SoylentNews

Linux systemd Gives Root Privileges to Invalid Usernames

posted by Fnord666 on Monday July 03 2017, @10:12PM   
from the it's-a-feature dept.

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

A bug in Linux's systemd init system causes root permissions to be given to services associated with invalid usernames, and while this could pose a security risk, exploitation is not an easy task.

A developer who uses the online moniker "mapleray" last week discovered a problem related to systemd unit files, the configuration files used to describe resources and their behavior. Mapleray noticed that a systemd unit file containing an invalid username – one that starts with a digit (e.g. "0day") – will initiate the targeted process with root privileges instead of regular user privileges.

Systemd is designed not to allow usernames that start with a numeric character, but Red Hat, CentOS and other Linux distributions do allow such usernames.

"It's systemd's parsing of the User= parameter that determines the naming doesn't follow a set of conventions, and decides to fall back to its default value, root," explained developer Mattias Geniar.

While this sounds like it could be leveraged to obtain root privileges on any Linux installation using systemd, exploiting the bug in an attack is not an easy task. Geniar pointed out that the attacker needs root privileges in the first place to edit the systemd unit file and use it.

[...] Systemd developers have classified this issue as "not-a-bug" and they apparently don't plan on fixing it. Linux users are divided on the matter – some believe this is a vulnerability that could pose a serious security risk, while others agree that a fix is not necessary.

See, this is why we can't have nice init systems.

Source: http://www.securityweek.com/linux-systemd-gives-root-privileges-invalid-usernames

---

Original Submission

• Re:It's the politics, stupid (a bit meta) (Score: 4, Informative) by digitalaudiorock on Tuesday July 04 2017, @02:39PM

  by digitalaudiorock (688) on Tuesday July 04 2017, @02:39PM (#534802) Journal

  They're not wrong though, and as someone who *does* do admin stuff (though nothing that involves fucking around with unit files or shell scripts), I can tell you I *really* do not like the systemd way. It almost feels like Powershell, which I hate with all my heart, and it has the same corporate "not for you to know, skeptic!" attitude to it as Windows, almost.

  I'd say it's way more than almost, from the binary logs to the whole "nothing simple can ever be good" mindset it seems indistinguishable from the Windows approach to everything. Check out this [dns-oarc.net] regarding how systemd-resolved handles DNS queries:

  The process turns a request for binary DNS data into into XML, feeds it into the sytemd/dus ecosystem, which turns it into binary DNS to send it to the forwarder. The binary DNS answer then gets turned into XML goes through systemd/dbus, then is turned back into binary DNS to feed back into glibc. Apart from errors in this process, like last year's CVE on cache poisoning attacks, this means the systemd people need to very actively maintain their code whenever a new feature or RRTYPE is added to the DNS protocol. Maintenance and bugfixes is not systemd's strong point. This itecture is overly complex and unneccessary.

  How do they not see the potential to send your computer back to like 1990 due to slow DNS response? No reason to be concerned with, you know writing things that "work" "well". There seems to be an actual disdane for the simple an elegant frankly.

  Parent

  Starting Score:	1		point
  Moderation		+2
  Interesting=1, Informative=1, Total=2
  Extra 'Informative' Modifier		0
  Karma-Bonus Modifier		+1
  Total Score:		4