Slashdot Mirror

← Back to Stories (view on slashdot.org)

Systemd Named 'Lamest Vendor' At Pwnie Security Awards (theregister.co.uk)

Posted by EditorDavid on from the init-to-win-it dept.

Long-time Slashdot reader darkpixel2k shares a highlight from the Black Hat USA security conference. The Register reports: The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year's ceremony in Las Vegas... The gongs are divided into categories, and nominations in each section are voted on by the hacker community... The award for best server-side bug went to the NSA's Equation Group, whose Windows SMB exploits were stolen and leaked online this year by the Shadow Brokers...

And finally, the lamest vendor response award went to Systemd supremo Lennart Poettering for his controversial, and perhaps questionable, handling of the following bugs in everyone's favorite init replacement: 5998, 6225, 6214, 5144, and 6237... "Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will referenced in either the change log or the commit message," reads the Pwnie nomination for Systemd, referring to the open-source project's allergy to assigning CVE numbers. "But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!"
CSO has more coverage -- and presumably there will eventually be an official announcement up at Pwnies.com.

10 of 436 comments (clear)

  1. No words. by 0100010001010011 · · Score: 5, Insightful

    You have got to be fucking kidding me: systemd can't handle the process previlege that belongs to user name startswith number, such as 0day #6237

    And what's worse is Pottering's complete lack of UNIX awareness.

    Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create it in the first place. Note that not permitting numeric first characters is done on purpose: to avoid ambiguities between numeric UID and textual user names.

    Somehow FreeBSD doesn't have an issue:

    [root@freenas2 ~]# adduser
    Username: 0day
    Full name: 0 Day
    Uid (Leave empty for default):
    Login group [0day]:
    Login group is 0day. Invite 0day into other groups? []:
    Login class [default]:
    Shell (sh csh tcsh bash rbash git-shell netcli.sh ksh93 mksh zsh rzsh scponly nologin) [sh]: bash
    Home directory [/home/0day]:
    Home directory permissions (Leave empty for default):
    Use password-based authentication? [yes]: no
    Lock out the account after creation? [no]: no
    Username : 0day
    Password :
    Full Name : 0 Day
    Uid : 8001
    Class :
    Groups : 0day
    Home : /home/0day
    Home Mode :
    Shell : /usr/local/bin/bash
    Locked : no
    OK? (yes/no): yes
    adduser: INFO: Successfully added (0day) to the user database.
    Add another user? (yes/no): no
    Goodbye!
    [root@freenas2 ~]# su - 0day
    [0day@freenas2 ~]$ id 0day
    uid=8001(0day) gid=8001(0day) groups=8001(0day)

    His failure to understand POSIX has shown up in the past as well: tmpfiles: R! /dir/.* destroys root #5644 with Pottering's amazing comment of:

    I am not sure I'd consider this much of a problem. Yeah, it's a UNIX pitfall, but "rm -rf /foo/.*" will work the exact same way, no?

    It's not like you couldn't take 5 seconds to test that:

    root@m6700:~# mkdir /foo
    root@m6700:~# touch /foo/.test
    root@m6700:~# mkdir /foo/.test2
    root@m6700:~# ls -lah /foo/
    total 12K
    drwxr-xr-x 3 root root 4.0K Jul 29 14:04 .
    drwxr-xr-x 25 root root 4.0K Jul 29 14:04 ..
    -rw-r--r-- 1 root root 0 Jul 29 14:04 .test
    drwxr-xr-x 2 root root 4.0K Jul 29 14:04 .test2
    root@m6700:~# rm -rf /foo/.*
    rm: refusing to remove '.' or '..' directory: skipping '/foo/.'
    rm: refusing to remove '.' or '..' directory: skipping '/foo/..'
    root@m6700:~# ls -lah /foo/
    total 8.0K
    drwxr-xr-x 2 root root 4.0K Jul 29 14:04 .
    drwxr-xr-x 25 root root 4.0K Jul 29 14:04 ..

    1. Re:No words. by Anonymous Coward · · Score: 5, Insightful

      It is almost as if the concept of "be conservative in what you do, be liberal in what you accept" is useful in graceful handling of errors. I mean, not as if someone said it in the past who had any importance.

    2. Re: No words. by aardvarkjoe · · Score: 5, Insightful

      Except of course that this very bug has been fixed for weeks now, as havevall tje other bugs listed.

      Yes and no. They did fix the security problem by having the unit file error out if the username starts with a digit. So at least they're no longer randomly running things as root.

      But they still haven't fixed the problem that systemd won't accept valid usernames. As far as I can tell, that is 100% an ego thing -- they won't admit that having systemd have its own username validation rules is a mistake.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  2. Re: Misleading title by whitlocktj · · Score: 5, Insightful

    To be honest, not much of a difference in this case. When someone epically falls on multiple accounts with their response to horrendous bugs, I'd consider them to be the 'lamest vendor' Your post is overrated in that you're distinguish between something that has very little difference in this case.

  3. Re: How does Debian justify using this?! by Anonymous Coward · · Score: 5, Insightful

    Not only that but the vote for Systemd in Debian was a 2-2 tie and had to be overruled. Hardly a "everyone wanted Systemd" that a lot of the pro-systemd people like to suggest.

  4. Re:Already been closed by Anonymous Coward · · Score: 5, Insightful

    Too bad there isn't some other init system that has been tested for decades and is rock solid we could use instead... Wait! there is!

  5. Re:How does Debian justify using this?! by rainer_d · · Score: 1, Insightful

    Not using systemd would have made them irrelevant.

    Not that this isn't going to happen anyway, as RedHat absorbs more and more of the Linux-world and it will be increasingly difficult to do anything on Linux "un-RedHat-edly" in the coming years.

    As such it has to be seen how much of a differentiation-factor an installer and some default-settings are - together with the complete lack of any kind of enterprise-features that RedHat offers. Because that's what I think Debian et.al are going to end-up being. Because I believe they're even going to adopt the package-format (RPM) and the installer.

    If I need something without systemd, I just use FreeBSD. It doesn't do some things, but what it does, it does it very, very well.

    --
    Windows 2000 - from the guys who brought us edlin
  6. Re: Misleading title by Anonymous Coward · · Score: 4, Insightful

    Remote root compromise isn't serious? I have never, I mean ever, seen anyone hunker down and suck so quickly and enthusiastically as Zero__ does on Poettering, and I'm homosexual.

    And yes, that is one of the four bugs listed. Any confusion in linking the bugs to the appropriate CVE is, again, entirely Poetterings fault and part of the reason he got the award.

  7. Re:Already been closed by Anonymous Coward · · Score: 2, Insightful

    Seriously though, why the Debian tag? Surely Redhat would be more appropriate in the circumstances?

  8. Re:Thus Spake Poettering .. by dindinx · · Score: 3, Insightful

    If you don't compile network support into the kernel, no http servers can work. If you don't compile cgroup support into the kernel, systemd is the only init system that can't start. Every other init starts with no problems.

    See the différence?

    --
    DindinX