Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
The Politics of systemd Part 3
View unanswered posts
View posts from last 24 hours

Goto page 1, 2, 3 ... 10, 11, 12  Next  
Reply to topic    Gentoo Forums Forum Index Gentoo Chat
View previous topic :: View next topic  
Author Message
Naib
Watchman
Watchman


Joined: 21 May 2004
Posts: 5079
Location: Removed by Neddy

PostPosted: Wed Jun 28, 2017 12:09 pm    Post subject: Reply with quote

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9445


Quote:
In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that's too small. A malicious DNS server can exploit this via a response with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that's too small, and subsequently write arbitrary data beyond the end of it.

_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 39298
Location: 56N 3W

PostPosted: Wed Jun 28, 2017 1:11 pm    Post subject: Reply with quote

Continued from The Politics of systemd Part 2

The thread has been quiet for a few weeks so looks like a good place for a split
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 5969

PostPosted: Wed Jun 28, 2017 2:18 pm    Post subject: Reply with quote

NeddySeagoon wrote:
The thread has been quiet for a few weeks so looks like a good place for a split

yep, but starting new one with a CVE is evil :)
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 9576
Location: Somewhere over Atlanta, Georgia

PostPosted: Wed Jun 28, 2017 2:33 pm    Post subject: Reply with quote

What? That's crazy talk. All other software is well known to be bug free!

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
gwr
Apprentice
Apprentice


Joined: 19 Nov 2014
Posts: 194

PostPosted: Wed Jun 28, 2017 6:04 pm    Post subject: Reply with quote

I will leave this right here...

Quote:
The process turns a request for binary DNS data into into XML, feeds it
into the sytemd/dus ecosystem, which turns it into binary DNS to send
it to the forwarder. The binary DNS answer then gets turned into XML
goes through systemd/dbus, then is turned back into binary DNS to feed
back into glibc. Apart from errors in this process, like last year's
CVE on cache poisoning attacks, this means the systemd people need to
very actively maintain their code whenever a new feature or RRTYPE is
added to the DNS protocol. Maintenance and bugfixes is not systemd's
strong point. This architecture is overly complex and unneccessary.


https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html
Back to top
View user's profile Send private message
rob_dot_p
n00b
n00b


Joined: 28 Jan 2017
Posts: 30

PostPosted: Wed Jun 28, 2017 7:54 pm    Post subject: Reply with quote

Just copy+paste the entire mail here, it's worth reading. Sounds like a total disaster.

________________________________________________________________
systemd-resolved requires a forwarder. It is not a full DNS recursive
server. So source port randomization is pretty useless as you are most
likely just doing DNS on the local network.

Also, "improve resilience against cache poisoning" is quite the weasel
wording. Especially since it trusts faster answers over slower ones over
different interfaces. The design is still horribly broken.

At devconf, the systemd people described the system to us. Things might
have changed since then and we should verify that. With that, let me
mention what I remember:

- It uses nsswitch to basically take over gethostbyname*() and
getaddrinfo(). This means any software using a DNS library like ldns,
unbound, bind, knot, etc bypasses this system and gets an inconsistent
DNS view from the rest of the system. It explictely does not support
those kind of applications. Due to its issues below, this is a problem
for applications insisting on DNSSEC answers (eg postfix). It does not
supply a "local DNS server" that those dns libraries could use to get
a consistent view.

- it fudges with /etc/resolv.conf, but it does not provide a DNS server.
So it cannot put 127.0.0.1 in resolv.conf. This means ANY application
using /etc/resolv.conf that does not use glibc is going to go around
systemd-resolvd. Yet systemd-resolvd messes with resolv.conf.

- The process turns a request for binary DNS data into into XML, feeds it
into the sytemd/dus ecosystem, which turns it into binary DNS to send
it to the forwarder. The binary DNS answer then gets turned into XML
goes through systemd/dbus, then is turned back into binary DNS to feed
back into glibc. Apart from errors in this process, like last year's
CVE on cache poisoning attacks, this means the systemd people need to
very actively maintain their code whenever a new feature or RRTYPE is
added to the DNS protocol. Maintenance and bugfixes is not systemd's
strong point. This architecture is overly complex and unneccessary.

