Whether you're running systemd happily or begrudgingly, it's best if you disable systemd-resolved as your DNS resolver for the time being. Reported today at seclists is a new DNS cache poisoning bug in systemd-resolved.
At its simplest, an attacker triggers a query to a domain he controls via SMTP or SSH login. Upon receipt of the question, he can just add any answer he wants to have cached to the legit answer he provides for the query, e.g. providing two answer RRs: one for the question asked and one for a question that has never been asked - even if the DNS server is not authoritative for this domain.
Systemd-resolved accepts both answers and caches them. There are no reports as to the affected versions or how widespread the problem may be. Comments over at Hacker News suggest that it might not be widespread, most users would still be running the backported 208-stable while the DNS resolver was committed in 213 and considered fairly complete in 216, but that is if they enabled systemd-resolved in /etc/nsswitch.conf.
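The check a caching resolver is missing here is relevance: an answer RR should only be cached if its owner name is the name that was asked for (or a name reached from it through a CNAME chain in the same response). The following is an added illustration, not systemd-resolved's code; the RR tuple, the filter_answers function and the sample response are constructed for this example, using RFC 5737 documentation addresses and .example names.

```python
"""Relevance filter for the answer section of a DNS response.

Constructed example: a resolver that caches every answer RR it receives,
including ones for names it never asked about, can be poisoned by any
server it queries. filter_answers() keeps only RRs that answer the
question (following CNAMEs present in the same response) and returns the
rest separately so they can be dropped rather than cached."""
from collections import namedtuple

RR = namedtuple("RR", "name rtype rdata")


def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower()


def filter_answers(qname, qtype, answers):
    """Return (accepted, rejected) for the question (qname, qtype)."""
    allowed = {_norm(qname)}
    current = _norm(qname)
    # Chase CNAMEs at most len(answers) times, so a CNAME loop in a
    # malicious response cannot make this spin forever.
    for _ in range(len(answers)):
        nxt = next((_norm(rr.rdata) for rr in answers
                    if rr.rtype == "CNAME" and _norm(rr.name) == current), None)
        if nxt is None or nxt in allowed:
            break
        allowed.add(nxt)
        current = nxt
    accepted = [rr for rr in answers
                if _norm(rr.name) in allowed and rr.rtype in (qtype, "CNAME")]
    rejected = [rr for rr in answers if rr not in accepted]
    return accepted, rejected


# Constructed response in the shape the summary describes: one genuine
# answer for the name that was asked for, plus an A record for a name the
# resolver never queried and the server is not authoritative for.
POISONED_RESPONSE = [
    RR("mail.attacker.example.", "A", "203.0.113.10"),
    RR("www.bank.example.", "A", "203.0.113.66"),
]

if __name__ == "__main__":
    ok, bad = filter_answers("mail.attacker.example", "A", POISONED_RESPONSE)
    print("cache:", ok)
    print("drop :", bad)
```

A real resolver applies the same idea to the authority and additional sections as well, restricting them to the zone the queried server is actually responsible for.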
(Score: 5, Insightful) by novak on Thursday November 13 2014, @03:38AM
Systemd hasn't had that many bugs, for how new it is, so I was prepared to not really bother mocking it for this one... But... Why does your init system have a DNS cache?! No, seriously, Why the FUCK would that ever be a thing? Please stop this monstrosity now.
I don't even know where to start with something like that, it is so wrong.
novak
(Score: 1, Insightful) by Anonymous Coward on Thursday November 13 2014, @03:44AM
Because systemD wants to be like svchost.exe in windows.
(Score: 1, Insightful) by Anonymous Coward on Thursday November 13 2014, @01:23PM
If I wanted Windows, I know where to get it.
(Score: 2, Insightful) by Whoever on Thursday November 13 2014, @03:45AM
FTFY.
Seriously, come back in 5 years and then look at bug statistics.
This is exactly why I am trying to stay away from systemd right now. So much new code, bound to be lots of bugs lurking there.
(Score: 3) by novak on Thursday November 13 2014, @03:54AM
That is a big part of why there are so few bugs. But that's not why I'm staying away. I'm staying away because of the laughable design choices.
This is a good example, a bug in a feature that should not even exist. It's not like systemd has to resolve domain names, there's any amount of other software which already does this. I prefer options, and one of those options is what DNS resolver/cache to run. I don't want RedHat or anyone else inventing the One True Software which has every subsystem tied together through a mystical API that changes whenever they want.
novak
(Score: 3, Insightful) by Anonymous Coward on Thursday November 13 2014, @03:58AM
That's also what makes it totally unsuitable for use in Debian. Debian is all about stability, reliability and security. Systemd just hasn't been proven to be good enough yet. This bug shows that it's way too immature to be part of Debian.
(Score: 0) by Anonymous Coward on Thursday November 13 2014, @04:48AM
"That's also what makes it totally unsuitable for use in Debian. Debian is all about stability, reliability and security. Systemd just hasn't been proven to be good enough yet. This bug shows that it's way too immature to be part of Debian."
But, but, features!
(Score: 0) by Anonymous Coward on Thursday November 13 2014, @07:32AM
And way too immature for RedHat. And SUSE, and ...
(Score: 0) by Anonymous Coward on Thursday November 13 2014, @07:43AM
Debian all about being a social progressive and supporting feminists lesbians and trannies actually. And policing speech. Code of conduct etc.
(Score: 1, Insightful) by Anonymous Coward on Thursday November 13 2014, @01:54PM
trannies
Hey, don't throw us in with the feminists. There are plenty of us who are equally pissed off at them. Probably moreso than you. Feminism is the systemd of gender equality. See the Michigan Womyn's Music Festival and wonderful people like Janice Raymond. Well, maybe Poettering might be worse than Raymond. At least you can ignore her.
Oh, why the hell am I wasting my time. Voting Libertarian? Got 1% or 2% of the vote at best. Waste of time. Arguing with MRAs who are delusional enough to believe that feminists approve of transsexuals or that being a transsexual makes one a socialist or a feminist? Equally a waste of time. Hoping some MRA gets his head out of his ass to see that there are a lot of transsexuals who lean libertarian. Impossible. Get it through your head: TRANSSEXUALS ARE NOT WELCOME IN FEMINIST GROUPS. FEMINISTS REGULARLY ATTACK TRANSSEXUALS. FEMINISTS LOVE "DOX"ing (I guess that's the right word) TRANSSEXUALS IN DEEP STEALTH. *breathes*
Why do you think anti-gamergate went after a group with a very inclusive policy for trans women? It doesn't matter that they used transphobia as a rallying cry. These people are con artists, and they'll say whatever they can to get support. Actions speak louder than words. Feminism continues to be about discrimination against trans women and the systematic privileging of the body part between the legs over the body part between the ears.
Fuck. People like you make me question why I support the Libertarian party.
What the hell is up with Soylent this morning?
--Velex's Ghost
(Score: 0) by Anonymous Coward on Thursday November 13 2014, @09:24PM
It was a flamebait troll comment anyway. Don't take it too serious.
Politically I am a libertarian, but I am sad that so few people seem to actually want liberty.
(Score: 0) by Anonymous Coward on Friday November 14 2014, @02:54AM
"FEMINISTS REGULARLY ATTACK TRANSSEXUALS" says the transsexual attacking feminists. Talk about sectarian conflict. You do realise that feminists have the concept of intersectionality right? That feminists are by a large stripe LBGTQ* allies? That they don't believe that gender has ANYTHING to do with what's between your legs? I can't believe you are complaining about bigotry by being such a bigot.
(Score: 0) by Anonymous Coward on Thursday November 13 2014, @04:16AM
The init system does not have a dns cache. The project includes a totally separate daemon that does dns caching.
(Score: 1, Insightful) by Anonymous Coward on Thursday November 13 2014, @04:29AM
The init system does not have a dns cache. The init system includes a totally separate daemon that does dns caching.
FTFY. Now see how stupid it is? Why is this apparently necessary DNS subsystem not its own project?
Either systemd is an init system, or not. Either way, it's clearly the better half of an OS at this point.
(Score: -1, Troll) by Anonymous Coward on Thursday November 13 2014, @05:09AM
"Either systemd is an init system, or not."
It is not. The project includes an init system, but it is not only an init system. People's inability to grasp this simple concept is staggering.
(Score: 2) by zocalo on Thursday November 13 2014, @11:09AM
There are plenty of reasons to be railing against SystemD, but attempting to create a bundle of essential daemons that only implement the most commonly used functions of those daemons certainly isn't one of them.
UNIX? They're not even circumcised! Savages!
(Score: 3, Insightful) by arashi no garou on Thursday November 13 2014, @12:13PM
The problem isn't that systemd is both an init and a bundle of daemons. It's the trend towards requiring all of systemd (not just the init part, the whole shebang) to have a fully functional OS. If this trend keeps up, there won't be a choice when installing GNU/Linux for other daemons; you'll either install the systemd suite with all of its daemons and pieces, or you won't have a functioning system at all. That's the main reason I won't use it.
(Score: 4, Interesting) by zocalo on Thursday November 13 2014, @01:33PM
Similarly, SystemD's internal interdependencies between its modules are confusing a lot of people about just how modular it is. It's certainly not a monolithic single binary, yet many of the interdependencies between the various daemons are so tight that it might as well be (I can accept that SystemD daemons might require the PID1 component to work, but some of their inter-dependencies are specific to SystemD and don't exist between the daemons they replace). In theory, if SystemD were truly just a bundle of daemons then you would expect to be able to package up many, if not all, of those daemons into their own packages and optionally install either those or an alternative depending on your personal needs and preferences - and any specific application needs. I've not really looked, but I've not heard of a single distro that has even attempted to package SystemD up in a modular manner like this, yet doing so would wipe out a lot of the criticisms people commonly levelled at it. I'm looking particularly hard at Fedora here; SystemD is effectively a Red Hat sponsored project, Fedora is (essentially) their test bed, and they've been busy breaking up other packages into sub-packages in this manner for quite some time now. That SystemD hasn't got that treatment makes me think it might not actually be possible, or the dependencies are such that you are going to need all the modules anyway, neither of which really helps make the case for claims to modularity being much more than word games.
UNIX? They're not even circumcised! Savages!
(Score: 0) by Anonymous Coward on Thursday November 13 2014, @03:35PM
Posting anon as I've already moderated. This to me is the crux of the whole systemd debate; it's an all-or-nothing approach. No Plan B. Not Invented Here syndrome taken to its logical absurd conclusion.
I think the best terms I saw in describing systemd (in comparison to the linux kernel which was also being described as a "monolithic blob" with the implication that it should be considered just as unpalatable as systemd) was the following:
* The linux kernel is a monolithic design, but a modular construction
* systemd is a modular design, but a monolithic construction
Point being that all the various components of systemd are so tightly coupled and interwoven that it's practically impossible to separate one from t'other. If I could, I would have absolutely no problem with it (nor with debian implementing it) - if I could install the parallel startup and event-driven initty bits, great, sure I could find a use for them somewhere. I could install the binary logging component whenever I thought my day didn't have enough brain haemorrhages but uninstall it from all my servers. Use the systemd NTP and DHCP gubbins on the client systems I don't really care about but keep crusty-old-ancient-stone-aged-but-works ntpdate and dhcpd on my servers. And so on and so forth. To me, that's the UNIX philosophy - keep things small and tightly focussed so they can be thrown out at the drop of a hat when something better comes along. I don't understand why, on both a technical and philosophical basis, this couldn't have been written in from the start.
But as it is, the construction doesn't seem to allow any of that, it's an all-or-nothing approach that, from my POV as a server admin, answers use cases that are of no interest to me. Does it make life easier for desktop users? Maybe. But I don't really care. All I see are decades of bug fixes being swept under the rug before the dubious vacuum of Progress comes along.
(Score: 0) by Anonymous Coward on Thursday November 13 2014, @09:08PM
Posting anon as I've already moderated
Currently, you can mod -first- then come back afterwards and post to the thread (signed in) without undoing your moderation.
This does NOT work that way on the other site.
-- gewg_
(Score: 0) by Anonymous Coward on Friday November 14 2014, @02:34AM
The funny part is that the same people who complain it is monolithic, then accuse the different modular parts of being the same. And, they don't even realize they're blaming the wrong thing for the wrong thing.
Yeah haters, if it was actually what you accuse it of being, it would obviously suck, and nobody would use it. The good news is, software works the same if you call it names and throw propaganda at it, or not. So none of the evil things can harm you, on account of being imaginary.
However, hatred of imaginary things is real, and is bad for your health. Don't hate. Systemd is one of the new things in the world, and it isn't going away. Don't let "I didn't want to choose that one" blind you from being a competent admin who knows how to use the tool. And for non sysadmins, don't let hatred of parts of the OS you don't even interact with influence your view of distros.
(Score: 2) by jbernardo on Friday November 14 2014, @09:20AM
So, "lay back and enjoy", is that your argument to any criticism?
(Score: 3, Informative) by LoRdTAW on Thursday November 13 2014, @01:02PM
It's a chicken or the egg problem. As another poster mentioned, they are moving towards a managed service system like Windows svchost. The problem though, is if you make a switch to such a radically different service manager, where do the daemons come from?
And this is why systemd has to reinvent the wheel and reimplement so many services that already exist under linux. In order for there to be a useful systemd they have to write systemd services. Everyone still thinks it is simply trying to be a PID1 and init system, it isn't. It is an entire suite of replacement daemons and one process to rule them all.
A comparison: If you use Windows go to control panel and administrative tools. Then open services. Pretend services is systemd and all the services listed within are systemd-daemons. That is exactly what systemd is and what it wants to become.
Have a look at the opening summary for svchost on wikipedia (https://en.wikipedia.org/wiki/Svchost.exe):
I am not pretending to be an OS expert, but just the opening of the article makes the idea of systemd sound silly.
(Score: 0) by Anonymous Coward on Thursday November 13 2014, @09:15PM
Those who don't understand UNIX^W Linux are doomed to re-invent it--poorly.
-- gewg_
(Score: 2) by LoRdTAW on Friday November 14 2014, @05:25PM
Actually, it should read:
Those who do not understand Windows are condemned to reinvent it, poorly.