The 2017 Pwnie winner for lamest vendor response goes to Lennart Poettering for systemd. According to CSO which has reported on it, the Pwnie winners which were announced a few days ago, the summary for Lennart and systemd reads as follows:
The most spectacular mishandling of a security vulnerability by a vendor ended up winning a Pwnie for Lennart Poettering due to SystemD bugs 5998, 6225, 6214, 5144, 6237. The nomination reads: "Where you are dereferencing null pointers, or writing out of bounds, or not supporting fully qualified domain names, or giving root privileges to any user whose name begins with a number, there's no chance that the CVE number will referenced in either the change log or the commit message. But CVEs aren't really our currency any more, and only the lamest of vendors gets a Pwnie!"
(Score: 1, Disagree) by pvanhoof on Monday July 31 2017, @01:37PM (13 children)
I see it the same way. But the group of people who yell and dramatise and call for the assassination of Poettering have scared all the sensible, reasonable people away. Poettering even acknowledges they made a misjudgement. He just doesn't want CVE's to be used politically (ie. against systemd).
To be honest, I also don't see the "really big serious" security issue here. If you can make unit files, you were root. That means the system was already compromised. It's bad that systemd can't deal with strange input coming from its own configuration files. But no dramaqueen had to be slaughtered for that. So why is everybody yelling and dramatising?
Politics, and anti-systemd hate. That's why. Sensible people are ignoring it since years now. Because of that the dramaqueens are rampant in all debates.
(Score: 0) by Anonymous Coward on Monday July 31 2017, @02:09PM (2 children)
If Poettering would have just been a competent leader and made competent desiccations no drama would be there to exploit. Unfortunately he has a really shitty attitude and therefore deserves the award he got.
If Systemd would have listened to all the blowback people gave it from the beginning and would have constructively taken it into account to improve their code none of this drama and shit flying everywhere would have happened.
Whenever a group of coders do not take a constructive attitude about their code baby ,and what it might not handle perfectly, combined with a spokesperson/head administrator who makes really bad calls when it comes to how to administer bugs you will run into situations were these kind of awards are warranted and deserved.
(Score: 2) by pvanhoof on Monday July 31 2017, @03:04PM (1 child)
Not saying anything about the award. I'm sure Poettering gets the joke. I am referring to the drama people say about Poettering and systemd here. I've actually seen calls to assassinate him. Also on this site.
That's absurd.
(And, may I say, illegal in some countries. As this call for assassination is hatespeech and calling for violence. And no it's not funny or "just a joke")
(Score: 2) by MichaelDavidCrawford on Monday July 31 2017, @08:19PM
I've been arrested for it twice.
Yes I Have No Bananas. [gofundme.com]
(Score: 2) by digitalaudiorock on Monday July 31 2017, @03:00PM (3 children)
So it's somehow not an issue when the end user themselves creates a unit file with user 0day and systemd quietly "sanitizes" the "input"...that is, it ignores the user, and quietly runs as root? Apparently LP agrees with you, and that's the problem. This shows that they put NO thought at all into the ramifications of their error handling. That sort of shit isn't even programming 101, it's just common sense for most of us. The only sane options where were to either a) accept the user if it was a valid user, or b) hard fail and refuse to start the service due to an invalid configuration...NOT to quietly use root.
This is just as stupid as the DNS issue where they were stripping underscores from DNS names because they "shouldn't be there". Again...blindly "sanitizing" the input thus guaranteeing that they were attempting to look up an incorrect name. These people are provably clueless. The scary part is that their basic design concepts from the beginning about about 1000 times worse than their clueless execution.
(Score: 2) by pvanhoof on Monday July 31 2017, @03:16PM (2 children)
Relax. You are throwing a lot of stupid here and about about 1000 worse than clueless this and that. With that communicationstyle, you're not helping yourself making your (probably reasonable) argument.
I'm sure the idea was that a init system cannot make worse choices like not booting the system in case of a misconfiguration. Because then the system is broken beyond repair (since init 1 or init single from GRUB might also no longer work, you'd have to do something like init sh=/bin/sh and mount the FS writable yourself and stuff like that).
Maybe they should indeed in the unit files have something like "This is a boot critical service that should, if the user doesn't exist, fall back to root user". I'm not a systemd developer nor a init expert. But I can certainly imagine that just refusing to start the service can be the wrong choice, too. Because them deleting a user can mean that the system no longer boots.
I wonder what inetd and xinetd do in this situation. Do they fall back to root too?
(Score: 3, Insightful) by sjames on Monday July 31 2017, @04:49PM
So not at all beyond repair then.
Running as root when explicitly told not to is just plain wrong and dangerous. The correct answer is don't run that service at all and move on. Next best (a distant second) would be run as nobody and hope for the best.
(Score: 2) by Gaaark on Tuesday August 01 2017, @02:16PM
Not fully up on this (my memory is failing me.... tired beyond belief), but shouldn't it fall back to root LOGIN instead of root logged in?
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 3, Insightful) by digitalaudiorock on Monday July 31 2017, @03:23PM (4 children)
Anyone with a clue knows it's actually quite the opposite...sensible people have long since ignored the pro-systemd trolls trying portraying everything as "anti-systemd hate"...you know...sort of like you are now.
(Score: 2) by pvanhoof on Monday July 31 2017, @03:53PM (3 children)
Sure. If you think that. Meanwhile I'll followup on who is actually writing code here.
(Score: 2) by digitalaudiorock on Monday July 31 2017, @04:11PM
What's that supposed to mean? You know nothing about me. I'm the creator / lead developer of an enterprise class piece of software running in hundreds of data centers around the world at companies you've definitely heard of. How about you quit trolling the thread and go fuck yourself.
(Score: 0) by Anonymous Coward on Monday July 31 2017, @09:00PM
Woopty woo we've got a meritocratic person here who thinks that someone in a position of power must obviously have gotten their by their inherent superiority. It is like Trump supporters, he says he's rich so he must be a smart amazing person. Looooooooooooool
Systemd is a cancer, only blind MORONS can't see that. Either your brain is not very good, or you've swallowed some idea about the world being a nice place where people aren't corrupt tools. Either way you're a moron falling for Poettering's bullshit.
Someone said not to debate you, you're just a shill trying to legitimize systemd and make people doubt the nay sayers. Hopefully you're not actually a shill and you can grow beyond your naive viewpoint, but if you are a shill then please evaluate your life choices. They are not good.
(Score: 0) by Anonymous Coward on Wednesday August 16 2017, @07:02PM
So what works best, 10000 lines of dumb code, or 1 line of thoughtful code?
(Score: 4, Informative) by kaszz on Monday July 31 2017, @04:41PM
Just get this:
* systemd is shit. And lack input validation like sane software.
* Poettering is arrogant and incompetent. And if he is competent, he surely doesn't show it where it counts.
* RedHat is Poetterings master.
* Poettering and RedHat should be made to suffer the cost they try to externalize, not be assassinated.
* CVE is about security problems. systemd is a security problem. So is the author of it and the company the author works for.
* Security is a serious issue these days. So any move to compromise it by design will have their personal flame festival.