SoylentNews is people
SoylentNews
Whether you're running systemd happily or begrudgingly, it's best if you disable systemd-resolved as your DNS resolver for the time being. Reported today at seclists is a new DNS cache poisoning bug in systemd-resolved.
At its simplest, an attacker triggers a query to a domain he controls via SMTP or SSH-login. Upon receipt of the question, he can just add any answer he wants to have cached to the legit answer he provides for the query, e.g. providing two answer RR's: One for the question asked and one for a question that has never been asked - even if the DNS server is not authoritative for this domain.
Systemd-resolved accepts both answers and caches them. There are no reports as to the affected versions or how widespread the problem may be. Comments over at Hacker News suggests that it might not be widespread, most users would still be running the backported 208-stable while the DNS resolver was committed in 213 and considered fairly complete in 216, but that is if they enabled systemd-resolved in /etc/nsswitch.config.
(Score: 0) by Anonymous Coward on Thursday November 13 2014, @04:16AM
The init system does not have a dns cache. The project includes a totally separate daemon that does dns caching.
(Score: 1, Insightful) by Anonymous Coward on Thursday November 13 2014, @04:29AM
The init system does not have a dns cache. The init system includes a totally separate daemon that does dns caching.
FTFY. Now see how stupid it is? Why is this apparently necessary DNS subsystem not its own project?
Either systemd is an init system, or not. Either way, it's clearly the better half of an OS at this point.
(Score: -1, Troll) by Anonymous Coward on Thursday November 13 2014, @05:09AM
"Either systemd is an init system, or not."
It is not. The project includes an init system, but it is not only an init system. People's inability to grasp this simple concept is staggering.
(Score: 2) by zocalo on Thursday November 13 2014, @11:09AM
There are plenty of reasons to be railing against SystemD, but attempting to create a bundle of essential daemons that only implement the most commonly used functions of those daemons certainly isn't one of them.
UNIX? They're not even circumcised! Savages!
(Score: 3, Insightful) by arashi no garou on Thursday November 13 2014, @12:13PM
The problem isn't that systemd is both an init and a bundle of daemons. It's the trend towards requiring all of systemd (not just the init part, the whole shebang) to have a fully functional OS. If this trend keeps up, there won't be a choice when installing GNU/Linux for other daemons; you'll either install the systemd suite with all of its daemons and pieces, or you won't have a functioning system at all. That's the main reason I won't use it.
(Score: 4, Interesting) by zocalo on Thursday November 13 2014, @01:33PM
Similarly, SystemD's internal interdependancies between its modules are confusing a lot of people about just how modular it is. It's certainly not a monolithic single binary, yet many of the interdependencies between the various daemons are so tight that it might as well be (I can accept that SystemD daemons might require the PID1 component to work, but some of their inter-dependencies are specific to SystemD and don't exist between the daemons they replace). In theory, if SystemD were truly just a bundle of daemons then you would expect to be able to package up many, if not all, of those daemons into their own packages and optionally install either those or an alternative depending on your personal needs and preferences - and any specific application needs. I've not really looked, but I've not heard of a single distro that has even attempted to package SystemD up in a modular manner like this, yet doing so would wipe out a lot of the criticisms people commonly levelled at it. I'm looking particularly hard at Fedora here; SystemD is effectively a Red Hat sponsored project, Fedora is (esssentially) their test bed, and they been busy breaking up other packages into sub-packages in this manner for quite some time now. That SystemD hasn't got that treatment makes me think it might not actually be possible, or the dependencies are such that you are going to need all the modules anyway, neither of which really helps make the case for claims to modularity being much more than word games.
UNIX? They're not even circumcised! Savages!
(Score: 0) by Anonymous Coward on Thursday November 13 2014, @03:35PM
Posting anon as I've already moderated. This to me is the crux of the whole systemd debate; it's an all-or-nothing approach. No Plan B. Not Invented Here syndrome taken to its logical absurd conclusion.
I think the best terms I saw in describing systemd (in comparison to the linux kernel which was also being described as a "monolithic blob" with the implication that it should be considered just as unpalatable as systemd) was the following:
* The linux kernel is a monolithic design, but a modular contrustion
* systemd is a modular design, but a monolithic construction
Point being that all the various components of systemd are so tightly coupled and interwoven that it's practically impossible to separate one from t'other. If I could, I would have absolutely no problem with it (nor with debian implementing it) - if I could install the parallel startup and event-driven initty bits, great, sure I could find a use for them somewhere. I could install the binary logging component whenever I thought my day didn't have enough brain haemmorhages but uninstall it from all my servers. Use the systemd NTP and DHCP gubbins on the client systems I don't really care about but keep crusty-old-ancient-stone-aged-but-works ntpdate and dhcpd on my servers. And so on and so forth. To me, that's the UNIX philosophy - keep things small and tightly focussed so they can be thrown out at the drop of a hat when something better comes along. I don't understand why, on both a technical and philosophical basis, this couldn't have been written in from the start.
But as it is, the construction doesn't seem to allow any of that, it's an all-or-nothing approach that, from my POV as a server admin, answer use cases that are of no interest to me. Does it make life easier for desktop users? Maybe. But I don't really care. All I see are decades of bug fixes being swept under the rug before the dubious vacuum of Progress comes along.
(Score: 0) by Anonymous Coward on Thursday November 13 2014, @09:08PM
Posting anon as I've already moderated
Currently, you can mod -first- then come back afterwards and post to the thread (signed in) without undoing your moderation.
This does NOT work that way on the other site.
-- gewg_
(Score: 0) by Anonymous Coward on Friday November 14 2014, @02:34AM
The funny part is that the same people who complain it is monolithic, then accuse the different modular parts of being the same. And, they don't even realize they're blaming the wrong thing for the wrong thing.
Yeah haters, if it was actually what you accuse it of being, it would obviously suck, and nobody would use it. The good news is, software works the same if you call it names and throw propaganda at it, or not. So none of the evil things can harm you, on account of being imaginary.
However, hatred of imaginary things is real, and is bad for your health. Don't hate. Systemd is one of the new things in the world, and it isn't going away. Don't let "I didn't want to choose that one" blind you from being a competent admin who knows how to use the tool. And for non sysadmins, don't let hatred of parts of the OS you don't even interact influence your view of distros.
(Score: 2) by jbernardo on Friday November 14 2014, @09:20AM
So, "lay back and enjoy", is that your argument to any criticism?