'Severe' Systemd Bug Allowed Remote Code Execution For Two Years

ITWire reports: A flaw in systemd, the init system used on many Linux systems, can be exploited using a malicious DNS query to either crash a system or to run code remotely. The vulnerability resides in the daemon systemd-resolved and can be triggered using a TCP payload, according to Ubuntu developer Chris Coulson. This component can be tricked into allocating less memory than needed for a look-up. When the reply is bigger it overflows the buffer allowing an attacker to overwrite memory. This would result in the process either crashing or it could allow for code execution remotely. "A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved in to allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it," is how Coulson put it.
Affected Linux vendors have pushed out patches -- but the bug has apparently been present in systemd code since June of 2015. And long-time Slashdot reader walterbyrd also reports a recently-discovered bug where systemd unit files that contain illegal usernames get defaulted to root.

The problem with systemd

[SharpFang]

That's a problem with Systemd. It's a pretty decent idea with a sub-par execution and a crappy way of dealing with an inherent problem.

Idea: centralized place to optimize startup, management and interconnectivity of all kinds of services.

Problem: some services in their standard form don't quite fit that model.

Solution: let's rewrite them and include as parts of systemd.

The crap part: while the originals were made by experts in that field, the replacements are made by a group of wannabe experts on everything ever, some with overinflated ego. This results in seriously inferior code replacing old 'tried and true' solutions.

At this point, the only real solution I can see is making a fork of systemd, banning the current systemd creators from participating in it, and trimming it to size. If a service doesn't quite fit systemd, work on systemd until it fits, don't rewrite it!

Re:The problem with systemd

[dwywit]

"a fork of systemd, banning the current systemd creators from participating in it, and trimming it to size. If a service doesn't quite fit systemd, work on systemd until it fits, don't rewrite it!"

That's not a bad idea - meanwhile, Poettering's response (presumably): "Systemd is working as expected. This is a flaw in {bind/whatever}. Bug closed."

Re:The problem with systemd

[Viol8]

"Some of it is even insecure by design "

So because all software has bugs we should just say: "Meh, who cares if systemd is bloated, has monumental feature creep, an author with a serious ego problem who doesn't like fixing them and it replaced an init which, while a bit crusty did what it said on the tin, because, well, systemd." Right?

Wrong. Systemd, is a poor idea, poorly implemented in a project thats poorly managed. Quite why redhat are in thrall to the arrogant little twerp in charge is anyones guess.

Re:The problem with systemd

Systemd, is a poor idea, poorly implemented in a project thats poorly managed.

Yup.

Quite why redhat are in thrall to the arrogant little twerp in charge is anyones guess.

I don't know how he got a foot in the door, so all I have is my long-distance high-level. The short and sweet is "politics", and he's red hat's useful idiot in their war with oracle.

red hat tried to tighten up their business model by splitting red hat-the-distro into fedora and RHEL. The centos guys forced red hat to release RHEL anyway because GPL. oracle then copied the whole thing verbatim, minus the branding, and called it "unbreakable linux". This allowed them to piggyback on red hat's hard work including their knowledge base. Which is why red hat put that thing behind a paywall. So oracle is doing their level best to eat red hat's lunch and using red hat's own work to do it.

So, what can red hat still do? Well, they can become more proprietary, which is where systemd comes in. No, it's not closed source, but it sure is wilfully, deliberately, and very gratuitously, incompatible with everyone else. So if a big enough party like red hat pushes it into the market, then the rest (*cough* debian *cough*) feels they have to follow suit. That means a big boon in control for red hat. And that's what it ultimately is about.

Of course, you have to have some sort of story of benefit for people to go along with the gambit. But for many the sort of fine-grained control you lose by going systemd wasn't that important anyway, for the good and simple reason that throwing more virtualisation and more hardware at it seems faster and so more cost effective. It's the same sort of reason why virtualisation and massive hardware is so popular in the windows world. The big gain for red hat sure isn't technical, it's political. You can see this in the fact that many rebuttals to technical complaints about systemd are entirely non-technical. Any time a technical argument ends up full of bullshit and personal attacks it really isn't about the technical merits any more.

