Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Monday July 03 2017, @10:12PM   Printer-friendly
from the it's-a-feature dept.

Submitted via IRC for TheMightyBuzzard

A bug in Linux's systemd init system causes root permissions to be given to services associated with invalid usernames, and while this could pose a security risk, exploitation is not an easy task.

A developer who uses the online moniker "mapleray" last week discovered a problem related to systemd unit files, the configuration files used to describe resources and their behavior. Mapleray noticed that a systemd unit file containing an invalid username – one that starts with a digit (e.g. "0day") – will initiate the targeted process with root privileges instead of regular user privileges.

Systemd is designed not to allow usernames that start with a numeric character, but Red Hat, CentOS and other Linux distributions do allow such usernames.

"It's systemd's parsing of the User= parameter that determines the naming doesn't follow a set of conventions, and decides to fall back to its default value, root," explained developer Mattias Geniar.

While this sounds like it could be leveraged to obtain root privileges on any Linux installation using systemd, exploiting the bug in an attack is not an easy task. Geniar pointed out that the attacker needs root privileges in the first place to edit the systemd unit file and use it.

[...] Systemd developers have classified this issue as "not-a-bug" and they apparently don't plan on fixing it. Linux users are divided on the matter – some believe this is a vulnerability that could pose a serious security risk, while others agree that a fix is not necessary.

See, this is why we can't have nice init systems.

Source: http://www.securityweek.com/linux-systemd-gives-root-privileges-invalid-usernames


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by Justin Case on Monday July 03 2017, @10:33PM (19 children)

    by Justin Case (4239) on Monday July 03 2017, @10:33PM (#534595) Journal

    "default value, root" pretty much explains everything that is defective in the brains of those behind systemd. Maybe it is not an easily exploitable bug (for now). But it is a cognitive bug that can only be fixed by replacing the people who think this is OK. Or, you know, by ignoring them and letting them spiral down to their own doom without me along for the ride.

    I recently tried Devuan 1.0 on my laptop. Aside from some minor installation bumps (similar to what others have reported) it is wonderful. Familiar and powerful Debian without the crap. I plan to convert my entire network when I can.

    Starting Score:    1  point
    Moderation   +4  
       Insightful=3, Interesting=1, Total=4
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   5  
  • (Score: 0) by Anonymous Coward on Monday July 03 2017, @11:18PM

    by Anonymous Coward on Monday July 03 2017, @11:18PM (#534604)

    What do you mean? If you are devious and screw up a lot you gain power and privilege. That is exactly how the world works!

  • (Score: 5, Insightful) by fido_dogstoyevsky on Monday July 03 2017, @11:57PM (12 children)

    by fido_dogstoyevsky (131) <axehandleNO@SPAMgmail.com> on Monday July 03 2017, @11:57PM (#534615)

    "default value, root" pretty much explains everything that is defective in the brains of those behind systemd

    It only explains half that is defective. My son keeps telling me "don't ascribe to malice anything easily explained as incompetence" and "default value, root" is incompetence. As opposed to "make it big, all devouring and a moving target so that it's almost impossible to just replace", which is malice.

    I'm glad to see Devuan succeeding since Debian (Potato) was one of the first distros I tried.

    --
    It's NOT a conspiracy... it's a plot.
    • (Score: 5, Insightful) by vux984 on Tuesday July 04 2017, @12:56AM (4 children)

      by vux984 (5045) on Tuesday July 04 2017, @12:56AM (#534624)

      "don't ascribe to malice anything easily explained as incompetence" and "default value, root" is incompetence.

      default value, root is incompetence.
      marking it 'not-a-bug WONTFIX' after the issue is raised however... that rises beyond incompetence.

      • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @07:09AM

        by Anonymous Coward on Tuesday July 04 2017, @07:09AM (#534705)

        Whenever I've taken the time to report a problem with any open-source project, it gets ignored and then closed without any action taken. So this "wont-fix" is just the default, not necessarily anything to do with this specific bug.

      • (Score: 2) by turgid on Tuesday July 04 2017, @10:12AM (2 children)

        by turgid (4318) Subscriber Badge on Tuesday July 04 2017, @10:12AM (#534749) Journal

        Perhaps systemd is written by the people from the B Ark. I wonder if they've decided what colour it should be yet?

        • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @07:06PM (1 child)

          by Anonymous Coward on Tuesday July 04 2017, @07:06PM (#534893)

          The poor sanitary practices are reminiscent of those who stayed behind.

