Bug#727708: systemd (security) bugs (was: init system question)

[Sergey B Kirpichev]

On Sun, Dec 01, 2013 at 09:50:49PM +, Ian Jackson wrote:
 If we were to adopt systemd as pid 1, which sections of the systemd
 source code would we probably want to adopt as well ?  Or to put it
 another way, which other existing programs would be obsoleted ?

Again, very good question.  And answer to this on the debate page is
very worrying, assuming that security concerns were unresolved yet.
(e.g.: CVE-2012-1101 or CVE-2013-4393 examples in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727708#583)

Personally, as maintainer of the monit package I have objections
against statement:
 Systemd’s service monitoring replaces most uses of daemontools,
 runit, monit, and maybe other similar packages.
This may be correct for daemontools/runit, but not for monit or any
other application-level utility (if failed port 80 protocol http and
request ... then restart) for proactive monitoring (for example,
zabbix has similar functional).

But systemd can cause conflicts (this depends on the adopted
systemd's default configuration) and so, can create hard-to-debug problems here.

Another questionable statement:
 Most of these bugs have been found by the Red Hat Product security
 team conducting an audit of the code as part of its inclusion in
 their enterprise distribution. Therefore, systemd's security record
 cannot reasonably be compared with implementations that didn’t
 undergo similar audits.

Both upstart and sysvinit were part of RHEL.  Please explain
the difference.

PS:
And just a side note.  It's only my own impression,
that there is too many hate/love around systemd?
Personally, during conversation with the systemd's
wiki page maintainer, I was impressed how many prejudments
he can made and how fast (already after the first letter).
This public disscussion is not an exception:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=727708#628

Why nginx author doesn't have any needs to explain why his
software is superior to apache/lighttpd/etc in vast range
of usecases and so on?  And this is not unusual for other
projects.  Why?

If this situation is so specific for systemd, we
should count this as an argument against.  Is there
any similar example from the debian history?


-- 
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/20131203131454.ga6...@darkstar.order.hcn-strela.ru

Bug#727708: systemd (security) bugs (was: init system question)

[Moritz Muehlenhoff]

On Sun, Dec 01, 2013 at 12:11:11PM -0600, Steve Langasek wrote:
  More review and more usage will lead to more bugs being found, we should
  rather applaud Red Hat for investing resources and be diligent. After all
  Red Hat is the only distro staffing a proactive product security team
  (from which everyone is profiting outside of RH as well). I don't consider
  the lack of reported security issues for the contenders as a credible 
  indication of them being more secure.
 
 Red Hat shipped upstart as their init system in RHEL 6.  This did not result
 in any CVEs being issued for upstart.  What conclusions should we draw from
 this?

None. The RH Product Security Team didn't exist back then (founded 1.5 years 
ago).

Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20131203210029.ga24...@inutil.org

Bug#727708: systemd (security) bugs (was: init system question)

[Steve Langasek]

On Sun, Dec 01, 2013 at 11:11:43PM +0100, Sune Vuorela wrote:
 On Sunday 01 December 2013 21:50:49 Ian Jackson wrote:
  This leads me to a question which I find myself asking, after reading
  the systemd debate page:

  If we were to adopt systemd as pid 1, which sections of the systemd
  source code would we probably want to adopt as well ?  Or to put it
  another way, which other existing programs would be obsoleted ?

 logind is obsoleting consolekit and libpam-xdg. (Consolekit tracks wether
 or not a user is sitting on the physical console or logged in.  libpam-xdg
 ensures that XDG_RUNTIME_DIR is handled according to the spec).  Logind
 also ensures that a user session actually can be terminated when she logs
 out.

 Logind is the most important one, and within a year or two all desktop
 environments that wants to be slightly more advanced than TWM is going to
 need it.  Even Ubuntu is using logind and is iirc maintained there by
 Steve Langasek.

It's collectively maintained in Ubuntu; I do help with it, but Martin Pitt
does most of the routine maintenance for the systemd source package (udev,
logind).

 Beside that, there are among others:
 the timezoned is ensuring a common way that applications can get notified
 when the hosts timezone changes.  KDE does have something for that that
 would be obsoleted.  I think most other systems requires restart of
 applications or manual magic in each app.

'timedated'

 hostnamed is for notifying when hostname changes. KDE does have something
 for that.  I don't know who else.

 There are more parts, but that's where my research has ended so far. 

The other one that GNOME uses, and that should be adopted, is localed.

But these dbus services (logind, timedated, hostnamed, localed) are things
that we should adopt, /independently/ of whether systemd is used as pid 1.

I don't know that there are any systemd services that we would want to adopt
IFF we switched to systemd for pid 1.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developerhttp://www.debian.org/
slanga...@ubuntu.com vor...@debian.org


signature.asc
Description: Digital signature

Bug#727708: systemd (security) bugs (was: init system question)

[Steve Langasek]

On Sat, Nov 30, 2013 at 04:07:17PM +0100, Moritz Mühlenhoff wrote:
 On Thu, Nov 28, 2013 at 08:07:16PM -0600, Steve Langasek wrote:
  All distributions care about not having security issues in their code, but
  that's not the same thing as actually doing the work to audit the code.  In
  practice this only happens when dedicated resources are turned on the code
  in question, and having more companies using the code does not magically
  make that happen.

 [I took care of the systemd DSA people are referring to]

 The issue people are talking about were discovered during a review of the
 Red Hat Product Security Team (most likely triggered by the inclusion of
 systemd into RHEL7).
 So in fact having more companies use the code exactly made that magically
 happen.