- It won't work well with applications that have their own DNS code
itside. Such as browsers. This becomes worse when you think about
browsers supporting draft-shore-tls-dnssec-chain-extension.

- It is yet another program/daemon that runs races with other software
in controlling /etc/resolv.conf. Eg VPN software adding nameservers.

- There is no option to become a full recursive DNS server. It depends
on a forwarder being obtained via DHCP. This means any broken
forwarder leads to a broken setup. eg an upstream that strips DNSSEC.

- It accepts DNS forwarders for all its interfaces. That means if you
are on wifi and 3g, or ethernet and wifi, you have more than one
DNS server from logically different networks. With no way of
guaranteeing which logical network you asking.

- It sends out a DNS queries over all its obtained DNS servers all the
time. This means DNS queries for split-DNS view resources leak all
over the internet.

- It accepts the first valid answer. This could be an unsigned answer.
This means a local attacker (eg wifi hotspot) has an advantage over
the actual real DNS forwarders.

- It prefers an answer over an NXDOMAIN as workaround for the above.
So if some A record does not exist, the NXDOMAIN is ignored in
favour of a forged, or rogue wildcard type, answer.

- It does not implement RFC-5011 properly. It might remove trusted keys
upon seeing the revoke bit instead of waiting the time period
specified in RFC-5011.

- I believe it does not support DNS-over-TLS

- I _believe_ it does not support network changes that requre a cache
flush, for instance a VPN network with an internal *.corp.company.com
whose entries need to be removed from the cache when the network is
lost.

- I _believe_ it does not handle trust anchors linked to DNS nameserver
IP addreses. Needed for DHCP servers relaying multiple domain names
for resolving and VPN situations like draft-pauly-ipsecme-split-dns-01

- I _believe_ it will not able to reconfigure forwarders on the fly.


I was told it was not a caching dns server. But that seems to be the
case now. Which in a way makes things worse, because hotspots could then
keep long lived forged records in my cache? Unless they flush all the
cache on any network interface change, which in itself would cause me
to leave my fingerprints all over the internet for pervasive monotiring
attacks.
__________________________________________________________________________
Back to top
View user's profile Send private message
Zucca
l33t
l33t


Joined: 14 Jun 2007
Posts: 957
Location: KUUSANKOSKI, Finland

PostPosted: Wed Jun 28, 2017 10:10 pm    Post subject: Reply with quote

gwr wrote:
I will leave this right here...

Quote:
The process turns a request for binary DNS data into into XML, feeds it
into the sytemd/dus ecosystem, which turns it into binary DNS to send
it to the forwarder. The binary DNS answer then gets turned into XML
goes through systemd/dbus, then is turned back into binary DNS to feed
back into glibc. Apart from errors in this process, like last year's
CVE on cache poisoning attacks, this means the systemd people need to
very actively maintain their code whenever a new feature or RRTYPE is
added to the DNS protocol. Maintenance and bugfixes is not systemd's
strong point. This architecture is overly complex and unneccessary.
It's like compressing base64 -encoded compressed file.
My mind is melting...
_________________
..: Zucca :..
This space is not for rent.
Back to top
View user's profile Send private message
tld
Veteran
Veteran


Joined: 09 Dec 2003
Posts: 1222

PostPosted: Thu Jun 29, 2017 12:31 am    Post subject: Reply with quote

Zucca wrote:
It's like compressing base64 -encoded compressed file.
My mind is melting...
I almost would have thought someone literally made up that little blurb as a parody. There are no words. I'm I reading that right, that there's XML parsing parsing overhead involved not once, but twice for every DNS query? Do they actually care about...OH I don't know...how "well" anything works?

EDIT: Just read the whole thing...for God's sake...guess that answers my question. Those folks are the kings of the "how difficult could it be?" mindset.

