A bug in Linux's systemd init system causes root permissions to be given to services associated with invalid usernames, and while this could pose a security risk, exploitation is not an easy task.
A developer who uses the online moniker "mapleray" last week discovered a problem related to systemd unit files, the configuration files used to describe resources and their behavior. Mapleray noticed that a systemd unit file containing an invalid username – one that starts with a digit (e.g. "0day") – will initiate the targeted process with root privileges instead of regular user privileges.
Systemd is designed not to allow usernames that start with a numeric character, but Red Hat, CentOS and other Linux distributions do allow such usernames.
"It's systemd's parsing of the User= parameter that determines the naming doesn't follow a set of conventions, and decides to fall back to its default value, root," explained developer Mattias Geniar.
While this sounds like it could be leveraged to obtain root privileges on any Linux installation using systemd, exploiting the bug in an attack is not an easy task. Geniar pointed out that the attacker needs root privileges in the first place to edit the systemd unit file and use it.
[...] Systemd developers have classified this issue as "not-a-bug" and they apparently don't plan on fixing it. Linux users are divided on the matter – some believe this is a vulnerability that could pose a serious security risk, while others agree that a fix is not necessary.
See, this is why we can't have nice init systems.
Source: http://www.securityweek.com/linux-systemd-gives-root-privileges-invalid-usernames
Cut as much of it out of your life as possible.
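An audit for the condition the story describes, added here as an example (it is not code from the article, systemd, or any commenter): it reads the `[Service]` section of a unit file and flags a `User=` value that begins with a digit but is not a plain numeric UID. The function names and the sample unit are constructed for illustration, and drop-in overrides are assumed to be out of scope.

```python
# Constructed sample unit file (not from the article); "0day" is the article's example name.
SAMPLE_UNIT = """\
[Unit]
Description=Constructed demo service

[Service]
; comment lines start with '#' or ';'
User=0day
ExecStart=/usr/bin/id
"""

def service_user(unit_text):
    """Return the last User= value assigned in [Service], or None if absent."""
    section, user = None, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and section == "Service" and key.strip() == "User":
            user = value.strip() or None  # empty value treated as unset (assumption)
    return user

def classify(user):
    """Label a User= value using only the rule the article describes."""
    if user is None:
        return "unset"               # no User=: a system service runs as root
    if user.isdigit():
        return "numeric-uid"         # all digits: a UID, not a name
    if user[0].isdigit():
        return "digit-leading-name"  # e.g. "0day": the case reported to start as root
    return "ok"

def audit(units):
    """units maps unit name -> file text; return {name: value} needing review."""
    findings = {}
    for name, text in units.items():
        user = service_user(text)
        if classify(user) == "digit-leading-name":
            findings[name] = user
    return findings

if __name__ == "__main__":
    print(audit({"demo.service": SAMPLE_UNIT,
                 "web.service": "[Service]\nUser=www-data\n"}))
```

To check a real host, build the `units` mapping from the unit files on disk and compare any finding against the UID the running process actually has.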
(Score: 0) by Anonymous Coward on Monday July 03, @10:20PM (1 child)
So how does this affect Tor [client only] users?
(Score: 0) by Anonymous Coward on Monday July 03, @10:45PM
You should only use Tor on Win10 then.
(Score: 2) by requerdanos on Monday July 03, @10:33PM
If you have to already have root to potentially later get root, there are much easier ways to do it than this. A single suid binary, for example.
(Score: 2) by Justin Case on Monday July 03, @10:33PM
"default value, root" pretty much explains everything that is defective in the brains of those behind systemd. Maybe it is not an easily exploitable bug (for now). But it is a cognitive bug that can only be fixed by replacing the people who think this is OK. Or, you know, by ignoring them and letting them spiral down to their own doom without me along for the ride.
I recently tried Devuan 1.0 on my laptop. Aside from some minor installation bumps (similar to what others have reported) it is wonderful. Familiar and powerful Debian without the crap. I plan to convert my entire network when I can.
Gentle reminder for those in advertising, marketing, sales, tracking, targeting etc.: it's time to set yourself on fire.
(Score: 2) by mendax on Monday July 03, @10:44PM (1 child)
It is a common practice that bugs that are of little risk never get fixed. No one ever said that good software has to be perfect. Now, of course, I'm not passing judgment on the value or quality of systemd. Leave me out of that nonsense!!!
It's really quite a simple choice: Life, Death, or Los Angeles.
(Score: 2) by Nerdfest on Monday July 03, @11:00PM
Part of the interest in this one is that Poettering was being his usual douchey self again on GitHub.
