[systemd-devel] Github systemd issue 6237

Reindl Harald h.reindl at thelounge.net
Sat Jul 8 02:43:22 UTC 2017



On 07.07.2017 at 21:55, Kai Krakow wrote:
> On Tue, 4 Jul 2017 21:23:01 +0000 (UTC),
> Alexander Bisogiannis <alexixor at gmail.com> wrote:
> 
>> On Tue, 04 Jul 2017 17:21:01 +0000, Zbigniew Jędrzejewski-Szmek wrote:
>>
>>> If you need root permissions to create a unit, then it's not a
>>> security issue. An annoyance at most.
>>
>> The fact that you need to be root to create a unit file is irrelevant.
>>
>> Systemd is running a service as a different user to what is defined
>> in the unit file.
>> This is a bug and a local security issue, especially because it will
>> run said service as root.
>>
>> It might not warrant a CVE, although in my line of work this is
>> considered a security issue, but it is a bug and needs fixing.
>>
>> The fix is to refuse to run the service, period.
> 
> There's nothing to fix because it already works that way: If you give
> it a valid user name that does not exist, the system refuses to start
> the unit with "user not found"

and if you give an invalid username it has to do the same - PERIOD

systemd is directly after the kernel the most important and lowest level 
stuff on a setup and hence can't be handled like some random stuff