I doubt poettering himself understands his role in this, seeing his grasp of architecture, code quality, and so on, so that makes him a "useful idiot". He sure does have the personality to pull it off, though. Incompetent arrogance does go a long way, with the right backing.

And, of course, once they get off the ground, bad ideas are hard to kill.

Re: The problem with systemd

And, security problems + no logs = even bigger problem. Even if he doesn't get why logs are important for security, I wish he would get why they're needed for troubleshooting. It sucks managing a lot of special snowflake servers with systemd since so often error messages don't make it to the journal.

Re: The problem with systemd

It's worse than that. The community didn't have any say in it, it just got rammed down everyones throats; its revealed that linux has started to follow the cathedral model as vendors like Redhat gain more and more exclusive control over it. At this point its worth asking who controls linux, the community built out of tends of thousands of projects that come together, or a few corporate entities?

Re:The problem with systemd

[silas_moeckel]

The reason is simply every commercially used Linux distro switched to it. We're stuck going along for the ride.

Re:Time for tar and feathers?

Besides the author who suggests with the title that the bug resides in systemd itself rather than a project included under the systemd umbrella that's disabled by default on most distributions?

From all of us Linux greybeards:

[Gravis+Zero]

We told you so.

Even Windows isn't this bad

When I first read about systemd I thought it was a knock off of the NT service control manager. Except on Windows, that's all it does. It controls services. It starts and stops them. And manages dependencies. And that's it. It doesn't take over the fucking world and try to control everything in the OS. I think this is where systemd lost its way. It's a sad day when we look to Windows as the example of "does one thing and does it well" and not the whole fucking kitchen sink.

Old News

This is old news, why don't you publish that story how "Principal systemd developer refuses to acknowledge serious security vulnerability where processes that request to be run as unprivileged user, run as root because Lennyboi does NOT like them start with zeroes! And POSIX be damned, Lenny knows better!"

No, its not a pretty decent idea

[Viol8]

"centralized place to optimize startup, management and interconnectivity of all kinds of services."

Sorry, thats not how its done in Unix. We don't want a huge monolithic application as init since that brings a huge attack surface to the most important process in the OS, not to mention a bug in a service that doesn't belong there potentially bringing down the entire system.

Re:No, its not a pretty decent idea

systemd is modular.

Yes, so modular.

Re:not the init, and it doesn't affect Debian

[KiloByte]

On Debian, we don't even execute this code by default.

But Ubuntu does. And the other security hole mentioned in the article does apply to Debian.

As for systemd being more than just an init: the problem lies in it replacing a large set of modular projects with an entangled blob. For example, vdev is an (experimental for now) replacement for udev that fixes a number of design problems, yet good luck using it on a systemd system.

As for running systemd without it being init: systemd-shim is dead, and it was flaky to the point of uselessness even while it lived. You need to recompile the Utopia stack to enjoy basics we used to take for granted like being able to shutdown or suspend from a GUI.

People have tried carving out pieces of systemd to use them separately, like uselessd, yet all such attempts I know of ended in failure because of systemd's blobbiness.

Re:Time for tar and feathers?

[The123king]

I can't see how a tape archive could possibly help.

Re: Now it becomes clear...

See, this is textbook example of systemd apologists having zero clue about the software they praise.

Is the INIT part of systemd and PROCESS MANAGEMENT "simply better"? Maybe, probably (with the exception of it ignoring invalid values instead of failing to start, like this 0day issue).

But how on gods goddamned earth is reinventing a DNS recursor, which btw is not RFC compliant (per the developer's OWN words it might NEVER be compliant because that idiot has no clue what resolvers really are), any BETTER?!?! It is not better. It is far worse. They're reinventing something they do NOT properly understand and in the process introduce NEW bugs and insecurities, and reinvent OLD bugs that proper resolvers have gone through in the past decades.

Maybe if you would LEARN what systemd really is inside, maybe then you'd see it's a steaming pile of shit that has LONG gone beyond being an init replacement.

What a load of bollocks.

The design of systemd is that they all adhere together. Claiming this is somehow not systemd is only slightly less silly than claiming it's not systemd because it's in one of the source files not called "systemd.c".

Re:Better distro suggestions?

[fnj]

That's easy. FreeBSD! It is POSIX, UNIX philosophy through and through, and not only completely free of Poetteringitis; it's free of all immature and incompetent vanities and warped design crazes.