          • (Score: 0) by Anonymous Coward on Wednesday July 05 2017, @01:43PM

            by Anonymous Coward on Wednesday July 05 2017, @01:43PM (#535167)

            Are you suggesting a lush poopoo brown?

    • (Score: 2) by kaszz on Tuesday July 04 2017, @02:55AM

      by kaszz (4211) on Tuesday July 04 2017, @02:55AM (#534656) Journal

      Worse than incompetence which usually can be cured with education. This is as another one put it cognitive inability and which explains why experience hasn't cured this. This instance of carbon based life form is defect and needs urgent removal from influencing important operations.

    • (Score: 2, Funny) by khallow on Tuesday July 04 2017, @03:44AM (5 children)

      by khallow (3766) Subscriber Badge on Tuesday July 04 2017, @03:44AM (#534674) Journal
      Don't ascribe to incompetence that which can be explained by self-interest.
      • (Score: 2) by mcgrew on Tuesday July 04 2017, @05:31PM (4 children)

        by mcgrew (701) <publish@mcgrewbooks.com> on Tuesday July 04 2017, @05:31PM (#534848) Homepage Journal

        Original source of that quote: me. Glad to see it being used!

        --
        Free Martian whores! [mcgrewbooks.com]
        • (Score: 1) by khallow on Wednesday July 05 2017, @04:36AM (3 children)

          by khallow (3766) Subscriber Badge on Wednesday July 05 2017, @04:36AM (#535055) Journal
          I heard the saying from Baldrson [slashdot.org] (of Slashdot fame) around 2001-2003 when I roomed with him. We were trying out some cell automata-based prisoners' dilemma games at the time (bottom line: the more mobile the automata, the more advantage that defection has over cooperation). I gather it's likely an independent coining of the term.
          • (Score: 2) by mcgrew on Wednesday July 05 2017, @02:48PM (2 children)

            by mcgrew (701) <publish@mcgrewbooks.com> on Wednesday July 05 2017, @02:48PM (#535206) Homepage Journal

            That was shortly after I said it, and yes, it was on slashdot. I call it "mcgrew's razor" although I should probably misspell "mcgrew", because Hanlon's Razor is allegedly from a Robert Heinlein story.

            --
            Free Martian whores! [mcgrewbooks.com]
            • (Score: 1) by khallow on Friday July 07 2017, @03:40AM (1 child)

              by khallow (3766) Subscriber Badge on Friday July 07 2017, @03:40AM (#535993) Journal
              Then he may well have heard it from you. My take is that he has been obsessed with these ideas since the late 70s or early 80s, and has read a fair bit of Heinlein in his youth. So I can't rule out an independent coining of the term.
  • (Score: 2) by Runaway1956 on Tuesday July 04 2017, @07:00AM

    by Runaway1956 (2926) Subscriber Badge on Tuesday July 04 2017, @07:00AM (#534701) Homepage Journal

    +4 insightful already, and I'll add one to it. Defaulting to root is about as stupid as stupid gets, FFS.

    --
    "no more than 8 bullets in a round" - Joe Biden
  • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @07:03AM

    by Anonymous Coward on Tuesday July 04 2017, @07:03AM (#534703)

    This is not a bug, it is a requirement of a certain TLA.

  • (Score: 5, Insightful) by maxwell demon on Tuesday July 04 2017, @08:14AM (1 child)

    by maxwell demon (1608) Subscriber Badge on Tuesday July 04 2017, @08:14AM (#534724) Journal

    Actually, you already get a whole bunch of failures when quoting the complete sentence:

    It's systemd's parsing of the User= parameter that determines the naming doesn't follow a set of conventions, and decides to fall back to its default value, root

    This is wrong in the following ways:

    1. First, it is wrong to enforce a set of conventions for user names here. If the user name is possible, the parser should look it up, without second-guessing whether it is valid. If it is invalid, the lookup will return no user.
    2. Second, even when deciding to disallow certain user names, it is wrong to just assume a default user if the user name is found to be invalid. Instead it should be a hard error.
    3. And third, even when you decide to disallow certain user names, and use a default user for user names that don'tfollow that convention, you don't use root as default. Instead, you use the least powerful user possible.

    So the whole issue is stacking three terrible decisions on top of each other.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 0) by Anonymous Coward on Tuesday July 04 2017, @03:17PM

      by Anonymous Coward on Tuesday July 04 2017, @03:17PM (#534808)

      Came here to say the exact same thing!