Slashdot Mirror


New SystemD Vulnerability Discovered (theregister.co.uk)

The Register reports that a new security bug in systemd "can be exploited over the network to, at best, potentially crash a vulnerable Linux machine, or, at worst, execute malicious code on the box" by a malicious host on the same network segment as the victim. According to one Red Hat security engineer, "An attacker could exploit this via malicious DHCP server to corrupt heap memory on client machines, resulting in a denial of service or potential code execution." According to the bug description, systemd-networkd "contains a DHCPv6 client which is written from scratch and can be spawned automatically on managed interfaces when IPv6 router advertisements are received."

OneHundredAndTen shared this article from the Register: In addition to Ubuntu and Red Hat Enterprise Linux, systemd has been adopted as a service manager for Debian, Fedora, CoreOS, Mint, and SUSE Linux Enterprise Server. We're told RHEL 7, at least, does not use the vulnerable component by default.

Systemd creator Leonard Poettering has already published a security fix for the vulnerable component -- this should be weaving its way into distros as we type. If you run a systemd-based Linux system, and rely on systemd-networkd, update your operating system as soon as you can to pick up the fix when available and as necessary.

  1. Really, is anyone surprised? by telek83 · · Score: 5, Insightful

    This is what happens when you reinvent everything you possibly can, just 'cuz', but to put the icing on the cake, you run everything as root when you do it...

    1. Re:Really, is anyone surprised? by Anonymous Coward · · Score: 5, Insightful

      That's the thing, isn't it? The millionth windows vulnerability and still saying "well any code has bugs". Sure it does. But the rebuttal is essentially saying that all code is created equal. That's just not true. Some code is very much more equal than others.

      This guy doesn't merely write crap code, he has a track record of not playing well with others, refusing to acknowledge bugs, expecting other software projects to work around and make up for his mistakes, and so on, and so forth. Next to his track record, there are multiple reasons why his code has more and more pernicious bugs than other code. One of the reasons is as GP says: The code tries to do too much and fails to make use of built-in fall-out protection, deliberately. That's just stupid. The guy has been told, and he still thinks it's a good idea. He really believes his shit does not stink. Ergo, the guy is stupid, as well as an asshole.

      If I get a choice at all, it is clear: I do not want any of his code running on my systems if I can at all help it.

    2. Re:Really, is anyone surprised? by telek83 · · Score: 5, Insightful

      While no one writes perfect code, when rewriting code for no good reason other than wanting to, the code itself should at least be as good as the previous implementation, and as it stands dhclient6 and isc-dhcp-server do not have this problem.

      I don't have a problem with SystemD, I have a problem with anyone who tries to modernize some software but doesn't take into account why things were written the way they were in the first place... it's like the DNS resolve bugs... had the developers even bothered to look into bind's history, they would have never made the same mistakes... why take 1 step forward and all the steps back, just to rewrite software that has worked in the first place? This goes for any project, not just SystemD, not just Wayland or any of the "next-generation" projects... all reincarnations of software should take into account the previous implementation's bugs; doing anything else is completely irresponsible and childish on the developers' part, it sends a message of "I can write better code than you" while in reality making all the mistakes the previous implementation made and more.

      This whole "I am better than thou" s**t should end, it only makes people look like idiots

    3. Re: Really, is anyone surprised? by Type44Q · · Score: 5, Funny
      No, don't you see??

      New SystemD Vulnerability Discovered...

      The vulnerability they discovered... was SystemD. It's recursive or a paradox or something. Either way, very fascinating...

    4. Re:Really, is anyone surprised? by telek83 · · Score: 5, Informative

      Agreed, bind's configuration is obtuse and does need fixing, so rather than rewriting a completely different client with the same set of bugs that have already been fixed, why not fork bind, fix the configuration so it's something more sane and then if people like it, they will use it, or ISC will pull the fork's changes back into the main fork of bind. If you look at the problems that need to be solved, most of the time there is no need for a complete rewrite. You can see this is true for most things out there; despite this, people almost always try to reinvent the wheel anyways.

    5. Re:Really, is anyone surprised? by Anonymous Coward · · Score: 1

      They don't run the modules on privilege-separated processes with minimal privileges?!

    6. Re:Really, is anyone surprised? by telek83 · · Score: 2

      SIOCSIFADDR, SIOCSIFFLAGS and opening a socket for LPF require root... unless you do this "sudo setcap CAP_NET_BIND_SERVICE,CAP_NET_RAW=+ep", which no one does, because after every upgrade they would have to reset the cap

      So yes, the client and the server have to run as root. You would think that because they are reinventing the wheel here, they would fix this so it can be run by a user with minimal privileges, so even if a bug like this does happen, they are still limited in what they can do.
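An added check for the point above about running the client with only the capabilities it needs (example code, not from the thread and not systemd's or ISC dhclient's): it decodes the CapEff mask from /proc/<pid>/status and reports anything beyond CAP_NET_RAW and CAP_NET_BIND_SERVICE. The status excerpts and the dhclient process name are constructed for the example.

```python
#!/usr/bin/env python3
"""Audit a process's effective capabilities against a minimal allowed set.

Added example, not from the thread and not systemd's or ISC dhclient's code.
The comment above names CAP_NET_RAW and CAP_NET_BIND_SERVICE as what a DHCP
client needs; this decodes the CapEff bitmask the kernel exposes in
/proc/<pid>/status and reports anything beyond that set, so a defender can
confirm a network-facing client is not running with full root capabilities.
Capability bit numbers follow linux/capability.h. The status samples below
are constructed for the example.
"""
import re

# Bit positions from linux/capability.h (subset; unknown bits print by number)
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN",
    27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE",
}

# The minimal set named in the comment for a DHCP client
DHCP_CLIENT_CAPS = frozenset({"CAP_NET_RAW", "CAP_NET_BIND_SERVICE"})

# Constructed /proc/<pid>/status excerpts: one client running as full root,
# one confined with setcap to the two capabilities it actually needs
STATUS_ROOT = "Name:\tdhclient\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
STATUS_CONFINED = "Name:\tdhclient\nUid:\t108\t108\t108\t108\nCapEff:\t0000000000002400\n"


def decode_capmask(hexmask):
    """Turn a hex CapEff/CapPrm/CapBnd value into a set of capability names."""
    mask = int(hexmask, 16)
    caps = set()
    bit = 0
    while mask:
        if mask & 1:
            caps.add(CAP_NAMES.get(bit, "CAP_%d" % bit))
        mask >>= 1
        bit += 1
    return caps


def parse_status(status_text):
    """Pull Name, real Uid and CapEff out of /proc/<pid>/status text."""
    info = {}
    for line in status_text.splitlines():
        m = re.match(r"^(Name|Uid|CapEff):\s+(\S+)", line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def excess_caps(status_text, allowed=DHCP_CLIENT_CAPS):
    """Capabilities effective in the process that are outside `allowed`."""
    info = parse_status(status_text)
    return decode_capmask(info.get("CapEff", "0")) - set(allowed)


def audit_pid(pid, allowed=DHCP_CLIENT_CAPS):
    """Same check against a live process (Linux only)."""
    with open("/proc/%d/status" % pid) as f:
        return excess_caps(f.read(), allowed)


if __name__ == "__main__":
    for label, text in (("root client", STATUS_ROOT), ("confined client", STATUS_CONFINED)):
        extra = sorted(excess_caps(text))
        print("%s: %s" % (label, "OK, minimal" if not extra else "excess " + ", ".join(extra)))
```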

    7. Re:Really, is anyone surprised? by alvinrod · · Score: 4, Insightful

      > This guy doesn't merely write crap code, he has a track record of not playing well with others, refusing to acknowledge bugs, expecting other software projects to work around and make up for his mistakes, and so on, and so forth.

      All of that's a valid reason for not liking SystemD, and touches on my own dislike for it as well. However, the fact that it had a vulnerability in it isn't a good reason to dislike it for the sake of that reason alone, unless you're willing to dislike any other software that has had a vulnerability equally much. Don't conflate dislike of a thing for valid reasons with reasons that you wouldn't use or apply in other cases.

      To put it another way, if you found out that a person you already disliked once ran over someone's dog, you might use that act itself to condemn them as a terrible person. However, it's unlikely that if your friend ran over someone's dog that you'd think using that act to condemn them as a terrible person would be justified. If you want to think less of a person for running over a dog, do it in equal amounts irrespective of how you felt about that person prior to them running over someone's dog.

      > That's the thing, isn't it? The millionth windows vulnerability and still saying "well any code has bugs". Sure it does. But the rebuttal is essentially saying that all code is created equal.

      It obviously isn't, and I don't think anyone would honestly argue that all code (or designs, or programmers, etc.) is equal with a straight face. No one's forcing anyone to use crap code, especially in the open source community. If this were Windows, you'd just be stuck with it like all of the other crap that Microsoft has shoved off on people over the years.

    8. Re:Really, is anyone surprised? by Lady+Galadriel · · Score: 1

      I am surprised!

      That this is not a weekly occurrence. (Well, weekly Public occurrence...)

      --
      Lady Galadriel
    9. Re:Really, is anyone surprised? by Aighearach · · Score: 1

      > This is what happens when you reinvent everything you possibly can, just 'cuz', but to put the icing on the cake, you run everything as root when you do it...

      Just imagine what they'd say if it had 12 intentional exploits added! Planet Neckbeard would assplode, probably wipe out the entire Klingon-speaking population of this galaxy.

    10. Re:Really, is anyone surprised? by gweihir · · Score: 4, Insightful

      > The code tries to do too much and fails to make use of built-in fall-out protection, deliberately. That's just stupid. The guy has been told, and he still thinks it's a good idea. He really believes his shit does not stink. Ergo, the guy is stupid, as well as an asshole.

      All classical beginner's mistakes. This guy is not a beginner, but still makes bad beginner's mistakes. Because of his unlimited arrogance, he does not learn. Classical Dunning-Kruger sufferer. Now how anybody ever thought using code from this person was a good idea is beyond me.

      We can also expect this stuff to go bad exceptionally fast when Poettering loses interest, as the code is too complex and too badly documented to be maintainable.

      > If I get a choice at all, it is clear: I do not want any of his code running on my systems if I can at all help it.

      Depending on the defaults, I either rip this crap out after installation or do not install it in the first place. My employer does the same as a matter of policy. Has not caused any problems so far and probably prevented a ton of them. Usually the problems with systemd start right after installation for me, as I do have a network-setup that is not quite standard. The only other system that has these problems is Windows, and it has it to a lesser degree these days.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:Really, is anyone surprised? by Rockoon · · Score: 2

      > This guy doesn't merely write crap code, he has a track record of not playing well with others, refusing to acknowledge bugs, expecting other software projects to work around and make up for his mistakes, and so on, and so forth.

      Exaggerations aside, the key point is that even the best programmers with the best intent cannot reinvent the wheel without consequences. The motivation for reinventing the wheel is that the current code is ugly and hard to maintain. So off they go writing the replacement temple. What happens is that all the stuff that they thought was ugly was a bugfix or in another way necessary. Their temple grows ugly. The bugs were reinvented too.

      --
      "His name was James Damore."
    12. Re:Really, is anyone surprised? by Rockoon · · Score: 1

      Even better, don't fuck with bind, and simply invent a decent side language for producing bind configurations. This is how unix is supposed to stack up.

      --
      "His name was James Damore."
    13. Re: Really, is anyone surprised? by Jane+Q.+Public · · Score: 1

      SystemD was a bad idea from the start.

      The majority opposition to it should have been a clue.

      Nothing at all surprising about this.

    14. Re:Really, is anyone surprised? by thegarbz · · Score: 1

      > This is what happens when you reinvent everything you possibly can

      New software has bugs? ZOMG someone stop the presses, we need to tell EVERYONE.

      > just 'cuz'

      just 'cuz' the old init system didn't meet the requirements set out by a modern OS and there have been no less than 15 other projects attempting to replace it already. But hey, one of them gained traction, so let's pick on that one.

    15. Re:Really, is anyone surprised? by thegarbz · · Score: 1

      > when rewriting code for no good reason other than wanting to

      You left out the bit where various distributions have been attempting to replace sysvinit with something workable for years due to its technical limitations.

      > This goes for any project, not just SystemD, not just Wayland or any of the "next-generation" projects... all reincarnations of software should take into account the previous implementation's bugs

      And yet we are discussing a bug that is due to functionality that doesn't exist in other implementations. It's easy to criticise repeating mistakes of the past until you look closely and realise that quite often the mistakes of the past weren't repeated, but rather implemented in a completely different way under a different scenario.

    16. Re:Really, is anyone surprised? by AmiMoJo · · Score: 2

      Although in this case the person responsible seems to be Patrik Flykt, who added the code with this commit about 4 years ago: https://github.com/systemd/sys...

      Poettering committed the fix.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    17. Re:Really, is anyone surprised? by Shaitan · · Score: 1

      I have a problem with the design philosophy around systemd. The entire one size fits all integrated rather than simple function specific tools concept has its strengths and its weaknesses but they belong on platforms which are not fundamentally built on a platform with the philosophy of small function specific tools. At least not at the system level.

      Systemd feels like a clone of what you find on some of the proprietary Unix systems like Solaris and while those systems do have some strengths they mostly are the giant pain in the backside that ensures you need to have an experienced Solaris guy on staff if you have Solaris running somewhere.

    18. Re:Really, is anyone surprised? by tomtomtom · · Score: 1

      Which is why rewriting basic system utilities from scratch, repeatedly, instead of relying on the battle-hardened code which has already had its fair share of vulnerabilities exploited and patched over a long lifespan, is likely to increase the attack surface.

      systemd's apparent need to replace/rewrite basic system utilities which have worked for decades (in some cases) and don't need changing IS part of the problem.

    19. Re:Really, is anyone surprised? by knorthern+knight · · Score: 1

      > Get me a poettering-free linux with a non-stupid X and a decent
      > browser. Can you do it with an established distribution at all or
      > is it linux-from-scratch time with a whole lot of work tacked on top?

      Gentoo https://gentoo.org/get-started... has systemd as an option, not a requirement. If that's too much like LFS for you, there's Devuan https://devuan.org/ which was forked from Debian. Like Debian, it is also the base for several specialized spin-offs https://devuan.org/os/partners...

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
    20. Re:Really, is anyone surprised? by fisted · · Score: 1

      Just one data point chiming in, I've been running Devuan at home and at work, as well as on a few machines that I admin (friends, parents), it's solid.

      It's almost as if someone had taken Debian and removed systemd from it, as well as compiling out the systemd dependencies of a few packages. Oh wait.

    21. Re:Really, is anyone surprised? by strikethree · · Score: 1

      > However, the fact that it had a vulnerability in it isn't a good reason to dislike it for the sake of that reason alone, unless you're willing to dislike any other software that has had a vulnerability equally much.

      I think you are missing that any vulnerability in SystemD is a root level vulnerability. That also goes for its "modules". The blindness and arrogance evident in the main component allows for misplaced trust in its modules, so if you can violate any of the "modules", you can violate the system as a whole.

      There is a reason organic life expresses great variation, even within species. But yeah, SystemD will be the one thing in the universe to find security without variation.

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  2. First of many by ArchieBunker · · Score: 5, Insightful

    This is the tip of the iceburg as more spaghetti code will be found. Tell me again why a startup manager also does DNS resolution?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:First of many by 93+Escort+Wagon · · Score: 2

      I imagine, in Poettering’s long-term plan, systemd is eventually going to include its own X server and its own graphical desktop manager.

      Wish I was joking.

      --
      #DeleteChrome
    2. Re:First of many by Anonymous Coward · · Score: 5, Informative

      It's worse than just doing DNS resolution.

      It has a hardcoded fallback to Google's servers:

      https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658

      In spite of repeated explanations about why that is a horrid idea, the maintainers chose to ignore all the objections and proceed full steam ahead.

    3. Re:First of many by Calydor · · Score: 1

      Hi Poettering.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    4. Re:First of many by mike2006 · · Score: 2

      > It's worse than just doing DNS resolution.

      > It has a hardcoded fallback to Google's servers:

      > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761658

      > In spite of repeated explanations about why that is a horrid idea, the maintainers chose to ignore all the objections and proceed full steam ahead.

      It is mind blowing to read that to begin with but what was worse is reading the refusal to acknowledge the privacy issue and fix it.

    5. Re:First of many by ArchieBunker · · Score: 1

      Silly me thinking the kernel handled network connections...

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    6. Re:First of many by gweihir · · Score: 2

      Because the designer is a smart moron that does not learn and never grasped why KISS is so essential to all good engineering. An amateur at work.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:First of many by gweihir · · Score: 5, Insightful

      Fascinating. Hardcoded defaults like that are a catastrophe in the making and are only done by complete and utter amateurs with no experience.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re: First of many by Provocateur · · Score: 1

      Found the Ubuntu release-namer reject.

      --
      WARNING: Smartphones have side effects--most of them undocumented.
    9. Re:First of many by Barsteward · · Score: 1

      They are still finding security issues with X even after all this time and yet no-one whines like an ignorant anti-systemd poster. https://www.theregister.co.uk/...

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    10. Re:First of many by thegarbz · · Score: 1

      > are only done by complete and utter amateurs with no experience.

      Idiots, maybe. Reckless people, definitely. But calling the person whose code has for many years now underpinned core functionality of multiple distributions "amateur with no experience" is a self-defeating insult.

    11. Re:First of many by gweihir · · Score: 2

      The thing about Poettering is apparently that he has not acquired any experience in all these years and still only qualifies as an amateur. It is pretty surprising how somebody can be that resistant to learning. So, no, not "self defeating", just accurate in describing his capabilities, if not his history.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    12. Re: First of many by gweihir · · Score: 2

      I was commenting on demonstrated skill-level, not employment history. I am well aware where he works.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re:First of many by gweihir · · Score: 2

      I think it strongly implies something very specific. But good to know, so I will continue to ignore Docker.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re: First of many by gweihir · · Score: 1

      Fascinating. That is probably the most stupid thing I have heard in some time with regards to security.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    15. Re:First of many by thegarbz · · Score: 1

      > The thing about Poettering is apparently that he has not acquired any experience in all these years and still only qualifies as an amateur.

      On account of the fact that he is both paid for his work and continues to do it, your insult remains self-defeating. Come on, pick something more appropriate.

    16. Re:First of many by Anonymous Coward · · Score: 1

      There is a HUGE difference between a *remotely* exploitable vulnerability of a critical system service and an optional piece of software that is locally exploitable..

      From the link:

      > If a vulnerable version of X.org runs on a system as setuid root, it can be abused by normal logged-in users to gain administrator-level control over the machine. That would allow a miscreant to tamper with files, install spyware, and so on. Some Linux distros don't use X.org with elevated privileges, or are otherwise immune – such as CentOS; check for security updates anyway.

      The distribution has a security-issue when running X.org as root.. So don't run things as root... I would consider this to be a bug in X.org that is turned into a security-issue by the distributions that choose to run it as root.

      SystemD on the other hand is not optional, and has remote-exploit after remote-exploit published... Such a fundamental service should not talk to things on the network. (DNS/MDNS/DHCP/LLMNR etc)

      Another issue with SystemD is that there is no shared project on CVE-details so keeping track of what issues exists or affects you is a bit of a hassle.
      https://duckduckgo.com/?q=site%3Awww.securityfocus.com+systemd&t=h_&ia=web

      Done right, SystemD could have become a welcome thing... But it should not try to replace basically every system-service without supporting the previous functionality that was there... It should also try to reuse existing code that has been running for many years, and that has had loads of security-fixes applied.

      SystemD is a badly written, badly introduced hack of "good to have" things that sort of works most of the time and that you are unable to disable or add to without writing code that you then have to maintain, since only widely used features that fit into Poettering's agenda are accepted.

  3. Slackware: not affected. by sombragris · · Score: 5, Insightful

    Slackware does not use systemd and therefore is not affected by this vulnerability.

    At least in this case, the KISS philosophy paid well.

    --
    -- Look to the Rose that blows about us--"Lo, Laughing," she says, "into the World I blow..."
    1. Re: Slackware: not affected. by Anonymous Coward · · Score: 4, Funny

      It's a relief to hear that all four of you are safe.

    2. Re: Slackware: not affected. by Anonymous Coward · · Score: 4, Funny

      I'm offended, there are six of us.

    3. Re: Slackware: not affected. by mark-t · · Score: 1

      Redhat uses systemd too, actually. In fact, I think that's where it started.

    4. Re:Slackware: not affected. by ortholattice · · Score: 5, Informative

      I used Debian for over a decade before systemd and loved it. I'm not qualified to judge the merits of systemd, but when it was brought into Debian many things I was used to were suddenly different, with knowledge I learned over the years no longer of value. I don't mind learning new things, but I don't like them foisted on me gratuitously for no reason, especially since I had a lot more important stuff going on at the time.

      I switched my server to Devuan and am extremely happy with it. It was a breath of fresh air to see what I thought of as "Debian" back again. So far I've had zero problems, from installation to daily use, and I don't expect I will use Debian again.

    5. Re:Slackware: not affected. by TeknoHog · · Score: 1

      Gen too.

      --
      Escher was the first MC and Giger invented the HR department.
    6. Re:Slackware: not affected. by gweihir · · Score: 2

      I am currently still with Debian and just rip out the cancer. When that stops working, I will move to Devuan.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Slackware: not affected. by RuiFRibeiro · · Score: 1

      AntiX is doing a much better job of keeping SystemD at bay. i am using it on my corporate desktop.

    8. Re:Slackware: not affected. by Rockoon · · Score: 1

      The BSD's are avoiding this nightmare also.

      --
      "His name was James Damore."
    9. Re:Slackware: not affected. by Barsteward · · Score: 1

      Nor does opensuse use this particular module as it's very very optional

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    10. Re:Slackware: not affected. by thegarbz · · Score: 1

      > Slackware does not use systemd and therefore is not affected by this vulnerability.

      Ubuntu uses systemd and like all other reasonable distributions patched the bug straight away and is therefore not affected by this vulnerability.

    11. Re:Slackware: not affected. by schweini · · Score: 1

      As someone whose servers updated to Debian-with-systemd: is it possible to migrate to a systemd-free Debian (Devuan or some other) without re-installing, in a safe way?

  4. Laughs by Billly+Gates · · Score: 2

    Goes back to working on some FreeBSD vms.

    1. Re:Laughs by Ol+Olsoc · · Score: 2

      > Goes back to working on some FreeBSD vms.

      I'll just leave this here https://www.cvedetails.com/vul...

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:Laughs by syzler · · Score: 1

      *Laughs* Goes back to working on some 300+ Slackware VMs.

      BTW, the site only lists 2 vulnerabilities for CentOS since 2012, so I don't think it uses as complete a dataset as you think. As an example, there have been at least 10 high-severity OpenSSL vulnerabilities which affected CentOS since 2012, and neither of the 2 CentOS vulnerabilities listed on the site you provided is for OpenSSL packages.

    3. Re:Laughs by Ol+Olsoc · · Score: 1

      > *Laughs* Goes back to working on some 300+ Slackware VMs.

      > BTW, the site only lists 2 vulnerabilities for CentOS since 2012, so I don't think it uses as complete a dataset as you think. As an example, there have been at least 10 high-severity OpenSSL vulnerabilities which affected CentOS since 2012, and neither of the 2 CentOS vulnerabilities listed on the site you provided is for OpenSSL packages.

      Whoosh. Your "Ermagherd. I use FreeBSD so I am superior and safe" is just the opposite side of the coin of the Windows fanbois who strut around like cock-a-whoops when some other OS has any vulnerability at all, as if a few is somehow the equivalent of the hella batch of Windows problems.

      So anyhow, if you want to believe that you are immune from the problems that us Proles have, by all means, crack open a cold one, and toast your wisdom in picking the system that is safe. Laugh away.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re:Laughs by bgalbrecht · · Score: 1

      None of the vulnerabilities listed which are against currently supported versions of FreeBSD allow the attacker to gain access level, unlike this SystemD bug.

    5. Re: Laughs by Anonymous Coward · · Score: 1

      An APC can be compromised, but I'd still rather be travelling in one through the war zone that is the internet than Systemd's bright red plastic tonka car.

    6. Re: Laughs by Ol+Olsoc · · Score: 1

      We feel superior because we fucking are.

      Now I can laugh.

      Our code is hardened and written with security in mind. Can you say that about your OS?

      You and your attitude of imperviousness would get your ass fired if you worked for me. Not that you'd care - a superior being like yourself will be commanding 8 or more figures since you use an impervious OS.

      Meanwhile - thanks for the LuLz Coward!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    7. Re:Laughs by Ol+Olsoc · · Score: 1

      Just an FYI, any system that can be coded, can be compromised. All it takes is the will and some time.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  5. Devuan! by Anonymous Coward · · Score: 2, Informative

    one more reason to run Devuan!

  6. Oh Pottering. by 0100010001010011 · · Score: 5, Interesting

    > I am not sure I'd consider this much of a problem. Yeah, it's a UNIX pitfall, but "rm -rf /foo/.*" will work the exact same way, no?

    > tmpfiles: R! /dir/.* destroys root

    > Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create it in the first place. Note that not permitting numeric first characters is done on purpose: to avoid ambiguities between numeric UID and textual user names.

    > So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but still: the username is clearly not valid.

    > systemd can't handle the process privilege that belongs to user name startswith number, such as 0day

    > I tested Ubuntu, Debian, FreeBSD, and OpenSolaris, 0day is a perfectly valid username.

    How did anyone that lacked that much understanding about UNIX get in charge of the init system?

    1. Re:Oh Pottering. by cats-paw · · Score: 1

      How is it that many of the major Linux distributions picked up systemd?

      Not only was it a terrible idea, but people who should know better put it into their systems knowing it was a terrible idea.

      --
      Absolute statements are never true
    2. Re:Oh Pottering. by Gravis+Zero · · Score: 5, Informative

      > Yes, as you found out "0day" is not a valid username.

      > I tested Ubuntu, Debian, FreeBSD, and OpenSolaris, 0day is a perfectly valid username.

      Oh, it's more than just that: I checked the POSIX standard and this rule of his is entirely invented.

      Per the POSIX standard:

      > A string that is used to identify a user; see also User Database. To be portable across systems conforming to POSIX.1-2017, the value is composed of characters from the portable filename character set. The <hyphen-minus> character should not be used as the first character of a portable user name.

      So what's the portable filename character set?

      A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
      a b c d e f g h i j k l m n o p q r s t u v w x y z
      0 1 2 3 4 5 6 7 8 9 . _ -

      What does this mean? On POSIX your username can be "007", "4-8_" or "._-" if you want it to be.

      Lennart is full of shit and cannot admit he didn't even consider the standard when designing systemd.

      --
      Anons need not reply. Questions end with a question mark.
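The two username rules compared above, as an added example (not from the thread and not systemd's validation code): the POSIX.1-2017 portable user name check next to a simplified "no leading digit" rule, plus a constructed name-or-UID resolver that shows the ambiguity that rule is meant to avoid. The user table and UIDs are constructed.

```python
#!/usr/bin/env python3
"""POSIX-portable user names versus a "no leading digit" rule.

Added example, not from the thread and not systemd's validation code. It
implements the POSIX.1-2017 portable user name rule quoted above (portable
filename character set, no leading hyphen) next to the stricter rule the
quoted maintainer reply describes (no leading digit, simplified here), and
then shows the ambiguity that stricter rule is meant to avoid: a field that
accepts "a user name or a numeric UID" resolves a digits-only name
differently depending on lookup order. The user table is constructed.
"""
import string

PORTABLE_FILENAME_CHARS = frozenset(string.ascii_letters + string.digits + "._-")


def is_posix_portable_username(name):
    """POSIX.1-2017: only portable filename characters, not starting with '-'."""
    return bool(name) and set(name) <= PORTABLE_FILENAME_CHARS and name[0] != "-"


def is_no_leading_digit_username(name):
    """Stricter rule from the quoted reply: also reject a leading digit.
    (Simplified: the real systemd check has further rules not covered here.)"""
    return is_posix_portable_username(name) and not name[0].isdigit()


# Constructed user database (name -> uid). "0day" and "1000" are both
# POSIX-portable names; "1000" also collides with alice's numeric UID.
USERS = {"root": 0, "alice": 1000, "0day": 1001, "1000": 1002}


def resolve_name_first(field, users=USERS):
    """Resolve a name-or-UID field: try the name, then an all-digit UID.
    Unknown values raise instead of silently falling back to a default."""
    if field in users:
        return users[field]
    if field.isdigit():
        return int(field)
    raise KeyError("unknown user: %r" % field)


def resolve_uid_first(field, users=USERS):
    """Opposite policy: all-digit strings are UIDs, anything else is a name."""
    if field.isdigit():
        return int(field)
    if field in users:
        return users[field]
    raise KeyError("unknown user: %r" % field)


if __name__ == "__main__":
    for name in ("0day", "007", "4-8_", "._-", "-x", "bob:x"):
        print("%-6s posix=%-5s no_leading_digit=%s" % (
            name, is_posix_portable_username(name), is_no_leading_digit_username(name)))
    # The same field value gives two different UIDs under the two policies
    print("1000 ->", resolve_name_first("1000"), "vs", resolve_uid_first("1000"))
```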
    3. Re: Oh Pottering. by Anonymous Coward · · Score: 1

      The bigger mystery is why he felt the need to enforce arbitrary rules on the string at all. Pass it to getpwnam_r(), job done. Validating username format should not be duplicated or the responsibility of a badly written jumped up process manager. That guy is a fascistic idiot

    4. Re:Oh Pottering. by Opportunist · · Score: 1

      This is actually the question that's asking for an answer.

      People develop shabby software for Linux all the time. That happens daily, multiple times. For every good project there's at least 100 crappy ones. So it should be no surprise that there is of course also a crappy init process.

      The actual question is why it became the go-to init process for all major distributions.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. You can have my Devuan.... by Indy1 · · Score: 1

    when you pry it out of my cold dead hands.

    So glad I ditched SystemD distros for my servers....

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  8. Re: When was last time by jd · · Score: 1

    The best possible/the most secure - these are relative concepts, not absolute.

    Besides, systemd is no more Linux than Emacs or KDE.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  9. Re: This is why ipv6 should be disabled by default by jd · · Score: 2

    IPv6 should be the only protocol running. Your router can transparently convert to legacy formats.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  10. Re:Leonard? by ArchieBunker · · Score: 2, Funny

    I pronounce it as "shit head".

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  11. SystemD reminds me of all the old Emacs jokes by jd · · Score: 1

    Emacs was said to be a perfectly good OS with built-in text editor.

    When handling modular software, one module should do one thing and do it well, but the framework is responsible for ensuring deadlocks, crashes and security defects are confined to the module suffering them. Do that and it doesn't matter how buggy a component is, there's no contagion.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  12. Give OpenBSD a shot! by localgh0st · · Score: 2

    I was turned off by systemD and the direction Linux distros are taking by adopting it, as it seems a departure from the Unix philosophy. I was also turned off by the restrictive communication/behaviour rules forced upon the FreeBSD community. So I decided to give OpenBSD a shot and was pleasantly surprised. You can perform a lot of server functions with just the base system, working with it is intuitive, and it's surprisingly up-to-date.

    1. Re:Give OpenBSD a shot! by Anonymous Coward · · Score: 1

      One of the less appreciated aspects of OpenBSD is the quality of its documentation. They spend an enormous amount of effort to make the manual pages a complete, definitive, and readable reference for the system.

      Countless times I've solved a problem or performed a new task in OpenBSD only by consulting manpages, where in other systems I would be searching stackoverflow, reading an out of date random howto, or checking some shitty web forum. Until you've experienced it you don't know how much time that saves.

    2. Re:Give OpenBSD a shot! by TeknoHog · · Score: 1

      Let me tell you about our Good Lord Gentoo. In his infinite wisdom, he combined the best of BSD with the hardware compatibility of the Linux kernel and the exquisite kindness of the GNU userland. The private keys to his kingdom are just an emerge away, or about seven days of compiling. (If you're going to say something clever about it, please redirect your laughs at the BSD crowd, because that's where we got the idea.)

      --
      Escher was the first MC and Giger invented the HR department.
  13. Intended behavior by Anonymous Coward · · Score: 1

    Won't fix. Just like all other systemd bugs.

    1. Re:Intended behavior by sgage · · Score: 2

      Won't use. I do not want to have anything to do with systemd, or Lennart Poettering, if I can help it. I am very happy with Devuan.

    2. Re: Intended behavior by dryeo · · Score: 1

      Because gnome practically requires it at this point. Several distros tried various workarounds to stay systemd free, but Gnome went out of their way to break them. Eventually the distros gave in because it was too hard, but they wanted gnome support to avoid pissing off users.

      Which just raises the question of why Gnome wanted systemd.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
    3. Re: Intended behavior by hierofalcon · · Score: 1

      Cause Red Hat is a big benefactor.

  14. I figured it out. by ckatko · · Score: 1

    It's not re-inventing that they keep doing.

    It's laziness.

    "Why do I have to READ someone ELSE's manual and learn some large API I can't easily understand... when I could do something FUN like parse XML using regular expressions!"

    1. Re:I figured it out. by gweihir · · Score: 2

      The hallmark of utter amateurs. All great engineers stand on the shoulders of giants. These here crawl in the mud while congratulating themselves how great they are.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:I figured it out. by Rockoon · · Score: 1

      If you think that you've solved a problem using regex, I'm here to inform you that you now have two problems.

      --
      "His name was James Damore."
    3. Re:I figured it out. by ckatko · · Score: 1

      That was the joke. :P

  15. Re:I love it! by DavidRawling · · Score: 1

    If your measure for quality is the amount spent to design it and the number of customers, you must love Windows 10.

  16. I used to recommend GNU/Linux by Hallux-F-Sinister · · Score: 1

    I find that I cannot do that anymore, conscionably. Sadly, it would seem that security is as bad or worse than competitors, and best practices have been thrown away in favor of rapid release cycles and whiz-bang, bleeding-edge bullshit. They may have attracted new fans, but old supporters are going to be obliged to switch to something else... perhaps a BSD variant.

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
    1. Re:I used to recommend GNU/Linux by rl117 · · Score: 1

      While I have some criticisms of FreeBSD, pkgng isn't one of them. It had some teething troubles to be sure, as did apt-get in its day, but today it seems pretty solid and I've not encountered any bugs in the dependency solver for a good couple of years now. What's conceptually so bad about packaging up the base system? freebsd-update is quite dated, and more fragile. Downloading and applying patches rather than pulling a few packages with atomic updates and rollbacks. I see that as bringing the system up to the level of Debian for robustness and ease of management.

  17. Re: This is why ipv6 should be disabled by default by gweihir · · Score: 1

    Alternatively, I can still just give the finger to IPv6 and block it completely and be rid of the complexity it brings. Yes, I have several static IPv4 addresses.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  18. Re: This is why ipv6 should be disabled by defaul by jd · · Score: 1

    How is it a security nightmare? It's simpler and more secure. I should know, I was one of the earliest adopters.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  19. Re: This is why ipv6 should be disabled by defaul by jd · · Score: 1

    There is no extra complexity.

    Fields are properly aligned and have fixed meaning, making processing easier.

    Routing is strictly hierarchical, so only four bytes need ever be examined - same as IPv4.

    The header has a much simpler structure.

    Addresses are (protocol):(location):(unique identifier). How much simpler can you get? Technically, all you have is the identifier, which you can take between ISPs that have IPv6 correctly configured. This guarantees mobility between ISPs without losing connection.

    Configuring an IPv6 network? Radvd works fine. Don't need DHCP just DDNS. That's less complexity.

    Address length? Who cares, it's only visible in misconfigured networks. Besides, because of the way it is composed and because of the express mobility, a full address doesn't mean anything except for fixed servers.

    Correctly-configured IPv6 suffers no fragmentation, simplifying firewalls. It supports misconfigured systems, because admins are lazy, but you don't need stateful firewalls in IPv6.

    Addresses are transient, only names are permanent, which means only machines deal with addresses.

    Router protocols are simpler under IPv6 because the design is simpler. Latency is reduced, too.

    Because the prefix identifies protocols, your stack doesn't need to check if you're in the unicast or multicast range, it checks one byte against a case statement.

    Any options in the IPv4 header that were rarely used got moved to option headers. This means you've a modular design (cleaner), you don't need to process information you probably aren't going to use, and you can often ignore the extra headers anyway. Even if you don't, it invites cleaner, simpler, code.

    Sorry, whoever told you IPv6 was more complex was full of it.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  20. Re: This is why ipv6 should be disabled by defaul by jd · · Score: 1

    I should add I've also several static IPv4 addresses, but also several IPv6 addresses since 1996. Please play again.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  21. Re: This is why ipv6 should be disabled by defau by jd · · Score: 1

    If you have IPv6 correctly installed, all reconfiguration is strongly authenticated.

    If you don't have it correctly installed, sounding like a defeated Joker won't fix your problems.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  22. use www.devuan.org by what+about · · Score: 2

    It has been done to avoid all of this.

    Support and donate, otherwise the systemd cancer will kill Linux

    This was the plan all along

    1. Re:use www.devuan.org by Anonymous Coward · · Score: 1

      apt-get upgrade'ing did not fix this bug until yesterday. ... and it will not fix the other bugs not yet uncovered, that exist there today. Any software has bugs, but systemd almost certainly has more of them, that have not been discovered and worked out yet.

      Use Devuan - the systemd-free Debian.

  23. Re: This is why ipv6 should be disabled by default by Barsteward · · Score: 1

    you should really go back to using slate and chalk.

    --
    "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
  24. Re: This is why ipv6 should be disabled by defaul by gweihir · · Score: 1

    If that is your level of insight, I should probably give you the finger as well....

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  25. Why... by jaredm1 · · Score: 1

    I don't get one thing. Poettering is obviously challenged when it comes to writing defensive code, listening to others, etc. How on earth did he get so many major Linux distro maintainers convinced of systemd? One subpar human shouldn't have been able to dupe so many. Anyone got an explanation for that?

    1. Re:Why... by iggymanz · · Score: 1

      The problem started with a group of SJW feminazis on Debian that couldn't code, that were given a megaphone. You can see how everything went downhill from there.

  26. Re: This is why ipv6 should be disabled by defau by Anonymous Coward · · Score: 1

    Different AC here, just pointing out that you failed to carry the argument when you called IPv6 simpler. Nobody, and I mean absolutely nobody, believes this; you lost your audience. I'd also note that any protocol that is insecure and only secure when configured "just so", and relies on the No True Scotsman security defense, has failed as a standard.

  27. Easy fix by Shaitan · · Score: 1

    Stop shoving systemd down our throats.

  28. Re: This is why ipv6 should be disabled by default by gweihir · · Score: 1

    Only the utterly dumb equate "newer" with "better"...

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  29. QA nightmare by gosand · · Score: 1

    This is the tip of the iceberg, as more spaghetti code will be found. Tell me again why a startup manager also does DNS resolution?

    I've been in software QA since '93 and a *nix user just as long... here's where there is real danger in systemd. Because the more complex, intertwined, and less elegant the codebase, the more likely fixing bugs will introduce or uncover more. People have always ignored this aspect of the *nix philosophy, or rather maybe just inherently understood it. I don't know how many times over the years I have seen a bugfix cause havoc in a monolithic spaghetti codebase. Then of course, you try to quickly fix those "new" bugs, which also causes issues you may or may not find immediately.

    Phrases like "it's a one line code change" or "it should just flow right through" or "you don't need to test that, this fix won't affect it" always put me on alert.

    I'm not saying the sky is falling for systemd. I'm just saying that there should be a fallback option to it, and there is not. Considering the staggering number of servers running Linux in the world, it's simply a risk that should be considered.

    --
    My beliefs do not require that you agree with them.

  30. martin f krafft has some crazy ideas by CanadianMacFan · · Score: 1

    I was reading through the discussion on the Debian bug site and Martin has some crazy ideas. He thinks that eventually the default mail router should be gmail and that /etc/resolv.conf will be removed.

  31. Re: This is why ipv6 should be disabled by defaul by headbulb · · Score: 1

    This is one of the things that drives me nuts about IPv6 proponents. They go all crazy defensive if you criticize anything about their protocol, even when the criticism is fair. I haven't seen anything from you that isn't fair and I have seen the opposite from jd.

    It's a fact that IPv6 is much more complicated than IPv4. I would have just made a new protocol that corrected IPv4's mistakes: addresses would be 64 bits long and use CIDR notation. Broadcast would have been kept, since it's stupid simple to use the last address, with all FFs for the MAC. DHCP would still exist and would be the main way dynamic addresses would be assigned. DHCPv6 has a cool feature: a router can request to get a routable subnet.

    IPv6 has two main mistakes. Trying to do too much for the layer it is in the network stack, and not learning from past mistakes.

  32. Re:Spelling by hierofalcon · · Score: 1

    Cause it wasn't quite bad enough for systemF.

    Close - but not quite there... yet.

  33. Re:Please stop maligning amateurs by gweihir · · Score: 1

    My apologies. I will instead call him an utter incompetent then. Better?

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  34. Re: This is why ipv6 should be disabled by defaul by gweihir · · Score: 1

    This is one of the things that drives me nuts about IPv6 proponents. They go all crazy defensive if you criticize anything about their protocol, even when the criticism is fair. I haven't seen anything from you that isn't fair and I have seen the opposite from jd.

    Thanks.

    It's a fact that IPv6 is much more complicated than IPv4. I would have just made a new protocol that corrected IPv4's mistakes: addresses would be 64 bits long and use CIDR notation. Broadcast would have been kept, since it's stupid simple to use the last address, with all FFs for the MAC. DHCP would still exist and would be the main way dynamic addresses would be assigned. DHCPv6 has a cool feature: a router can request to get a routable subnet.

    IPv6 has two main mistakes. Trying to do too much for the layer it is in the network stack, and not learning from past mistakes.

    Indeed. Beginners' mistakes. Brooks calls this "The Second System Effect". We are seeing a lot of that in the IT world.

    They should basically just have extended the address range and kept everything essentially as it is with IPv4, as IPv4 is not broken.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  35. Re: This is why ipv6 should be disabled by defaul by headbulb · · Score: 1

    Exactly. IPv4 needed address extension and simplification. People have a hard enough time understanding VLANs and subnets. Let alone trying to figure out how to calculate how much I can works.

  36. Re: This is why ipv6 should be disabled by defau by jd · · Score: 1

    I'm an atheist and don't give a damn about protocol religion.

    Only thing that matters is facts. Fact is, it is simpler. The primary header has word-aligned headers with simpler semantics, and none of the semantics that complicates things about IPv4. One word does one thing and does it well.

    You've offered no contradiction to this, just some mysticism. IPv6 is simpler because each piece does less and there are fewer mandatory pieces.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  37. Re: This is why ipv6 should be disabled by defaul by jd · · Score: 1

    How is it not CIDR?

    Name a complexity added.

    You claim he's being reasonable but all I see is hand-waving, abuse and mysticism. Offer something solid or admit you can't.

    I use the protocol. I use both. I have experience where all you offer is allegation. You want me to take you seriously? Offer a reason for your claim. A real reason.

    Extended IPv4 was rejected for many good reasons. You never bothered to look them up, I see. I tend to listen to those who bother. Even if I disagree, I'll listen to those who bother.

    Bit aligned fields are not simple.
    Fragmentation is not simple.
    IPv4 multicast is complicated.
    IPv4 anycast doesn't exist.
    IPv4 MobileIP is complicated.
    IPv4 DHCP is complicated, insecure and unreliable.
    IPv4 routing is slow and memory hungry.

    These are reasons.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  38. Re: This is why ipv6 should be disabled by defaul by gweihir · · Score: 1

    I don't think you are equipped to understand my reasons. Sorry, KISS is for advanced players only. And no, experience does not make you an advanced player; what you learn from experience may or may not make you one. Hence I will not waste time on this and you get the satisfaction of crying "But you do not have any actual arguments!" loudly. I do not really care.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  39. A Scotty Quote Comes to Mind by Sol+Rosinberg · · Score: 1

    "The more they overthink the plumbing, the easier it is to stop up the drain." SystemD is undoubtedly severely overthought plumbing. I don't know why someone thought they could improve on SysVInit with start-stop-daemon, but they were quite badly mistaken.