Tom
Back to top
View user's profile Send private message
ct85711
Veteran
Veteran


Joined: 27 Sep 2005
Posts: 1397

PostPosted: Thu Jun 29, 2017 5:13 am    Post subject: Reply with quote

The fun of it is, the systemd devs are going to complain that its too slow, so for another reason to put systemd in the kernel. All to make up for their inefficient code...
Back to top
View user's profile Send private message
steveL
Advocate
Advocate


Joined: 13 Sep 2006
Posts: 4816
Location: The Peanut Gallery

PostPosted: Thu Jun 29, 2017 6:49 am    Post subject: Reply with quote

ct85711 wrote:
The fun of it is, the systemd devs are going to complain that its too slow, so for another reason to put systemd in the kernel.
LOL.
I found this telling:
Paul Wouters wrote:
[That] in general was my problem when I met the systemd people to talk about this. My use cases were simply ignored as not relevant.
That sounds familiar.
Back to top
View user's profile Send private message
Dominique_71
Veteran
Veteran


Joined: 17 Aug 2005
Posts: 1589
Location: Switzerland (Romandie)

PostPosted: Thu Jun 29, 2017 11:50 am    Post subject: Reply with quote

rob_dot_p wrote:
Just copy+paste the entire mail here, it's worth reading. Sounds like a total disaster.
...
- It won't work well with applications that have their own DNS code
itside. Such as browsers. This becomes worse when you think about
browsers supporting draft-shore-tls-dnssec-chain-extension.


So the next step will be to integrate an internet explorer clone into systemd :lol:
_________________
[[[ To any NSA and FBI agents reading that text: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
Back to top
View user's profile Send private message
Dominique_71
Veteran
Veteran


Joined: 17 Aug 2005
Posts: 1589
Location: Switzerland (Romandie)

PostPosted: Thu Jun 29, 2017 11:53 am    Post subject: Reply with quote

steveL wrote:
ct85711 wrote:
The fun of it is, the systemd devs are going to complain that its too slow, so for another reason to put systemd in the kernel.
LOL.
I found this telling:
Paul Wouters wrote:
[That] in general was my problem when I met the systemd people to talk about this. My use cases were simply ignored as not relevant.
That sounds familiar.


It remain me about old stories of audio desktop users being qualified as desktop haters. So the only thing these guys learned under all that time was to polite there language!
_________________
[[[ To any NSA and FBI agents reading that text: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
Back to top
View user's profile Send private message
proteusx
Apprentice
Apprentice


Joined: 21 Jan 2008
Posts: 150

PostPosted: Thu Jun 29, 2017 12:17 pm    Post subject: Reply with quote

Criticizing (((systemd))) is hate speech.
Back to top
View user's profile Send private message
gwr
Apprentice
Apprentice


Joined: 19 Nov 2014
Posts: 194

PostPosted: Thu Jun 29, 2017 1:34 pm    Post subject: Reply with quote

proteusx wrote:
Criticizing (((systemd))) is hate speech.


Yes, it is. I am speaking about how much I hate it.
Back to top
View user's profile Send private message
depontius
Advocate
Advocate


Joined: 05 May 2004
Posts: 3250

PostPosted: Thu Jun 29, 2017 3:47 pm    Post subject: Reply with quote

steveL wrote:
ct85711 wrote:
The fun of it is, the systemd devs are going to complain that its too slow, so for another reason to put systemd in the kernel.
LOL.
I found this telling:
Paul Wouters wrote:
[That] in general was my problem when I met the systemd people to talk about this. My use cases were simply ignored as not relevant.
That sounds familiar.


NOTABUG WONTFIX, no doubt.

Either that or their solution will be "dbus-over-IP" and quit using port 53 for DNS queries - for starters.
(Sometimes it's fun to come up with the stupidest idea possible in a given setting, to either see who salutes it or to predict the actions of (insert noun here).
_________________
.sigs waste space and bandwidth
Back to top
View user's profile Send private message
rob_dot_p
n00b
n00b


Joined: 28 Jan 2017
Posts: 30

PostPosted: Thu Jun 29, 2017 6:39 pm    Post subject: Reply with quote

The last week or so Lennart showed up at Reddit a couple of times and defended his projects.
Yesterday after someone shared the vulnerability, he went on a rant about how much systemd cares about security and how well they're actually doing in that area.
He disappeared again after somebody asked why systemd devs silently fix vulnerabilities.
If somebody is interested in what he has to say:

Quote:
So, here's how I would "spin this turd" if I was "Pottering".
I'd probably say, yeah, software has bugs! systemd has, the Linux kernel has, and so does Apache or NGINX. It's how things are, and if you do software you should know that.
Which hence raises the question: does systemd have more bugs per sloc than other software? I don't have numbers, but I am pretty sure we are actually pretty OK on that front, probably better than most other projects, simply because there are plenty eyeballs watching what we do, we do have a pretty tightly controlled commit regime, with reviews and CI and stuff (not saying we couldn't do better, but I am pretty sure we are probably better than average on this front, when it comes to Open Source software). But anyway, I'd be quite curious to see some stats of let's say CVEs per time and per slocs, not aware of any though. (And yeah, CVEs aren't a great metric, but I figure they are still better than nothing.)
And then, I'd probably point you to the fact that systemd actually does a lot, and really a lot, to systematically reduce the impact of such bugs, to minimize what you can do should you have managed to exploit some system service. systemd these days comes with a ton of sandboxing features, and for the service this CVE is about we make use of a lot of them:
https://github.com/systemd/systemd/blob/master/units/systemd-resolved.service.m4.in
Specifically, resolved runs in a file system sandbox where the host OS tree is mounted read-only in almost its entirety. The /dev it sees is unpopulated except for /dev/urandom, /dev/zero, /dev/null, and a few others, i.e. the UNIX pseudo devices that are API, but don't actually refer to a physical device. The /home directory it sees is entirely empty. It has a private instance of /tmp and /var/tmp. It can't create any kind of socket except AF_INET/AF_INET6, AF_UNIX and AF_NETLINK (for example no AF_PACKET), it runs with a pretty strict system call filter in effect, and a couple of other things. On top of that, what this unit file doesn't show: resolved drops the few remaining privs it has after initialization, then running as the "systemd-resolve" user. And here again, all of this put together is actually substantially more than most other projects implement when it comes to sandboxing their stuff.
Now, all of this is enabled for resolved, but most of it available pretty easily to other services too, it's just a matter of turning them all on (and before you ask, why is this opt-in, and not opt-out — the answer is compatibility: as we add sandboxing features we cannot break existing services).
So are we really that awful and bad? Nope, I don't think so.
And yeah, that's pretty much how I'd spin it, if I was "Pottering". Thankfully though I am not. I am just some guy by the name of "Poettering", who happens to be involved in the project.
Lennart

https://www.reddit.com/r/linux/comments/6jzz1g/ubuntu_security_notice_systemd_vulnerability/djixaui/
Back to top
View user's profile Send private message
zlg
Developer
Developer


Joined: 11 Sep 2012
Posts: 46
Location: United States

PostPosted: Thu Jun 29, 2017 8:21 pm    Post subject: Reply with quote

That's some high quality spinning. I hope he greased the bearings in his chair first. :P
Back to top
View user's profile Send private message
Dominique_71
Veteran
Veteran


Joined: 17 Aug 2005
Posts: 1589
Location: Switzerland (Romandie)

PostPosted: Fri Jun 30, 2017 8:55 am    Post subject: Reply with quote

Before to ask for the number of bugs per sloc, one have to ask if he/she really need the functionality and want the payload provided by that software. As each user case is different, we will get a lot of different answers.
_________________
[[[ To any NSA and FBI agents reading that text: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 39298
Location: 56N 3W

PostPosted: Fri Jun 30, 2017 9:44 am    Post subject: Reply with quote

... payload ...

That sounds like a virus.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
P.Kosunen
Apprentice
Apprentice


Joined: 21 Nov 2005
Posts: 177
Location: Finland

PostPosted: Sat Jul 01, 2017 5:17 pm    Post subject: Reply with quote

NeddySeagoon wrote:
That sounds like a virus.


Quote:
Trojan, is a malicious computer program which is used to hack into a computer by misleading users of its true intent. It works in system’s background and performs harmful actions there. Having it installed on your system means a great security risk for your PC and all the data, which is stored on it.