No, this is a function of one specific company having a proactive security
review policy (for which they should be commended).  It has nothing to do
with how many companies are using the software.

 More review and more usage will lead to more bugs being found, we should
 rather applaud Red Hat for investing resources and be diligent. After all
 Red Hat is the only distro staffing a proactive product security team
 (from which everyone is profiting outside of RH as well). I don't consider
 the lack of reported security issues for the contenders as a credible 
 indication of them being more secure.

Red Hat shipped upstart as their init system in RHEL 6.  This did not result
in any CVEs being issued for upstart.  What conclusions should we draw from
this?

 FWIW, the main reason I'm personally in favour of adopting systemd is
 precisely security (in terms of sandboxing and restricting services).  See
 http://0pointer.de/blog/projects/security.html for some pointers.

I think such built-in sandboxing features are interesting, but not decisive.
They represent an incremental improvement over the status quo for
sandboxing, and aren't anything that couldn't be delivered as a feature in
upstart, for example, if there were demand for it.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developerhttp://www.debian.org/
slanga...@ubuntu.com vor...@debian.org


signature.asc
Description: Digital signature

Bug#727708: systemd (security) bugs (was: init system question)

[Sune Vuorela]

On Thursday 28 November 2013 13:43:27 Ian Jackson wrote:
  CVE summary Debian BTS  Redhat
  2012-0871   systemd-logind insecure file creation   ?   795853

 Furthermore, I think it is fair to look at bugs in non-pid-1 parts of
 the systemd codebase when assessing the likely code quality of the pid
 1 parts.

Note that the non-pid1-parts of systemd, like logind for example, are pieces 
we need no matter what init system we choose. The question is more if we can 
use them as provided by upstream or we need to adapt them in Debian.

/Sune
-- 
How to close the space bar?

First from the control drawer inside Office 8.7.5 you should ping the site of 
the controller for logging on a BIOS.


-- 
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/2842538.jK1El20Jv4@dabney

Bug#727708: systemd (security) bugs (was: init system question)

[Raphael Hertzog]

Hi,

On Sun, 01 Dec 2013, Steve Langasek wrote:
  More review and more usage will lead to more bugs being found, we should
  rather applaud Red Hat for investing resources and be diligent. After all
  Red Hat is the only distro staffing a proactive product security team
  (from which everyone is profiting outside of RH as well). I don't consider
  the lack of reported security issues for the contenders as a credible 
  indication of them being more secure.
 
 Red Hat shipped upstart as their init system in RHEL 6.

The more interesting information in all this is why RHEL is switching over
from upstart to systemd?

I mean we have an incentive to switch to something else because we can't
reliably fix stuff with sysvinit. But if upstart was satisfactory at that
level, what are the reasons why RHEL is switching again?

Maybe the security features discussed here are part of the answer, I don't
know.

  FWIW, the main reason I'm personally in favour of adopting systemd is
  precisely security (in terms of sandboxing and restricting services).  See
  http://0pointer.de/blog/projects/security.html for some pointers.
 
 I think such built-in sandboxing features are interesting, but not decisive.
 They represent an incremental improvement over the status quo for
 sandboxing, and aren't anything that couldn't be delivered as a feature in
 upstart, for example, if there were demand for it.

I believe that those who need those features just decide to use systemd
and won't demand those features to the upstart upstreams. In particular
when those features are of particular interest to people who are building
heavily customized systems (think embedded devices) and are not wary of
diverging from the defaults.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/


-- 
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20131201202247.gb15...@x230-buxy.home.ouaza.com

Bug#727708: systemd (security) bugs (was: init system question)

[Ian Jackson]

Sune Vuorela writes (Bug#727708: systemd (security) bugs (was: init system 
question)):
 Note that the non-pid1-parts of systemd, like logind for example, are pieces 
 we need no matter what init system we choose. The question is more if we can 
 use them as provided by upstream or we need to adapt them in Debian.

Whether Debian' uses something is a lot more granular than that.
It seems to me that there are plenty of systems which could do without
logind, at least if we're not using systemd as pid 1.

This leads me to a question which I find myself asking, after reading
the systemd debate page:

If we were to adopt systemd as pid 1, which sections of the systemd
source code would we probably want to adopt as well ?  Or to put it
another way, which other existing programs would be obsoleted ?

This is important for two reasons that I can think of:

Firstly, it is touted as an advantage of systemd that it provides in a
good and proper way this other functionality; it seems that the
systemd designers consider that these other ad-hoc programs or
facilities are crufty and in need of replacement.  So I would like to
know which these other facilities are, that are going to be improved.

Secondly, if we are, for example, to compare the total LOC count, or
the bug list, or the CVE history, of systemd, with that of a
non-systemd system, we need to know which parts of the old system are
replaced.

Ian.


-- 
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/21147.44857.90778.20...@chiark.greenend.org.uk

Bug#727708: systemd (security) bugs (was: init system question)

[Sune Vuorela]

On Sunday 01 December 2013 21:50:49 Ian Jackson wrote:
 This leads me to a question which I find myself asking, after reading
 the systemd debate page:
 
 If we were to adopt systemd as pid 1, which sections of the systemd
 source code would we probably want to adopt as well ?  Or to put it
 another way, which other existing programs would be obsoleted ?

logind is obsoleting consolekit and libpam-xdg. (Consolekit tracks wether or 
not a user is sitting on the physical console or logged in. libpam-xdg ensures 
that XDG_RUNTIME_DIR is handled according to the spec). Logind also ensures 
that a user session actually can be terminated when she logs out.

