Slashdot Mirror


Systemd Named 'Lamest Vendor' At Pwnie Security Awards (theregister.co.uk)

Long-time Slashdot reader darkpixel2k shares a highlight from the Black Hat USA security conference. The Register reports: The annual Pwnie Awards for serious security screw-ups saw hardly anyone collecting their prize at this year's ceremony in Las Vegas... The gongs are divided into categories, and nominations in each section are voted on by the hacker community... The award for best server-side bug went to the NSA's Equation Group, whose Windows SMB exploits were stolen and leaked online this year by the Shadow Brokers...

And finally, the lamest vendor response award went to Systemd supremo Lennart Poettering for his controversial, and perhaps questionable, handling of the following bugs in everyone's favorite init replacement: 5998, 6225, 6214, 5144, and 6237... "Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will be referenced in either the change log or the commit message," reads the Pwnie nomination for Systemd, referring to the open-source project's allergy to assigning CVE numbers. "But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!"

CSO has more coverage -- and presumably there will eventually be an official announcement up at Pwnies.com.

22 of 436 comments

  1. Already been closed by NoNonAlphaCharsHere · · Score: 5, Funny

    Marked NOTLAME, WONTACCEPT, closed.

    Also, lameness filter.

    1. Re:Already been closed by AmiMoJo · · Score: 5, Interesting

      I know I've defended Poettering in the past, but lately I've come to think that he is a right pillock. systemd badly needs somebody who understands security and who can get these issues the attention they deserve.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:Already been closed by Anonymous Coward · · Score: 5, Insightful

      Too bad there isn't some other init system that has been tested for decades and is rock solid we could use instead... Wait! there is!

  2. Misleading title by markdavis · · Score: 4, Informative

    >"Systemd Named 'Lamest Vendor' At Pwnie Security Awards"

    I have no great love of Systemd, but that headline is misleading. The award was the "lamest vendor RESPONSE." But, you know, it is all the rage to have intentionally misleading headlines to grab even more attention than deserved.

    1. Re: Misleading title by whitlocktj · · Score: 5, Insightful

      To be honest, not much of a difference in this case. When someone epically fails on multiple accounts with their response to horrendous bugs, I'd consider them to be the 'lamest vendor'. Your post is overrated in that you're distinguishing between two things that have very little difference in this case.

    2. Re: Misleading title by Anonymous Coward · · Score: 4, Insightful

      Remote root compromise isn't serious? I have never, I mean ever, seen anyone hunker down and suck so quickly and enthusiastically as Zero__ does on Poettering, and I'm homosexual.

      And yes, that is one of the four bugs listed. Any confusion in linking the bugs to the appropriate CVE is, again, entirely Poettering's fault and part of the reason he got the award.

  3. No words. by 0100010001010011 · · Score: 5, Insightful

    You have got to be fucking kidding me: systemd can't handle the process privilege that belongs to user name startswith number, such as 0day #6237

    And what's worse is Poettering's complete lack of UNIX awareness.

    Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create it in the first place. Note that not permitting numeric first characters is done on purpose: to avoid ambiguities between numeric UID and textual user names.

    Somehow FreeBSD doesn't have an issue:

    [root@freenas2 ~]# adduser
    Username: 0day
    Full name: 0 Day
    Uid (Leave empty for default):
    Login group [0day]:
    Login group is 0day. Invite 0day into other groups? []:
    Login class [default]:
    Shell (sh csh tcsh bash rbash git-shell netcli.sh ksh93 mksh zsh rzsh scponly nologin) [sh]: bash
    Home directory [/home/0day]:
    Home directory permissions (Leave empty for default):
    Use password-based authentication? [yes]: no
    Lock out the account after creation? [no]: no
    Username : 0day
    Password :
    Full Name : 0 Day
    Uid : 8001
    Class :
    Groups : 0day
    Home : /home/0day
    Home Mode :
    Shell : /usr/local/bin/bash
    Locked : no
    OK? (yes/no): yes
    adduser: INFO: Successfully added (0day) to the user database.
    Add another user? (yes/no): no
    Goodbye!
    [root@freenas2 ~]# su - 0day
    [0day@freenas2 ~]$ id 0day
    uid=8001(0day) gid=8001(0day) groups=8001(0day)

    His failure to understand POSIX has shown up in the past as well: tmpfiles: R! /dir/.* destroys root #5644 with Poettering's amazing comment of:

    I am not sure I'd consider this much of a problem. Yeah, it's a UNIX pitfall, but "rm -rf /foo/.*" will work the exact same way, no?

    It's not like you couldn't take 5 seconds to test that:

    root@m6700:~# mkdir /foo
    root@m6700:~# touch /foo/.test
    root@m6700:~# mkdir /foo/.test2
    root@m6700:~# ls -lah /foo/
    total 12K
    drwxr-xr-x 3 root root 4.0K Jul 29 14:04 .
    drwxr-xr-x 25 root root 4.0K Jul 29 14:04 ..
    -rw-r--r-- 1 root root 0 Jul 29 14:04 .test
    drwxr-xr-x 2 root root 4.0K Jul 29 14:04 .test2
    root@m6700:~# rm -rf /foo/.*
    rm: refusing to remove '.' or '..' directory: skipping '/foo/.'
    rm: refusing to remove '.' or '..' directory: skipping '/foo/..'
    root@m6700:~# ls -lah /foo/
    total 8.0K
    drwxr-xr-x 2 root root 4.0K Jul 29 14:04 .
    drwxr-xr-x 25 root root 4.0K Jul 29 14:04 ..

    1. Re:No words. by Anonymous Coward · · Score: 5, Insightful

      It is almost as if the concept of "be conservative in what you do, be liberal in what you accept" is useful in graceful handling of errors. I mean, not as if someone said it in the past who had any importance.

    2. Re: No words. by aardvarkjoe · · Score: 5, Insightful

      Except of course that this very bug has been fixed for weeks now, as have all the other bugs listed.

      Yes and no. They did fix the security problem by having the unit file error out if the username starts with a digit. So at least they're no longer randomly running things as root.

      But they still haven't fixed the problem that systemd won't accept valid usernames. As far as I can tell, that is 100% an ego thing -- they won't admit that having systemd have its own username validation rules is a mistake.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
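
The two behaviours aardvarkjoe describes (randomly running things as root versus erroring out), as an added example in C that is not systemd's code: a User= value that fails validation is either dropped so the default identity, uid 0, applies (fail open) or rejected so the unit never starts (fail closed). The name rule is the traditional useradd default, [a-z_][a-z0-9_-]*, assumed here as a stand-in for systemd's own check, and the password table is constructed for the demo. Note that "0day" exists in that table, just as it exists on the FreeBSD box above, but the validator rejects it before any lookup happens, which is exactly the situation in the bug.

```c
/* Added example (not systemd code): the same User= line handled two ways.
 * A privilege-dropping directive that cannot be parsed must fail the
 * service (fail closed); silently ignoring it leaves the default identity,
 * uid 0, in place (fail open). The password table is constructed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum policy { FAIL_OPEN, FAIL_CLOSED };

/* Stand-in for getpwnam(); entries mirror the FreeBSD session above. */
struct pw { const char *name; long uid; };
static const struct pw passwd_table[] = {
    { "root",  0 },
    { "alice", 1000 },
    { "0day",  8001 },
};

static long lookup_uid(const char *name)
{
    for (size_t i = 0; i < sizeof passwd_table / sizeof passwd_table[0]; i++)
        if (strcmp(passwd_table[i].name, name) == 0)
            return passwd_table[i].uid;
    return -1;
}

/* True if s is a non-empty run of digits: a numeric uid, not a name. */
static int is_numeric(const char *s)
{
    if (!*s)
        return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s))
            return 0;
    return 1;
}

/* useradd-style rule: [a-z_][a-z0-9_-]{0,31}. A leading digit is refused
 * so that names and numeric uids can never collide; under this rule
 * "0day" is "not a valid username" even though it is in the table. */
static int valid_user_name(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32)
        return 0;
    if (!(islower((unsigned char)s[0]) || s[0] == '_'))
        return 0;
    for (size_t i = 1; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(islower(c) || isdigit(c) || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}

/* Resolve the value of a User= line to the uid the service would run as.
 * Returns the uid, or -1 when the service must not start. */
static long resolve_user(const char *value, enum policy p)
{
    if (is_numeric(value))
        return atol(value);             /* explicit uid */
    if (!valid_user_name(value)) {
        if (p == FAIL_OPEN) {
            fprintf(stderr, "warning: ignoring invalid User=%s\n", value);
            return 0;                   /* default identity: root */
        }
        fprintf(stderr, "error: invalid User=%s, refusing to start\n", value);
        return -1;
    }
    return lookup_uid(value);           /* -1 if the user does not exist */
}

int main(void)
{
    const char *values[] = { "alice", "1000", "0day", "nosuch" };
    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++)
        printf("User=%-7s fail-open -> %4ld   fail-closed -> %4ld\n",
               values[i],
               resolve_user(values[i], FAIL_OPEN),
               resolve_user(values[i], FAIL_CLOSED));
    return 0;
}
```

The only line that differs between the two policies is what happens when validation fails. Anything that reduces privilege (User=, Group=, a capability bounding set, a seccomp filter) belongs on the FAIL_CLOSED branch: a directive the loader cannot honour must stop the service, never fall through to the privileged default.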
  4. How does Debian justify using this?! by Anonymous Coward · · Score: 5, Interesting

    How can Debian's developers justify using systemd, considering all of these unbelievably unjustifiable problems with it? Why have they subjected Debian and its users to these flaws? Is it really just a result of the best Debian users having long ago moved to FreeBSD, leaving around only users who don't know any better?

    1. Re:How does Debian justify using this?! by Anonymous Coward · · Score: 4, Interesting

      It was shoved down Debian's throat by the technical committee in a first-ever usurpation of power from the developers to the committee. There was no consensus on this change at all.

    2. Re: How does Debian justify using this?! by Anonymous Coward · · Score: 5, Insightful

      Not only that but the vote for Systemd in Debian was a 2-2 tie and had to be overruled. Hardly a "everyone wanted Systemd" that a lot of the pro-systemd people like to suggest.

    3. Re: How does Debian justify using this?! by Tenebrousedge · · Score: 4, Informative

      Rating: pants on fire.

      --
      Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
  5. I seem to remember Miguel de Icaza ... by HBI · · Score: 4, Informative

    Back in the days when Mono was considered a submarine way to give Microsoft control over Linux, there was such universal hate then.

    --
    HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
  6. With all this hate... by Kokuyo · · Score: 4, Interesting

    I've been considering switching from Ubuntu to something without Systemd. But what would that be? Slackware is a bit hardcore and frankly, I'm really scared I won't get my server functional ever again if I start from scratch...

    1. Re:With all this hate... by sconeu · · Score: 4, Informative

      What about Devuan?

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    2. Re:With all this hate... by aardvarkjoe · · Score: 4, Informative

      Most of those who oppose systemd are pining for the Good Old Days of loading the boot target using bat-handle toggle switches on the front of their IMSAI.

      We're mostly pining for the Good Old Days when you could trust your init system to do what it was supposed to do.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  7. Re:Why not OpenBSD? by Anonymous Coward · · Score: 5, Informative

    Different goals of the platforms.
    FreeBSD wants to be a well-rounded general usage OS
    OpenBSD wants to be the pinnacle of security and is willing to throw everything out to achieve that goal
    NetBSD wants to be ultra-portable
    Dragonfly wants to be a high performance highly scalable and even distributed OS

  8. Re:Why not OpenBSD? by Curupira · · Score: 4, Informative

    OpenBSD is undoubtedly safer, but FreeBSD is generally considered to be updated more often and better to use as a desktop/laptop OS. In fact, there are TWO desktop-centric operating systems based on FreeBSD: TrueOS (formerly PC-BSD) and DesktopBSD. So, if your intent is to use it in a desktop/workstation, FreeBSD is probably a better fit.

  9. Thus Spake Poettering .. by khz6955 · · Score: 5, Funny

    Systemd dies if there is no cgroup support in the kernel.

    Poettering: "To make this work we’d need a patch, as nobody of us tests this"

    R! /dir/.* destroys root.

    Poettering: "I am not sure I'd consider this much of a problem. Yeah, it's a UNIX pitfall, but "rm -rf /foo/.*" will work the exact same way, no?"

    Processes owned by a user with a leading zero in the name are started with root privilege.

    Poettering: "I don't think there's anything to fix in systemd here"

    Systemd kills background processes after the user logs out.

    Poettering: "In my view it was actually quite strange of UNIX that it by default let arbitrary user code stay around unrestricted after logout."

    'I have an issue with journal corruptions and need to know what is the accepted way to deal with them.'

    Poettering: "Yupp, journal corruptions result in rotation, and when reading we try to make the best of it. they are nothing we really need to fix hence."

    'Poettering locked and limited conversation to collaborators on 17 Apr'

  10. Re:Fuck linux and systemd by fnj · · Score: 5, Informative

    What the fuck are you babbling about, schmuck? FreeBSD has an excellent binary package system with automatic dependency resolution: pkg. The user doesn't need to compile source from ports except if he wants something to be built with unusual options (same as linux, incidentally). All you need is "pkg install foo" and it will fetch the package foo and all its dependencies from the repo and install it.

  11. Re:Xinuos OpenServer 10 by unixisc · · Score: 4, Informative

    Actually no! Tarantella was acquired by Sun shortly after it spun off SCO, and it didn't have the OSs - it had some utilities like IIRC OpenVision and some NFS like software.

    Xinuos was the successor company to SCO, Inc, after it filed Chapter 7. They inherited whatever legacy assets SCO had, as well as any customers, but started w/ a FreeBSD fork for enterprises. No idea whether their management has anything in common w/ that of SCO, Inc.