SystemD and patching policy

Postby guy » Thu Jul 06, 2017 7:52 pm

Just bringing this to your attention: https://www.theregister.co.uk/2017/07/0 ... _accounts/

Somebody has found a new trick to fool most modern Linux distros into executing malicious code with root privilege even though they do not have it themselves. These are distros which have moved over to a monolithic initialisation utility called SystemD, which replaces a ruck of old UNIX-style "do one thing and do it well" tools. But SystemD will execute code belonging to an improperly named user and, worse, since there is no user account with associated privileges, SystemD defaults to running it with root privilege. Madness, you might think. But the chief code maintainer says that SystemD does what it is meant to do, so the vulnerability must be somebody else's problem. Yes, he apparently says that, really! If he sticks to his guns, I smell a fork coming on.

Meanwhile, if you think sticking to the old UNIX way is wiser, then Devuan Jessie is a fork of Debian Jessie which avoids SystemD.
"We don't need no frikkin' aliens, we c'n do this ourselves!" — anon.
guy
LXF regular
 
Posts: 1331
Joined: Thu Apr 07, 2005 12:07 pm
Location: Worcestershire

Re: SystemD and patching policy

Postby lok1950 » Thu Jul 06, 2017 11:33 pm

Expecting a "told you so" from Dutch_Master :wink:, and as the article states, a simple fix at the parser level is what is needed. The maintainer was voted down, so there are some people awake on the list 8), but there indeed might be a fork or a new maintainer :mrgreen:

Enjoy the Choice :)
my box:Q8200/Asus P5QDLX/8 Gb ram/WD 2Tb 2-500 G HD/GF GT640 2Gb Mint 17.2 Win 7 acer S243HL K222HQL
amd XP1800 on a asusA7N8x/ 789Mb ram/ sda 120 Gb ntfs sdb 80 Gb ext3 (fedora 10) gForce 6800 gt 128 Mb
lok1950
LXF regular
 
Posts: 1134
Joined: Tue May 31, 2005 5:31 am
Location: Ottawa

Re: SystemD and patching policy

Postby nelz » Thu Jul 06, 2017 11:35 pm

What is this monolithic utility you refer to? Systemd contains around forty separate binaries, each doing one job and doing it well - sound familiar?

However, the comments in the article that systemd should fall back to a restricted user (I'd use nobody) rather than root are good, but so is the point that you need root access to install a suitable unit file before you could gain root access.
"Insanity: doing the same thing over and over again and expecting different results." (Albert Einstein)
nelz
Site admin
 
Posts: 9046
Joined: Mon Apr 04, 2005 11:52 am
Location: Warrington, UK
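An added example, not code from either post or from the systemd project: the audit a sysadmin could run over unit files ahead of a fix, flagging any [Service] whose User= value is malformed or names no account, since, as the first post describes, such a unit ends up running as root (the fallback nelz would rather see go to "nobody"). The name rule, the sample units and the account table are constructed assumptions standing in for systemd's real parser and for /etc/passwd lookups.

```python
"""Audit systemd unit files for User= settings that would fall back to root."""
import re

# Constructed sample units (not from the page). The second names a user that
# fails the name rule and has no account; the third sets no User= at all.
SAMPLE_UNITS = {
    "good.service": "[Unit]\nDescription=ok\n\n[Service]\nUser=nobody\nExecStart=/bin/true\n",
    "bad.service": "[Unit]\nDescription=bad\n\n[Service]\nUser=0invalid\nExecStart=/bin/true\n",
    "unset.service": "[Service]\nExecStart=/bin/true\n",
}
# Constructed account table standing in for pwd.getpwnam() on a real host.
KNOWN_USERS = {"root": 0, "nobody": 65534, "www-data": 33}

# Assumption: a conservative user-name rule (letter or underscore first, then
# letters, digits, '_' or '-'); it is not systemd's own validation logic.
VALID_NAME = re.compile(r"^[a-z_][a-z0-9_-]*$")

def service_user(unit_text):
    """Return the last User= value in the [Service] section, or None if absent."""
    section, user = None, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and line.startswith("User="):
            user = line[len("User="):].strip()
    return user

def audit_unit(unit_text, known_users=KNOWN_USERS):
    """Classify a unit by the account it would actually run as.
    Models the fallback the thread describes: an unusable User= is treated
    like no User= at all, i.e. the unit runs as root."""
    user = service_user(unit_text)
    if user is None:
        return ("root", "no User= set; runs as root by default")
    if not VALID_NAME.match(user):
        return ("root", f"User={user!r} fails the name rule; would fall back to root")
    if user not in known_users:
        return ("root", f"User={user!r} has no account; would fall back to root")
    return (user, "ok")

def audit_all(units, known_users=KNOWN_USERS):
    """Return {unit_name: (effective_user, reason)} for every unit that
    would not run as the restricted user its author intended."""
    findings = {}
    for name, text in units.items():
        effective, reason = audit_unit(text, known_users)
        if reason != "ok":
            findings[name] = (effective, reason)
    return findings

if __name__ == "__main__":
    for name, (effective, reason) in audit_all(SAMPLE_UNITS).items():
        print(f"{name}: runs as {effective}: {reason}")
```

On a real host, replace KNOWN_USERS with a lookup through pwd.getpwnam() and feed the script the contents of /etc/systemd/system and /lib/systemd/system.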

Re: SystemD and patching policy

Postby Dutch_Master » Fri Jul 07, 2017 12:06 am

lok1950 wrote: Expecting a told you so from Dutch_Master :wink:

Your words, not mine! ;)

I'd also recommend using OpenRC as an alternative to systemd. I installed Devuan Jessie on my file server (it was still running Squeeze), but it looks as if they do at least support systemd in the repos. So far, Devuan is stable enough for non-commercial server use; uptime is 36+ days now.
Dutch_Master
LXF regular
 
Posts: 2589
Joined: Tue Mar 27, 2007 1:49 am