[systemd-devel] Github systemd issue 6237

Kai Krakow hurikhan77 at gmail.com
Fri Jul 7 19:55:28 UTC 2017


Am Tue, 4 Jul 2017 21:23:01 +0000 (UTC)
schrieb Alexander Bisogiannis <alexixor at gmail.com>:

> On Tue, 04 Jul 2017 17:21:01 +0000, Zbigniew Jędrzejewski-Szmek wrote:
> 
> > If you need root permissions to create a unit, then it's not a
> > security issue. An annoyance at most.  
> 
> The fact that you need to be root to create a unit file is irrelevant.
> 
> Systemd is running a service as a different user to what is defined
> in the unit file. 
> This is a bug and a local security issue, especially because it will
> run said service as root.
> 
> It might not warrant a CVE, although in my line of work this is 
> considered a security issue, but it is a bug and needs fixing.
> 
> The fix is to refuse to run the service, period.

There's nothing to fix because it already works that way: If you give
it a valid user name that does not exist, the system refuses to start
the unit with "user not found".

If you give it an invalid user name (leading digits, disallowed
characters), then it complains with a warning and continues to run as
if you specified no user (thus it runs as root).

The bug here is that a leading number will "convert" to the number and
it actually runs with the UID specified that way: 0day = 0, 7days = 7.
But this is not really a security concern as only root can create units
that contain a user - unless you open exploits for that: But then you
have other problems than that.

Conclusion: Not a security issue. If you trick an admin into accepting
unit files without validating the contents, you have other issues
than an issue with systemd.


> Is there any other place I can go to open a bug, or do I need to go
> to the upstream "vendor" Bugzilla?

Maybe open a new issue and suggest that the current "conversion" should
be upgraded from a warning to a fatal error. Give examples of behavior
you get and behavior you expect. Also give counter examples of behavior
that works as you expect. Don't try to troll, after all it's the
developers' forum and it only works if people stay with the facts.
Otherwise it becomes unusable, nobody wants that.

The best way to get it into one of the next releases is to prepare a pull
request that fixes the issue.


-- 
Regards,
Kai

Replies to list-only preferred.
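As an added audit helper (not code from this thread or from systemd itself), the script below encodes the three `User=` outcomes the message describes (valid name looked up, invalid name warned about and run as root, leading digits "converted" to that UID) and flags unit files that would not run as a looked-up account. The name syntax regex and the sample unit files are assumptions constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample unit files (not from the thread), one per case discussed:
# a proper name, two leading-digit names ("0day", "7days"), an invalid name, no User=.
SAMPLE_UNITS: Dict[str, str] = {
    "good.service": "[Unit]\nDescription=fine\n\n[Service]\nUser=nobody\nExecStart=/bin/true\n",
    "zero.service": "[Service]\nUser=0day\nExecStart=/bin/true\n",
    "seven.service": "[Service]\nUser=7days\nExecStart=/bin/true\n",
    "bad.service": "[Service]\nUser=svc:x\nExecStart=/bin/true\n",
    "noroot.service": "[Service]\nExecStart=/bin/true\n",
}

# Approximate user-name syntax (an assumption, not systemd's own validator):
# a leading letter or underscore, then letters, digits, '_' or '-'.
VALID_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")

def user_directive(unit_text: str) -> Optional[str]:
    """Return the value of the first User= in the [Service] section, or None."""
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and line.startswith("User="):
            return line[len("User="):].strip()
    return None

def classify_user(value: Optional[str]) -> Tuple[str, Optional[int]]:
    """Map a User= value to (category, effective UID) following the behaviour
    the message describes: no User= means root; all digits is that UID; a valid
    name is resolved by lookup at start; a leading run of digits is "converted"
    to that number; anything else is warned about and falls through to root."""
    if value is None:
        return ("absent", 0)
    if value.isdigit():
        return ("numeric", int(value))
    if VALID_NAME.match(value):
        return ("name", None)          # existence is checked at start, not here
    m = re.match(r"^(\d+)", value)
    if m:
        return ("leading-digits", int(m.group(1)))
    return ("invalid", 0)

def audit(units: Dict[str, str]) -> List[Tuple[str, Optional[str], Optional[int]]]:
    """Flag units whose User= would not run as a looked-up account."""
    findings = []
    for unit, text in units.items():
        value = user_directive(text)
        kind, uid = classify_user(value)
        if kind in ("leading-digits", "invalid"):
            findings.append((unit, value, uid))
    return findings
```

Running `audit(SAMPLE_UNITS)` reports `zero.service` as UID 0 and `seven.service` as UID 7, the two conversions the message gives as examples, plus `bad.service` falling through to root.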