The second one

[sad_]

The second 'bug' mentioned is far more crazy. The unit file mentions a user that doesn't exist (well, in tfa it is wrongly parsed, even worse), so the default action is to continue as root (instead of supplied user). And this is a good idea because... ??

Why can't this unit action just fail? Wouldn't that be far far better then just deciding to use root, this might cause all kinds of problems. I wonder which other nice surprises and default fall-back action are encoded.

Re:Time for tar and feathers?

[KiloByte]

It was closed because it has already been discussed at length here:

6237 is about running services as the wrong user, 6259 is about usernames allowed by POSIX but not by systemd.

Do you actually have an argument against his logic here? As in a good reason to follow POSIX rules in this case when Linux in general, which is what systemd follows, does not.

Linux doesn't even know about usernames (just uids), you may at most discuss the behaviour of a particular userland program. And every program I know of (a bunch was tested by someone on IRC) except systemd handles ones starting with a digit correctly, as POSIX prescribes. For some reason, adduser (but not, eg, useradd) dislikes creating new accounts with such a name but all it takes is specifying an option when it relaxes the check from names merely discouraged to ones that are illegal only. No other account creation program complains.

The other reason is that you have to accept any legal external input, and input allowed by the standard is certainly legal. And you need to handle illegal input as well, at the very least by returning an error rather than giving full root access.

any actual argument beyond "he immediately closes bugs I think are obvious!"

That's Lennart's usual response to anything that's not obvious to him. Most of us try to at least research a bug or ask the reporter to explain.

"Intellectually dishonest"

[jgotts]

The last time I criticized systemd I was accused of being intellectually dishonest.

I'm not sure how being a Linux developer and sysadmin both in my personal life and as a paid employee since 1994 could possibly allow me to intellectually dishonest about any subject having to do with Linux. Dishonesty about Linux could not possibly benefit me in any way.

What I said is that systemd started out being very buggy. Admittedly, to paraphrase Linus Torvalds, they shook most of the bugs out and it works okay most of the time.

Except that systemd changed the way everything has worked for decades, and not for the better.

I could go into specific examples, but suffice it to say that virtually everything that systemd has taken over, it is doing that job poorly. Seeing why services didn't work and making them work has gone from a 5 minute job to something that can take hours. Troubleshooting system problems by looking at logs has become arduous in some cases compared to looking at /var/log/messages or typing dmesg and having your answer in 2 minutes.

systemd needs to slim down and focus on what it does well, initializing weird devices. systemd has no business monkeying around with DNS, and that is just the beginning of the list of things it needs to take a step back from.

Call me intellectually dishonest, but I've been working with Linux for 23 years now (I installed Slackware 2.0 in July of 1994 from a stack of floppy disks) and I haven't failed to learn a thing or two along the way.

Re:"Intellectually dishonest"

I started with Unix in 1982.

Systemd fails many of the basic Unix concepts. Small, interconnectable tools, text log files, human readable configurations.

Re:Time for tar and feathers?

[squiggleslash]

Not a Lennart critic in general (I usually defend systemd) but I think the GP has a point here.

- The first bug was closed immediately despite systemd treating what Lennart considers an error (debatable) in the worst way possible - escalating a process to root privileges when the user is clearly stating it shouldn't.
- The second bug is an attempt to say "OK, we'll play your game, if you're saying that's correct behavior because of {another issue}, then let's state that {another issue} is also a bug because that's not right either.

In both cases Lennart has immediately closed the ticket without waiting for discussion. He may or may not have reasonable reasons for initially opposing the tickets (he doesn't in the first ticket's case, he absolutely doesn't - root privileges because a username (which you're not even going to bother validating) doesn't look right?! - which is what the GP is complaining about.

This is, frankly, horrifying. systemd is a key part of the GNU/Linux infrastructure, and it exists for a reason: to remove the reliance on shitty, fragile, shell scripts that were all-too-easily made insecure through ignorance or haste. Those who develop it must, absolutely must, listen to and take seriously security concerns. Closing two tickets in a row, immediately, without discussion, concerning a major privilege escalation, still worse because of logic that ultimately boils down to "The user should be smart enough to know some username rules that some developer somewhere pulled out of their arse and which only one or two tools actually enforce", is ridiculously incompetent.