Logind is the most important one, and within a year or two all desktop 
environments that wants to be slightly more advanced than TWM is going to need 
it. Even Ubuntu is using logind and is iirc maintained there by Steve 
Langasek.

Consolekit was written by the same people as involved in systemd and is now 
hopefully getting it right. Consolekit is abandoned upstream a couple of years 
ago. Libpam-xdg was written by Steve Langasek for Ubuntu and has since been 
abandoned in in Ubuntu favour of the systemd bits .

Beside that, there are among others:
the timezoned is ensuring a common way that applications can get notified when 
the hosts timezone changes. KDE does have something for that that would be 
obsoleted. I think most other systems requires restart of applications or 
manual magic in each app.

hostnamed is for notifying when hostname changes. KDE does have something for 
that. I don't know who else.

There are more parts, but that's where my research has ended so far. 

/Sune
-- 
How to cancel a mailer to the proxy from Flash and from the folder inside DOS 
97?

You must log on a driver to debug a monitor.


-- 
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/2815230.1zOzeelhbH@dabney

Bug#727708: systemd (security) bugs (was: init system question)

[Josselin Mouette]

Le vendredi 29 novembre 2013 à 17:55 +0100, Josselin Mouette a écrit : 
 Indeed, systemd has not been written with security in mind.

Obviously, such a subjective judgment of valor does not mean the same to
me as to other developers. It is easy to quote it out of context and say
“oh, look! some systemd advocate said that it is insecure! of course MY
init system of choice is more secure!”, but it is merely a fallacy since
we are not talking about the same thing.

Therefore, I have to retract this statement. 

-- 
 .''`.  Josselin Mouette
: :' :
`. `'
  `-


-- 
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1385801042.26957.30.camel@tomoyo

Bug#727708: systemd (security) bugs (was: init system question) [and 1 more messages]

[Michael Stapelberg]

Hi Ian,

Ian Jackson ijack...@chiark.greenend.org.uk writes:
 My point was that someone who is writing an init system for concurrent
 startup and dynamic service management needs to have a good
 understanding of concurrent system design, and in particular of race
 hazards.  I wouldn't expect a person or people who had such an
 understanding to make many mistakes of the kind seen here.
Neither do I, but there is no evidence for _many_ of these problems.

 Personally, I don’t know about every little detail in fd passing
 either. If I read you correctly, you seem to be saying one needs to be
 an expert in a given area before being allowed to write code in it. I
 think it works the other way around: by writing code in that area, you
 become an expert in it.

 What a startling statement.  This is not some desktop toy we are
 talking about; this is critical core system infrastructure.

 I would prefer my pid 1 to have been written by experts.  It appears
 that you are saying that systemd wasn't and that this isn't important!
To clarify: I do think (most?) systemd authors are experts. I am also
saying that experts can make mistakes, and that having the expectation
that software has 0 bugs is unreasonable.

I also stand by my statement that one cannot be an expert in a subject
area before having experience in that subject area. Sure, one can
prepare, but there is the proverb “practice makes perfect”.

 Instead of focusing on the actual security issues, what I’d much rather
 look at is the process with which such bugs are fixed. I.e. are security
 problems acknowledged as such, are they fixed clearly and in a timely
 manner? Are there enough eyes looking at the project to uncover, report
 and collaborate in fixing the issues?

 I don't think having a functioning security response process is a
 substitute for good system design, and a high initial code quality.
No argument there. I think having all three of them is better, and
that’s my opinion of systemd, at least of pid 1, which I have looked at
more closely than at the other parts of the larger system.

 Also, and I think that should go without saying, if this branch of the
 discussion is considered as reasoning against systemd in the decision
 process, I’d like to see similar data on the other init systems :).

 You are of course welcome to go and find that information.
I may be misunderstanding how this works, but I strongly believe that if
the ctte looks at the security track record of systemd, it MUST also
look at the security track record of the other contenders. I.e., I
consider it unfair to say “we’re not using systemd because it had
security bugs, we’ll chose X instead, but we didn’t look at its security
at all”.

That said, I’d love to help, but I don’t have the time to look at the
security track record of other init systems in detail. Sorry.

-- 
Best regards,
Michael


--
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/x6iova9mt0@midna.lan

Bug#727708: systemd (security) bugs (was: init system question)

[Moritz Mühlenhoff]

On Thu, Nov 28, 2013 at 08:07:16PM -0600, Steve Langasek wrote:
 All distributions care about not having security issues in their code, but
 that's not the same thing as actually doing the work to audit the code.  In
 practice this only happens when dedicated resources are turned on the code
 in question, and having more companies using the code does not magically
 make that happen.

[I took care of the systemd DSA people are referring to]

The issue people are talking about were discovered during a review of
the Red Hat Product Security Team (most likely triggered by the inclusion
of systemd into RHEL7).
So in fact having more companies use the code exactly made that magically
happen.

For every complex code base a thorough review will unveil security-related
implementation bugs and the ones found for systemd are not exactly earth-
shattering.

More review and more usage will lead to more bugs being found, we should
rather applaud Red Hat for investing resources and be diligent. After all
Red Hat is the only distro staffing a proactive product security team
(from which everyone is profiting outside of RH as well). I don't consider
the lack of reported security issues for the contenders as a credible 
indication of them being more secure.

FWIW, the main reason I'm personally in favour of adopting systemd is precisely 
security (in terms of sandboxing and restricting services). See
http://0pointer.de/blog/projects/security.html for some pointers.

