SoylentNews is people
SoylentNews
Submitted via IRC for TheMightyBuzzard
A bug in Linux's systemd init system causes root permissions to be given to services associated with invalid usernames, and while this could pose a security risk, exploitation is not an easy task.
A developer who uses the online moniker "mapleray" last week discovered a problem related to systemd unit files, the configuration files used to describe resources and their behavior. Mapleray noticed that a systemd unit file containing an invalid username – one that starts with a digit (e.g. "0day") – will initiate the targeted process with root privileges instead of regular user privileges.
Systemd is designed not to allow usernames that start with a numeric character, but Red Hat, CentOS and other Linux distributions do allow such usernames.
"It's systemd's parsing of the User= parameter that determines the naming doesn't follow a set of conventions, and decides to fall back to its default value, root," explained developer Mattias Geniar.
While this sounds like it could be leveraged to obtain root privileges on any Linux installation using systemd, exploiting the bug in an attack is not an easy task. Geniar pointed out that the attacker needs root privileges in the first place to edit the systemd unit file and use it.
[...] Systemd developers have classified this issue as "not-a-bug" and they apparently don't plan on fixing it. Linux users are divided on the matter – some believe this is a vulnerability that could pose a serious security risk, while others agree that a fix is not necessary.
See, this is why we can't have nice init systems.
Source: http://www.securityweek.com/linux-systemd-gives-root-privileges-invalid-usernames
(Score: 5, Insightful) by Justin Case on Monday July 03 2017, @10:33PM (19 children)
"default value, root" pretty much explains everything that is defective in the brains of those behind systemd. Maybe it is not an easily exploitable bug (for now). But it is a cognitive bug that can only be fixed by replacing the people who think this is OK. Or, you know, by ignoring them and letting them spiral down to their own doom without me along for the ride.
I recently tried Devuan 1.0 on my laptop. Aside from some minor installation bumps (similar to what others have reported) it is wonderful. Familiar and powerful Debian without the crap. I plan to convert my entire network when I can.
(Score: 0) by Anonymous Coward on Monday July 03 2017, @11:18PM
What do you mean? If you are devious and screw up a lot you gain power and privilege. That is exactly how the world works!
(Score: 2) by MichaelDavidCrawford on Monday July 03 2017, @11:40PM
Software failure is fundamentally a human problem, not a technical one. Purely technical solutions fail to effect truly meaningful and lasting change. [warplife.com]
Yes I Have No Bananas. [gofundme.com]
(Score: 5, Insightful) by fido_dogstoyevsky on Monday July 03 2017, @11:57PM (12 children)
It only explains half that is defective. My son keeps telling me "don't ascribe to malice anything easily explained as incompetence" and "default value, root" is incompetence. As opposed to "make it big, all devouring and a moving target so that it's almost impossible to just replace", which is malice.
I'm glad to see Devuan succeeding since Debian (Potato) was one of the first distros I tried.
It's NOT a conspiracy... it's a plot.
(Score: 5, Insightful) by vux984 on Tuesday July 04 2017, @12:56AM (4 children)
(Score: 0) by Anonymous Coward on Tuesday July 04 2017, @07:09AM
Whenever I've taken the time to report a problem with any open-source project, it gets ignored and then closed without any action taken. So this "wont-fix" is just the default, not necessarily anything to do with this specific bug.
(Score: 2) by turgid on Tuesday July 04 2017, @10:12AM (2 children)
Perhaps systemd is written by the people from the B Ark. I wonder if they've decided what colour it should be yet?
I refuse to engage in a battle of wits with an unarmed opponent [wikipedia.org].
(Score: 0) by Anonymous Coward on Tuesday July 04 2017, @07:06PM (1 child)
The poor sanitary practices are reminiscent of those who stayed behind.
(Score: 0) by Anonymous Coward on Wednesday July 05 2017, @01:43PM
Are you suggesting a lush poopoo brown?
(Score: 2) by kaszz on Tuesday July 04 2017, @02:55AM
Worse than incompetence which usually can be cured with education. This is as another one put it cognitive inability and which explains why experience hasn't cured this. This instance of carbon based life form is defect and needs urgent removal from influencing important operations.
(Score: 2, Funny) by khallow on Tuesday July 04 2017, @03:44AM (5 children)
(Score: 2) by mcgrew on Tuesday July 04 2017, @05:31PM (4 children)
Original source of that quote: me. Glad to see it being used!
mcgrewbooks.com mcgrew.info nooze.org
(Score: 1) by khallow on Wednesday July 05 2017, @04:36AM (3 children)
(Score: 2) by mcgrew on Wednesday July 05 2017, @02:48PM (2 children)
That was shortly after I said it, and yes, it was on slashdot. I call it "mcgrew's razor" although I should probably misspell "mcgrew", because Hanlon's Razor is allegedly from a Robert Heinlein story.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 1) by khallow on Friday July 07 2017, @03:40AM (1 child)
(Score: 2) by mcgrew on Friday July 07 2017, @03:53PM
Yes, that's certainly possible.
mcgrewbooks.com mcgrew.info nooze.org
(Score: 2) by Runaway1956 on Tuesday July 04 2017, @07:00AM
+4 insightful already, and I'll add one to it. Defaulting to root is about as stupid as stupid gets, FFS.
(Score: 0) by Anonymous Coward on Tuesday July 04 2017, @07:03AM
This is not a bug, it is a requirement of a certain TLA.
(Score: 5, Insightful) by maxwell demon on Tuesday July 04 2017, @08:14AM (1 child)
Actually, you already get a whole bunch of failures when quoting the complete sentence:
This is wrong in the following ways:
So the whole issue is stacking three terrible decisions on top of each other.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Tuesday July 04 2017, @03:17PM
Came here to say the exact same thing!