Re:Time for tar and feathers?

[aardvarkjoe]

So specifically what part of his argument makes you think he doesn't understand this? Because he seems to have addressed your points directly and with reasonable, factually and logically correct arguments.

Well, let's look at his arguements:
First, he said:

Yes, as you found out "0day" is not a valid username.

Which is really damn obviously false, because the relevant standards permit it and various Linux systems permit it. It's only "not valid" as defined by systemd.
Then he says:

1. systemd is not the one coming up with the restrictions on user names, and while some distributions are less restrictive, many do enforce the same restrictions as we do. In order to make systemd unit files portable between systems we'll hence enforce something that resembles more the universally accepted set, rather than accept the most liberal set possible.

Making things "portable" by restricting the configurations that systemd will work with? On what planet does that make any sense at all? It's not like correctly handling user names that Poettering doesn't use is going to break things on his computer; he just doesn't want to make a simple change to fix something because of his ego.

2. User= in unit files is about system users, not regular users, and I am pretty sure we should enforce a stricter regime about system users than regular users.

Since systemd doesn't get to dictate valid usernames, this isn't a reasonable argument.

3. In systemd we generally follow the rule that when we encounter a unit setting that does not validate syntax-wise we'll log about it and ignore it, for compat reasons. We do the same for User= here as for all other options. Note that if you specify a valid user name but where the user doesn't exist, then we'll instead fail the service on start, because in that case there's not just something wrong with the syntax the service author used but actually something inconsistent on the system, and that should be considered fatal.

This just demonstrates a lax attitute towards security. If the unit file specifies a "User=" line, then they obviously want to set a particular user to run the service, and unexpectedly running it as root is a security hole. The fact that Poettering can't see that after 10 seconds of thinking about it tells me that I wouldn't want his code anywhere near my system.

MS Windows attitude

[dbIII]

With one of those links Lennart wrote:

Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create it in the first place ... So, yeah, I don't think there's anything to fix in systemd here.

It's things like this that remind us that Lennart is even now still a newbie who thinks in terms of MS Windows. The tool that could create such a username is any text editor, which is something nearly every sysadmin and nearly any long term user of *nix could have told him.

Who the fuck are you?!

[GeekWithAKnife]

Tarring and feathering would indeed be good -- especially that Lennart as usual insta-closes an obvious and nasty security bug[1] as "non-bug". And when presented with standards documents, he says they don't apply to him [github.com]. Seriously, can someone buy this guy an "Unix for dummies" book? While we don't exactly suffer from a dearth of kooks, this particular kook enjoys having his employer promote his masterpieces even when totally inadequate. The world would be so much better without systemd, PulseAudio and avahi.

Actually nevermind, here's root access.

Re:Time for tar and feathers?

[squiggleslash]

One of us has this backwards... It looks to me like in both cases Lennart is saying that systemd follows the Linux standard, not POSIX. Under the Linux rules on usernames they can't start with a number, so using "0day" as a username is invalid and the service won't start because the user doesn't exist.

Neither of us have it backwards. First ticket is Lennart essentially saying "It's OK for systemd to run an application as root when a user specifies an username beginning with a digit because I (Lennart) think the user has made an error, a username shouldn't begin with a digit (his justification being what you're saying.) The second is saying "We shouldn't treat a username beginning with a digit as an error".

It's debatable it is a "Linux" standard to begin with. Only one of the two command line tools to add users actually enforces this supposed rule. Literally nothing else does. The kernel is agnostic. And the command line tools aren't Linux, they're GNU. So what we're looking for is evidence that (1) RMS or an officer blessed by RMS has declared this to be a standard and (2) No declaration since has placed POSIX compatibility ahead of legacy GNU functionality.

Both tickets are entirely reasonable and not one of them should have been closed without discussion. Actually, let me correct that, the first should have been closed with just a note along the lines of "Fuck me! You're right! Personally I think {Inserts personal beliefs about "Linux"'s username policy here} so I'll just have it output an error message and not start the daemon", not "Ha, user is an idiot! LOL ROLF APK!! EVERYONE knows usernames begin with letters LOL! Root privileges for everyone!"