[EOD from me due to a lack of time, but that needed to be said]

Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20131130150714.GA4204@pisco.westfalen.local

Bug#727708: systemd (security) bugs (was: init system question)

[Lars Wirzenius]

On Sat, Nov 30, 2013 at 04:07:17PM +0100, Moritz Mühlenhoff wrote:
 [EOD from me due to a lack of time, but that needed to be said]

And thank you for saying it.

-- 
http://www.cafepress.com/trunktees -- geeky funny T-shirts
http://gtdfh.branchable.com/ -- GTD for hackers


-- 
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20131130151840.GZ4662@holywood

Bug#727708: systemd (security) bugs (was: init system question)

[Josselin Mouette]

Le jeudi 28 novembre 2013 à 13:43 +, Ian Jackson a écrit : 
 In summary, I agree with Andrew Kanaber's view that the security and
 bug history of systemd is worrying.

Personally, I find the flow of bugs (including security bugs) for
moderately recent software the sign of a healthy project. A simple look
at a few packages in the BTS will show that packages with lots of
reported bugs are packages with lots of users and features, regardless
of the quality of their code: Linux, X, Iceweasel, GNOME, KDE all come
to mind as being full of bugs, including security bugs.

Indeed, systemd has not been written with security in mind. Neither have
sysvinit nor upstart, AFAICT. Yes, it would be better if *all*
developers had a better grasp of secure programming, but on the other
hand, asking the first people to use some advanced kernel interfaces to
understand all their security implications is unfair. Just like we don’t
hold the Mozilla developers responsible for security issues in brand-new
Javascript engines that maybe 10 developers in the world could
understand.

As Michael mentioned, systemd has a broader scope than alternatives.
You’d have to use a system providing similar features as a basis for a
fair comparison, and such a system doesn’t really exist in the Unix
world. If you only take into account the features that are also provided
by upstart or sysvinit/insserv, you won’t find that many of these bugs
apply. Compare that to the number of unfixable bugs in sysvinit due to
broken design. 

Cheers,
-- 
 .''`.Josselin Mouette
: :' :
`. `'
  `-


-- 
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1385744139.24216.1151.camel@dsp0698014

Bug#727708: systemd (security) bugs (was: init system question)

[Ian Jackson]

Josselin Mouette writes (Bug#727708: systemd (security) bugs (was: init system 
question)):
 Personally, I find the flow of bugs (including security bugs) for
 moderately recent software the sign of a healthy project. A simple look
 at a few packages in the BTS will show that packages with lots of
 reported bugs are packages with lots of users and features, regardless
 of the quality of their code: Linux, X, Iceweasel, GNOME, KDE all come
 to mind as being full of bugs, including security bugs.

All of those components are to a greater or lesser extent optional.
What we are being asked is to make use of systemd mandatory.

 Indeed, systemd has not been written with security in mind.

What an alarming comment on a program which has ultimate privilege, is
intended to be universally deployed even in the most demanding
security environment, crosses security boundaries (without, IMO, a
sufficient justification), and is being touted as the single
systemwide manager for security features like cgroups !

 Neither have sysvinit nor upstart, AFAICT.

I will leave the upstart maintainers to comment on this in more
detail, but sysvinit has had remarkably few security bugs for a
program of its vintage.  This is because it has very few, and very
restricted, interfaces to untrusted parts of the system.

  Just like we don’t hold the Mozilla developers responsible
 for security issues in brand-new Javascript engines that maybe 10
 developers in the world could understand.

The security record of web browsers is indeed atrocious.  It is the
result of a persistent swamp of bad design decisions, hideous
overcomplexity, plain bad code, and lack of attention to mitigation
measures.  Google's efforts in this area are to be applauded, even
though I have serious privacy problems with Google.

It is very alarming that web browsers are being presented as the
security benchmark for our new init system.

Ian.


--
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/21144.51928.798814.268...@chiark.greenend.org.uk

Bug#727708: systemd (security) bugs (was: init system question)

[Steve Langasek]

On Fri, Nov 29, 2013 at 05:55:39PM +0100, Josselin Mouette wrote:
 Indeed, systemd has not been written with security in mind. Neither have
 sysvinit nor upstart, AFAICT.

I wouldn't presume to say whether the systemd authors had security in mind
while writing it.  But I will stand by the overall security design of either
sysvinit or upstart, namely that the user-accessible interfaces are kept as
small as possible to make them as auditable as possible.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developerhttp://www.debian.org/
slanga...@ubuntu.com vor...@debian.org


signature.asc
Description: Digital signature

Bug#727708: systemd (security) bugs (was: init system question)

[Josselin Mouette]

Le vendredi 29 novembre 2013 à 17:11 +, Ian Jackson a écrit : 
 Josselin Mouette writes (Bug#727708: systemd (security) bugs (was: init 
 system question)):
  Personally, I find the flow of bugs (including security bugs) for
  moderately recent software the sign of a healthy project. A simple look
  at a few packages in the BTS will show that packages with lots of
  reported bugs are packages with lots of users and features, regardless
  of the quality of their code: Linux, X, Iceweasel, GNOME, KDE all come
  to mind as being full of bugs, including security bugs.
 
 All of those components are to a greater or lesser extent optional.

Linux is optional?
X is optional? Not for everyone. (X is a bad example anyway, because,
unlike the rest, it *has* a bad security design.)

 What we are being asked is to make use of systemd mandatory.

It doesn’t mean that all of systemd’s features should be enabled on all
machines. The reason why embedded manufacturers are sponsors for
systemd’s development is that it means less code, and therefore less
bugs (security or not), than alternatives.

  Indeed, systemd has not been written with security in mind.
 