Sounds like trojan horse to me.
Back to top
View user's profile Send private message
Tony0945
Advocate
Advocate


Joined: 25 Jul 2006
Posts: 2038
Location: Illinois, USA

PostPosted: Sat Jul 01, 2017 5:25 pm    Post subject: Reply with quote

A virus that installs a trojan.
Back to top
View user's profile Send private message
rob_dot_p
n00b
n00b


Joined: 28 Jan 2017
Posts: 30

PostPosted: Sun Jul 02, 2017 1:08 pm    Post subject: Reply with quote

https://github.com/systemd/systemd/issues/6237#issue-239378060

Quote:
Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create it in the first place. Note that not permitting numeric first characters is done on purpose: to avoid ambiguities between numeric UID and textual user names.

systemd will validate all configuration data you drop at it, making it hard to generate invalid configuration. Hence, yes, it's a feature that we don't permit invalid user names, and I'd consider it a limitation of xinetd that it doesn't refuse an invalid username.

So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but still: the username is clearly not valid.

I hope that makes sense?


Quote:
poettering added the not-a-bug label 3 days ago


NOT

A

BUG
Back to top
View user's profile Send private message
R0b0t1
Apprentice
Apprentice


Joined: 05 Jun 2008
Posts: 218

PostPosted: Sun Jul 02, 2017 8:05 pm    Post subject: Reply with quote

rob_dot_p wrote:
https://github.com/systemd/systemd/issues/6237#issue-239378060

Quote:
Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create it in the first place. Note that not permitting numeric first characters is done on purpose: to avoid ambiguities between numeric UID and textual user names.

systemd will validate all configuration data you drop at it, making it hard to generate invalid configuration. Hence, yes, it's a feature that we don't permit invalid user names, and I'd consider it a limitation of xinetd that it doesn't refuse an invalid username.

So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but still: the username is clearly not valid.

I hope that makes sense?


Quote:
poettering added the not-a-bug label 3 days ago


NOT

A

BUG


It's quite unfortunate that discussions on GitHub can be moderated in the ways they can be. The systemd developers seem to be using the moderation to insulate themselves from perfectly valid criticism. If they had to interact with each comment individually I think popular sentiment would be harder to ignore. It seems like most of the comments they claim are by trolls are actually topical.

Most systemd bugs seem to be closed with some explanation of what the bug is, conflating that explanation for a valid justification for the behavior. This one is particularly bad because relying on strtoul's return code for input validation is a particularly sophomoric trick that has no place in any program, and that's ignoring the fact they're making up standards to adhere to as they go along.
Back to top
View user's profile Send private message
helecho
Apprentice
Apprentice


Joined: 26 Dec 2016
Posts: 238

PostPosted: Sun Jul 02, 2017 8:15 pm    Post subject: https://github.com/systemd/systemd/issues/6237#issue-2393780 Reply with quote

It is not a bug. Indeed, the process of verifying the configuration is in line with their expectations:
  • An invalid identifier is ignored;
  • an invalid configuration will be rejected.

In other words, only a (authentic) compliant service is authorized by systemd.

Poettering wrote:
In systemd we generally follow the rule that when we encounter a unit setting that does not validate syntax-wise we'll log about it and ignore it, for compat reasons.

Poettering wrote:
systemd will validate all configuration data you drop at it, making it hard to generate invalid configuration.


In practice, the potential vulnerability would be related to the executed service and not to the configuration file scan.


Last edited by helecho on Sun Jul 02, 2017 8:17 pm; edited 1 time in total
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 11431

PostPosted: Sun Jul 02, 2017 8:17 pm    Post subject: Reply with quote

For the benefit of people who do not follow the link provided by rob_dot_p (or if the thread is later edited, since Github permits that):

A user reported a bug where systemd was given a .service file that specified to run the process as the unprivileged user 0day. Contrary to user expectations, systemd ran the program as root. The systemd maintainer rejected the report as not-a-bug. In my opinion, systemd found the one unacceptable solution out of the possible ways to handle this:
  1. Run the program with an account other than specified in the systemd service file
  2. Run the program as the specified user
  3. Refuse to run the program, citing an error in the configuration.
Option (a) is dangerous if the program is not meant to run with privilege and the user does not notice the problem. Option (b) would be nice, but not strictly required since that is not a well-formed username (according to man useradd). Option (c) would be good because it would force the user to address the issue, either by renaming the account or by running the program as some other user.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Chat All times are GMT
Goto page 1, 2, 3 ... 10, 11, 12  Next
Page 1 of 12

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum