart wrote:

Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create it in the first place ... So, yeah, I don't think there's anything to fix in systemd here.

It's things like this that remind us that Lennart is even now still a newbie who thinks in terms of MS Windows. The tool that could create such a username is any text editor, which is something nearly every sysadmin and nearly any long term user of *nix could have told him.

Who the fuck are you?!

[GeekWithAKnife]

Tarring and feathering would indeed be good -- especially that Lennart as usual insta-closes an obvious and nasty security bug[1] as "non-bug". And when presented with standards documents, he says they don't apply to him [github.com]. Seriously, can someone buy this guy an "Unix for dummies" book? While we don't exactly suffer from a dearth of kooks, this particular kook enjoys having his employer promote his masterpieces even when totally inadequate. The world would be so much better without systemd, PulseAudio and avahi.

Actually nevermind, here's root access.

Remind me

[jon3k]

Remind me again, how many remote remote code execution bugs were in sysvinit? I can't remember.

Re: Now it becomes clear...

[gweihir]

The systemd fanatics are mostly authoritarian followers, i.e. they care very much about following the "right" (i.e. most powerful) religion, but not at all what it actually says or entails.

a bug?

[ooloorie]

In a bloated, poorly written piece of software like systemd? You don't say!

Re:in before

[Opportunist]

You're WAY too late for this.

I have this feeling he wrote a trigger for blame shifting.

Re:Why does Red Hat allow damage to its reputation

Why did Red Hat management allow that? Is it because Red Hat makes money providing consulting services, and wants Linux configuration to be difficult so that the company will make more money?

By George, I think he's got it!

Re:The real problem is systemd haters

[Opportunist]

Funny enough, a lot. Though it's not a matter of left or right, liberal or conservative. No such petty things. This is about corporations and control of the OSS market.

Thanks Team Devuan

[HalAtWork]

Not affected here, thanks Team Devuan. Maintaining a complete GNU/Linux distro that is not reliant on systemd is extremely responsible and valuable.

not your father's least surprise

[epine]

It requires existing root access in order to create a new user. So if someone exploits it, you are already fucked.

You must be new here. The Doctrine of the Useful Idiot is referenced these days almost hourly. Hence, you must be really new here.

In this case the "useful idiot" is the trusted repository administrator, who permits a package to be hosted from upstream because it doesn't look suspicious in any way (unless the obscure rule about user accounts with leading digits is top of mind—as if every project doesn't have at least one wonky anomaly, most of which, if pursued, turn out to accord with "who knew?"—and Poettering-appropriate paranoia level is set to deep fat fry).

The trusting user will run the package installer from the trusted repository using "sudo". There's your TRANSITORY, apparently harmless root. No weird system calls. No overt fingerprint of escalation. Mission accomplished. Tick, tick, tick ...

Under Poettering, the principle of least surprise is obeyed by allowing any departure from convention, no matter how thinly understood on the ground where it matters, to lead to an unchecked root escalation.

This was not your father's principle of least surprise.

The long cascade of trusted upstream is become our new Leviathan. Can one even finish a review of inbound patches any more before the next batch arrives?

Work started in 2002 to repaint the bridge fully for the first time in its history, in a L130 million contract awarded to Balfour Beatty.

Up to 4,000 tonnes of scaffolding was on the bridge at any time, and computer modelling was used to analyse the additional wind load on the structure.

The bridge was encapsulated in a climate controlled membrane to give the proper conditions for the application of the paint.

All previous layers of paint were removed using copper slag fired at 200 miles per hour, exposing the steel and allowing repairs to be made.

The paint, developed specifically for the bridge by Leigh Paints, consisted of a system of three coats derived from that used in the North Sea oil industry.

240,000 litres of paint was applied to 255,000 square metres of the structure, and it is not expected to need repainting for at least 20 years.

The top coat can be reapplied indefinitely, minimising future maintenance work

Software security engineers, eat your heart out. The veritable mascots of unfinishable business sit there drinking tea, while we double down on making things worse.

For the record, Trump is also making a good case for himself as the President of Least Surprise.

This, too, was not your father's least surprise.

The hard dependency is FAKE

Because systemd is now a hard dependency of the Gnome desktop, which a lot of distros want to ship.

Yes, and as the Gentoo spinoff Funtoo (forked by Gentoo's original author) shows, this "hard dependency" is bullshit. They maintain a patch that removes the dependency, allowing Gnome (for those masochistic enough to want to use it) to work just fine on a non-systemd distro.[1]

[1]Funtoo, like default Gentoo, uses openrc instead.

Is there a replacement for systemd?

[Qbertino]

This is a serious question. Yes I know there's init, but systemd must have something going for it, otherwise it wouldn't be the default of just about all distros on the planet. ... Faster boot times come to mind.

So, is there an alternative to systemd since everybody seems to be bickering about it? What about a Linux that boots in under 10 seconds? If systemd is so shitty, what's holding people back from developing a system that is better and faster?

Thanks for any input on this.

Re:Is there a replacement for systemd?

[boudie2]

OpenRC. This is the alternative that works perfectly fine for me https://en.wikipedia.org/wiki/...

Re:Is there a replacement for systemd?

[silverdirk]

There are quite a few small projects that aim to do service monitoring "better", but none of them is a complete solution. They are all designed as building blocks (the way they should) but nobody has gone through the effort to build the missing pieces that would let you run i.e. Gnome3 desktop on them.

https://skarnet.org/software/s...

I even wrote my own, though it needs a "version 2" before it will really be ready for prime-time.

http://www.nrdvana.net/daemonp...

I only use these service monitors for embedded systems and minimalist systems. All my desktops are running systemd simply because it came with the distro and I don't want to spent the time learning to make Gnome3 run on a more minimal tool. I really hate Gnome's design, but I like having a desktop that looks and feels modern.

tool creating the user ?

[bingoUV]

the tool creating the user

Ok, consider this :

1. [root@localhost ~]# adduser ii
2. [root@localhost ~]# sed -i 's/ii/8i/g' /etc/passwd
3. [root@localhost ~]# su 8i

So "sed" is the tool "creating" the user, at least it (re)defines the user name. It could have been some text editor, or "echo", or someone could mount the filesystem with /etc/passwd file in some other operating system and edited in a million ways imaginable.

Do you propose sed and all software directly or indirectly used for text editing under any operating system "validate" user names ? How about direct access to storage device with a magnet or firmware interface to storage device ?

Re:tool creating the user ?

[AmiMoJo]

I actually posted elsewhere that I think there is a good case to be made for checking. On the other hand... If you are root you accept some responsibility, like not deleting important stuff or misconfiguring things.

But year, on balance probably best to check. My point was that few people argued that point, they just made ad hominem attacks.

Re:tool creating the user ?

[bingoUV]

My point was not about checking at all. As the changed subject indicates, I was talking about an extremely surprising statement from you about a "tool" that creates the user, which can be dreamt of as possibly responsible for validating the name of the user.

I still don't understand which "tool" you are talking about that has any say in the name of the user, unless the tool is physics and "validation" is prayer. In which case I apologize while mildly irritated at your unusual language.

Re:tool creating the user ?

[dbIII]

Don't blame the poster for the stupid phrase since the "tool" bit is a quote from Lennart.

Lennart P: "Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create it in the first place"

The stupidity of the the whole thing is of course something I totally agree with.

Re:Time for OpenBSD

[HiThere]

I might well if OpenBSD supported ext4 in read/write mode. As it is I can't test it out without trashing my files.

Dear Lord,

[TheDarkener]

Please give us back Ian Murdock.

In exchange we will give you Lennart Pottering.

Thanks in advance. Amen.

Now You've Done it ! Next is systemd.adduser !

[kjhambrick]

Hoo Boy ...

I can see it now ... systemd.adduser is coming right up because All'Y'All are stupid -- everyone knows UserNames do not begin with Digits !

-- kjh

The definition of anti-unix..

[CptLoRes]

Is changing something that is not broken, just so that you can experience the old bugs anew again.

Re:Software is shite

[shoor]

Not quite. It's something I learned as (Theodore) Sturgeon's law, though the wikipedia calls it Sturgeon's revelation because Sturgeon himself deemed something else as his 'law' Anyway, the relevant revelation goes something like this:
90% of Science Fiction is crud, but then 90% of everything (including in this case software) is crud.

Prime deterent to new code

[Lady+Galadriel]

This is a prime example of why systemd is the annoyance it is, new code is never bug free.

I prefer the older init systems that at least have modular designs and tend to be less buggy.

Null in username

[aberglas]

So, how does it behave if we put a Null in a username. A good way to break most C grade programs. (Sure, not supposed to be allowed, but if an upstream process has a bug that lets it through, the world should not collapse.)

Re:Null in username

[TemporalBeing]

So, how does it behave if we put a Null in a username. A good way to break most C grade programs. (Sure, not supposed to be allowed, but if an upstream process has a bug that lets it through, the world should not collapse.)

If the username is not found, then no UID will be located and the program will fail to start. That is how every administrator expects things to work; not to be handed full root access. Doesn't matter whether it's because of a NULL in the username or otherwise.

Re:Null in username

[aberglas]

Yes, but what part of the username? The bit before the null or the whole lot. What if someone creates a user rootstuff, and has the password for the full name but not for root?

This sort of thing was used to break certificate processing in a number of implementations, due to inconsistent handling of nulls.

Re:Null in username

[aberglas]

That was root[null]stuff.

Re:Null in username

[TemporalBeing]

Yes, but what part of the username? The bit before the null or the whole lot. What if someone creates a user rootstuff, and has the password for the full name but not for root?

This sort of thing was used to break certificate processing in a number of implementations, due to inconsistent handling of nulls.

Usernames are quite well defined in Linux as only being those in /etc/passwd - which is a pure text file and thereby a NULL wouldn't be allowable in there. Good luck trying to match a username with a null in it it (root\0stuff) against anything in that file, or /etc/shadow.

Now where it would get complex would be if an external auth provider (e.g LDAP), but even then the tools would add the user locally and thereby end up in the same pattern. Often integration tools (f.e Samba) provide mappings when they support different kinds of usernames than are locally allowed; but then a NULL would be of issue in most protocols unless it was escaped.

All that to say - using a NULL in a string is a bit of an absurdity for this; and that's not even relevant to the original issue which was valid textual strings that have historically been allowed - and nearly all tools allow - only because an idiot overseeing a system that is getting into the ecosystem by fiat - not technical merit - has decided he doesn't like it.

Re:Null in username

[aberglas]

There is no reason that a "text file" cannot have a null In it. Just open an editor and put one there.

What the effect of that is depends on how the C code happened to be written. If, for example, it scans for new lines, and ":"s, it will just happily include the null in the string. But then some strlen function will truncate it.

Most programmers will make the same assumption that you did. Namely that nulls should not be there, and will therefor ignore the problem.

This type of attack is not theoretical, it was used to break Certificates.

Re:Null in username

[TemporalBeing]

There is no reason that a "text file" cannot have a null In it. Just open an editor and put one there.

What the effect of that is depends on how the C code happened to be written. If, for example, it scans for new lines, and ":"s, it will just happily include the null in the string. But then some strlen function will truncate it.

Most programmers will make the same assumption that you did. Namely that nulls should not be there, and will therefor ignore the problem.

This type of attack is not theoretical, it was used to break Certificates.

Exactly. No, I didn't ignore that they *couldn't* be in a text file; only that the normal tooling - all of it - won't do that. So if it's there it's there from a nefarious actor.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Should I say, "I told you so?"

[petrus4]

I know I will get hate for this, but I stopped using Linux when systemd was forcibly and mysteriously rammed down almost everyone's throat. I've always known that systemd is to Linux what UEFI is to the PC itself; an abstraction layer allowing control for the intelligence community.

Call me a troll, scream at me as much as you like; but if as a Linux user, you support systemd, you are a traitor. It is extremely simple.

Let's ask Linus to make an init.

[cryptogranny]

Let's make a petition for Linus to ask him to write a small init. What would be better then correct integration of kernel and init.