 What an alarming comment on a program which has ultimate privilege, is
 intended to be universally deployed even in the most demanding
 security environment, crosses security boundaries (without, IMO, a
 sufficient justification), and is being touted as the single
 systemwide manager for security features like cgroups !

Only an extreme minority of Debian packages have been written with
security in mind. Not all packages can be OpenSSH or Postfix, and we
have to live with that fact, because we need the features in other
packages (starting with a kernel and libc).

  Neither have sysvinit nor upstart, AFAICT.
 
 I will leave the upstart maintainers to comment on this in more
 detail, but sysvinit has had remarkably few security bugs for a
 program of its vintage.  This is because it has very few, and very
 restricted, interfaces to untrusted parts of the system.

And of course, there has never been any buggy init script.

Again, your comparison doesn’t make any sense since you don’t compare
similar functionality scopes.

   Just like we don’t hold the Mozilla developers responsible
  for security issues in brand-new Javascript engines that maybe 10
  developers in the world could understand.
 
 The security record of web browsers is indeed atrocious.  It is the
 result of a persistent swamp of bad design decisions, hideous
 overcomplexity, plain bad code, and lack of attention to mitigation
 measures.  Google's efforts in this area are to be applauded, even
 though I have serious privacy problems with Google.

I’m afraid you don’t entirely understand why the security record of web
browsers looks atrocious. Because of a swamp of bad decisions *from web
developers and designers*, backed by users, browsers have to cover a
functional scope that far exceeds in complexity any other kind of
software. A typical browser has to include several virtual machines,
graphical/layout toolkits, JIT compilers, advanced cryptographic
software, all of which have to work with heaps of untrusted data. When
taking all of that into account, as much as I hate dealing with them, I
have to admit the security record for several browsers is good, and it’s
because they *are* developed with security in mind.

 It is very alarming that web browsers are being presented as the
 security benchmark for our new init system.

It is quite alarming that a member of the Technical Committee
demonstrates lacks in security knowledge while at the same time using
security bugs as a measure for comparing solutions.


This “security” discussion has nothing to do with the case in point,
though. If you have specific points you want addressed by the systemd
position (like how systemd’s upstream designs user interfaces to avoid
security bugs, or handles security alerts), please state them clearly
and I will do my best to gather information for you and answer them.

-- 
 .''`.Josselin Mouette
: :' :
`. `'
  `-


-- 
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1385749113.24216.1192.camel@dsp0698014

Bug#727708: systemd (security) bugs (was: init system question)

[Paul Tagliamonte]

On Fri, Nov 29, 2013 at 05:11:52PM +, Ian Jackson wrote:
 It is very alarming that web browsers are being presented as the
 security benchmark for our new init system.

So, I tend to agree with Joss here - Web browsers is the biggest attack
surface that we have today, bar none. I don't think anyone really
disputes this.

The safety of modern web browsers is (well, minus a qualifier below), frankly,
shockingly good.

The amount of exploits from JS is crazy low for something that's able to
do so much (store data locally, use WebGL / 3D rendering, play audio),
it is shockingly hard to exploit.

When you look at the entire stack (CSS parsers / evaluators, HTML
parsers  evaluators, JS parsers and evaluators), the only disaster
would be stuff like ActiveX. I'm not sure of it's state, since I've
never run a platform that supports it, but I hear it's getting better.

So, yes, browsers are a cespool, but it's one that runs complete garbage
on the internet.

I'd be stunningly happy to see an init system that can handle as much
pure crap as browsers have to put up with :)


More on-topic, I do think that the systemd bugs are more likely because
people are playing with the code, exploring it for holes, and pushing
them, which is healthy. I'm sure if you poked hard enough, most systems
would show such bugs. (as has been already said, really)


Cheers,
  Paul

-- 
 .''`.  Paul Tagliamonte paul...@debian.org
: :'  : Proud Debian Developer
`. `'`  4096R / 8F04 9AD8 2C92 066C 7352  D28A 7B58 5B30 807C 2A87
 `- http://people.debian.org/~paultag


signature.asc
Description: Digital signature

Bug#727708: systemd (security) bugs (was: init system question) [and 1 more messages]

[Uoti Urpala]

On Fri, 2013-11-29 at 12:37 +, Ian Jackson wrote:
 Uoti Urpala writes (Bug#727708: systemd (security) bugs (was: init system 
 question)):
  My guess is that most people do not consider that exciting or really
  care - thinking of system states in terms of runlevels is mostly
  obsolete, and the flaws do not bother many people in the cases where
  backwards compatibility is still needed.
 
 Statements like this are part of what make me think this might be a
 fundamental problem.  When a systemd proponent tells me that a
 particular use pattern is unimportant or wrongheaded, I tentatively
 infer that systemd cannot support it properly.

At least here this logic led you to the wrong conclusion, so you might
want to reconsider it.

 It seems to me that the difficulties with the runlevel emulation are
 likely to affect other similar use patterns too.  The problems don't
 seem specific to the nature of runlevels.  Perhaps they are specific
 to the way runlevels are emulated by systemd but in that case that
 emulation should surely be fixed.

The issue was legacy runlevel changes being simply mapped to isolate
new_runlevel, which does not have quite the same semantics as sysvinit
runlevel changes (most importantly, it stops everything not in the
new_runlevel target, without limiting to only things that were part of
original runlevel target). There's no reason why the set of services to
stop could not be calculated in a way closer to sysvinit semantics. But
there's little reason to deal with runlevels at all when using
systemd, and it seems most people don't. So while the backwards
compatibility support could be improved (probably rather easily), I
think it's clear why this has not been a priority for either developers
or users.


 More importantly it is one which is exploitable only as a consequence
 of the questionable design decision to expose pid 1 to ordinary users.

I think there are good reasons to allow querying status directly. One
sanity check that IMO should be kept in mind for perspective when
considering any even one DoS issue in PID 1 is a catastrophe arguments
is that Debian will always require running a kernel, and there have been
lots of DoS or worse issues there. Unless you expect the majority of
Debian users to move to minimal microkernels in the near future, there
is little basis to demand an absolutely minimal init process when the
kernel contains much more code in a more critical role.

The same applies to this:
 and is being touted as the single systemwide manager for security
 features like cgroups !

Parts of the implementation for this are on the kernel side, parts on
the systemd side. I see no reason to think that the systemd side would
be the more problematic one.


-- 
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/1385755769.13584.51.camel@glyph.nonexistent.invalid

Re: Bug#727708: systemd (security) bugs (was: init system question)

[Steven Chamberlain]

As a system administrator, the idea of a 'kitchen sink' init system
terrifies me.  I would need exceptionally high confidence in its authors
and design principles before allowing it to run as root on my systems
and depend on it to boot even to single user.  I wouldn't even invest
much time enquiring into this, if I knew I could manage with something
simpler having less scope for security/reliability bugs.

OTOH I would be much more forgiving if this were being used for, say,
employees' own desktop machines in a protected corporate IT environment.
 Lots of systemd's features seem particularly convenient for that use
case.  And security is enforced in other ways there (the only people
with access at all, know they risk getting fired for trying to escalate
privileges or DoS).

Adopting systemd may have been much simpler if it had been separate from
and launched by the simple init, starting only the services that have
unit files because they really require its functionality.  If no
installed software on that system needs it, it wouldn't even need to be
installed.

But otherwise I think there are GNU/Linux users who want the choice of
using systemd or being able to use something else.  Preferably without
having to switch a different distro or third-party derivative.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


-- 
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/5298f9d0.8000...@pyro.eu.org

Bug#727708: systemd (security) bugs (was: init system question)

[Ian Jackson]

A friend of mine mentioned to me in the pub that he had seem alarming
reports of systemd security bugs.  Naturally I asked for more
information and he promised me an email with some references.

So, here's what Andrew sent me.  Thanks to Andrew for doing this
legwork.

I'll reply substantively in a moment.

---BeginMessage---
Hi Ian,

Here's the email about systemd security holes that I kept forgetting to send
you. I hope it's (still) useful.

The debian-devel post I was thinking of is 
441543.92540...@smtp118.mail.ir2.yahoo.com
but it actually only mentions three vulnerabilities, there's a more complete
list of the ones that have affected Debian at
 https://security-tracker.debian.org/tracker/source-package/systemd

Here's a short summary along with the redhat bug numbers (since the redhat BTS
seems to be the place to go for systemd information)

CVE summary Debian BTS  Redhat
2012-0871   systemd-logind insecure file creation   ?   795853 
2012-1101   DoS from systemctl status   662029  799902
2012-1174   TOCTOU deletion race in systemd-logind  664364  803358
2013-4327   insecure use of polkit  723713  1006680
2013-4391   systemd journald integer overflow   725357  859051
2013-4392   TOCTOU race updating file perms 725357  859060
2013-4393   systemd journald DoS725357  859104
2013-4394   improper sanitization of XKB layouts725357  862324

I think the really bad one to do with remote connection the guy on
debian-devel was thinking of is CVE-2013-4391 which mentions possible
arbitrary code execution from a specially crafted packet but I'm not sure
under what conditions it would be triggerable over IP, I guess you might have
had to set up your system as a remote journald server.

The bug I mentioned one where bad data in its binary log files causes journald
to go mad and eventially fill up /var with junk is
https://bugzilla.redhat.com/show_bug.cgi?id=974132
and is apparently still not fixed.

Generally the RedHat BTS at
https://bugzilla.redhat.com/buglist.cgi?quicksearch=Component:systemd
and 
https://bugzilla.redhat.com/buglist.cgi?quicksearch=Component:systemd+Status:CLOSED
make alarming reading

Hope this helps,

Andrew
---End Message---

Bug#727708: systemd (security) bugs (was: init system question)

[Ian Jackson]

Andrew Kanaber akana...@chiark.greenend.org.uk:
 The debian-devel post I was thinking of is 
 441543.92540...@smtp118.mail.ir2.yahoo.com
 but it actually only mentions three vulnerabilities, there's a more complete
 list of the ones that have affected Debian at
  https://security-tracker.debian.org/tracker/source-package/systemd

In summary, I agree with Andrew Kanaber's view that the security and
bug history of systemd is worrying.


 Here's a short summary along with the redhat bug numbers (since the
 redhat BTS seems to be the place to go for systemd information)
 
 CVE   summary Debian BTS  Redhat
 2012-0871 systemd-logind insecure file creation   ?   795853 
 2012-1101 DoS from systemctl status   662029  799902
 2012-1174 TOCTOU deletion race in systemd-logind  664364  803358
 2013-4327 insecure use of polkit  723713  1006680
 2013-4391 systemd journald integer overflow   725357  859051
 2013-4392 TOCTOU race updating file perms 725357  859060
 2013-4393 systemd journald DoS725357  859104
 2013-4394 improper sanitization of XKB layouts725357  862324

It isn't always 100% clear to me from reading these which of them
apply to systemd's init replacement.  But reading the systemd debate
page makes it clear that the other components in the systemd upstream
package are seen by systemd proponents as part of their offering, and
indeed reasons to pick systemd.  Integration between the different
parts of the systemd package is touted as an advantage.  For example,
journald is mentioned in the 2nd bullet point under Functionality.  So
I think it it is sensible to look at security or other significant
bugs, even in those other systemd components.

Furthermore, I think it is fair to look at bugs in non-pid-1 parts of
the systemd codebase when assessing the likely code quality of the pid
1 parts.

I should say that it is hard to write code with no security bugs at
all.  But I think our benchmark for security bugs in our init system
ought to be very few, particularly if we are making a specific
implementation effectively mandatory.  And I don't think I would like
to accept justifications (for a large bug count) along the lines of
but systemd does so much more; I think the security bugs that come
with a large codebase, or having more functionality exposed to
ordinary users, are a direct and very relevant downside to such a
large codebase or large attack surface.


I went and looked at the security bugs Andrew lists:

There are a couple of filesystem races (CVE-2012-1174, CVE-2013-4392)
which I think a concurrent init system author ought really to be
competent to avoid.  (And the system should be designed, so far as
possible, to reduce the opportunity for such races.)

The systemctl status resource usage DoS (CVE-2012-1101) is an
understandable resource leak, given systemd's design.  But for me it
raises this question: why is the system designed in such a way that
the critical pid 1 is required to implement functionality (and
unprivileged-facing interfaces) in which such a resource leak is (a) a
likely programming error and then (b) exposed so as to be exploitable.

AIUI the journald integer overflow (CVE-2013-4391) is a remotely
exploitable bug, if you have configured journald to allow remote
logging.  (I assume this isn't the default configuration but haven't
checked.)

The other journald one (CVE-2013-4393) seems to stem from a poor
design decision: journald expects to be given an fd and then reads
from it.  The authors of this obviously-security-critical code failed
to appreciate the variety of exciting things that can happen to the
recipient of an fd.  I wonder even whether the code change
  
http://cgit.freedesktop.org/systemd/systemd/commit/?id=1dfa7e79a60de680086b1d93fcc3629b463f58bd
which is supposed to fix the bug is sufficient.  Even if it does it
certainly isn't pretty.  But also it is concerning that people who
have decided to make extensive use of advanced features of the Linux
system call interface apparently aren't aware of important and
hopefully well-known dangers in facilities such as cross-trust-domain
fd passing.

The XKB one (CVE-2013-4394) is concerning too.  I can't quite tell
exactly in what configurations you would be vulnerable, but the bug
itself is not reassuring as regards the authors' additude to
cross-trust-boundary data processing.  It looks like there's a bunch
of filenames which are taken from the untrusted side and just
textually stuffed into the X server configuration.  Even after the
change which is supposed to fix it,
  
http://cgit.freedesktop.org/systemd/systemd/commit/?id=0b507b17a760b21e33fc52ff377db6aa5086c6800
it looks like the system might still accept editor backup,
auto-save files, and the like - the filename patterns which are
accepted seem far too generous.  I 

Bug#727708: systemd (security) bugs (was: init system question)

[Uoti Urpala]

Ian Jackson wrote:
 It isn't always 100% clear to me from reading these which of them
 apply to systemd's init replacement.  But reading the systemd debate
 page makes it clear that the other components in the systemd upstream
 package are seen by systemd proponents as part of their offering, and
 indeed reasons to pick systemd.

Yes, the other tools that systemd provides and enables are part of its
usefulness, so it is appropriate to look into their quality.


 I should say that it is hard to write code with no security bugs at
 all.  But I think our benchmark for security bugs in our init system
 ought to be very few, particularly if we are making a specific
 implementation effectively mandatory.  And I don't think I would like
 to accept justifications (for a large bug count) along the lines of
 but systemd does so much more; I think the security bugs that come
 with a large codebase, or having more functionality exposed to
 ordinary users, are a direct and very relevant downside to such a
 large codebase or large attack surface.

But this, I think, is completely wrong. You shouldn't count bugs from
other tools included with systemd against its core init functionality or
vice versa. If for example systemd and coreutils came from the same
source package, that should be allowed as many bugs as the current two
separate source packages, not less.

Most of the separate functionality is optional. It's likely that Debian
would want to use it, but then Debian would want that functionality with
other init systems too (or miss it). The most appropriate comparison is
whether it's possible to have similar functionality with less bugs
(whether provided with init system or completely independently). As far
as I can see, for most functionality there are no such alternatives.

At least Upstart, and likely other alternatives to systemd also, would
still use forked versions of at least logind and possibly other tools
originating from systemd. Such forks are worse for security than using
the original systemd one. Thus the fact that logind is developed with
systemd should count in favor of systemd, not against it.

Also, systemd is the system under the most intense scrutiny for security
and other issues, so it's not easy to compare bug counts with
alternatives - alternatives likely have a significantly larger portion
of issues undetected.


 Here are a couple of exciting snippets:

 https://bugzilla.redhat.com/show_bug.cgi?id=708537
 
   Problems with runlevel emulation doing mad things.  It isn't clear
   to me whether this bug is a symptom of a fundamental problem with
   systemd's state-based dependency model, or whether it's simply a

I think it's completely obvious that there is no fundamental problem.
I wonder what could make you consider it a possible symptom of one.

   missing feature or perhaps even wrong default configuration.  But
   the bug has been open for some time.

My guess is that most people do not consider that exciting or really
care - thinking of system states in terms of runlevels is mostly
obsolete, and the flaws do not bother many people in the cases where
backwards compatibility is still needed.


-- 
To UNSUBSCRIBE, email to debian-ctte-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/1385668823.13584.28.camel@glyph.nonexistent.invalid

Bug#727708: systemd (security) bugs (was: init system question)

[Michael Stapelberg]

Hi Ian,

Ian Jackson ijack...@chiark.greenend.org.uk writes:
 CVE  summary Debian BTS  Redhat
 2012-0871systemd-logind insecure file creation   ?   795853 
 2012-1101DoS from systemctl status   662029  799902
 2012-1174TOCTOU deletion race in systemd-logind  664364  803358
 2013-4327insecure use of polkit  723713  1006680
 2013-4391systemd journald integer overflow   725357  859051
 2013-4392TOCTOU race updating file perms 725357  859060
 2013-4393systemd journald DoS725357  859104
 2013-4394improper sanitization of XKB layouts725357  862324

 It isn't always 100% clear to me from reading these which of them
 apply to systemd's init replacement.  But reading the systemd debate
2012-1101 does, I think 2013-4327 and 2013-4392 might, all the others do
not affect the init part of src:systemd.

 Furthermore, I think it is fair to look at bugs in non-pid-1 parts of
 the systemd codebase when assessing the likely code quality of the pid
 1 parts.
I don’t really agree. The code quality of other parts of the systemd
ecosystem sure are related and probably provide a good trend of the
overall code quality. However, there are some “subsystems” of systemd,
which are to a big part written by non-core contributors. Take for
example networkd, a minimal network configuration for static
(server-ish) setups, which was largely implemented by Tom Gundersen:
http://cgit.freedesktop.org/systemd/systemd/log/src/network
Or take journald, which also has plenty of contributors:
http://cgit.freedesktop.org/systemd/systemd/log/src/journal?ofs=50
http://cgit.freedesktop.org/systemd/systemd/log/src/journal?ofs=100

One can compare this to the Linux kernel, I think: looking at any
subsystem will give you a somewhat useful idea about the overall code
quality, but it’s not fair to say linux’s syscall security sucks just
by looking at the filesystem code.

 I should say that it is hard to write code with no security bugs at
 all.  But I think our benchmark for security bugs in our init system
 ought to be very few, particularly if we are making a specific
 implementation effectively mandatory.  And I don't think I would like
 to accept justifications (for a large bug count) along the lines of
 but systemd does so much more; I think the security bugs that come
 with a large codebase, or having more functionality exposed to
 ordinary users, are a direct and very relevant downside to such a
 large codebase or large attack surface.
They sure are. OTOH, chosing the init system that receives the most
attention in form of development and is adopted by many other
distributions helps us a lot with security issues. They are no longer
just our problem, but other distributions also care about getting them
fixed quickly.

 There are a couple of filesystem races (CVE-2012-1174, CVE-2013-4392)
 which I think a concurrent init system author ought really to be
 competent to avoid.  (And the system should be designed, so far as
 possible, to reduce the opportunity for such races.)
“a concurrent init system author” sounds strange on multiple counts:
systemd was not written by one author. It is also not concurrent (in
fact it is single-threaded and only links to pthreads to call sync
asynchronously on shutdown), but event-based. As for competency, I am
sure that everybody involved has learned their lesson and will avoid
such issues in the future. I am also sure that other init systems have
(had) similar bugs. And if there is no evidence of that yet, maybe
nobody looked really closely yet…? :)

 The systemctl status resource usage DoS (CVE-2012-1101) is an
 understandable resource leak, given systemd's design.  But for me it
 raises this question: why is the system designed in such a way that
 the critical pid 1 is required to implement functionality (and
 unprivileged-facing interfaces) in which such a resource leak is (a) a
 likely programming error and then (b) exposed so as to be exploitable.
a) I think “a likely programming error” is an exaggeration. Do you have
   data on how often there were resource leaks in systemd?
b) I am unclear on how exactly this was exploitable, and the bugs lack
   explanation unfortunately.

Furthermore, I think Lennart’s explanation of why arbitrary units must
be able to be created is fair:
https://bugzilla.redhat.com/show_bug.cgi?id=680122#c1

 AIUI the journald integer overflow (CVE-2013-4391) is a remotely
 exploitable bug, if you have configured journald to allow remote
 logging.  (I assume this isn't the default configuration but haven't
 checked.)
journald does not provide remote logging. See
https://lists.fedoraproject.org/pipermail/devel/2013-July/185585.html

 The other journald one (CVE-2013-4393) seems to stem from a poor
 design decision: journald expects to be given an fd and then reads
 from it.  The authors 

Bug#727708: systemd (security) bugs (was: init system question)

[Steve Langasek]

On Thu, Nov 28, 2013 at 11:15:09PM +0100, Michael Stapelberg wrote:
  I should say that it is hard to write code with no security bugs at
  all.  But I think our benchmark for security bugs in our init system
  ought to be very few, particularly if we are making a specific
  implementation effectively mandatory.  And I don't think I would like
  to accept justifications (for a large bug count) along the lines of
  but systemd does so much more; I think the security bugs that come
  with a large codebase, or having more functionality exposed to
  ordinary users, are a direct and very relevant downside to such a
  large codebase or large attack surface.
 They sure are. OTOH, chosing the init system that receives the most
 attention in form of development and is adopted by many other
 distributions helps us a lot with security issues. They are no longer
 just our problem, but other distributions also care about getting them
 fixed quickly.

All distributions care about not having security issues in their code, but
that's not the same thing as actually doing the work to audit the code.  In
practice this only happens when dedicated resources are turned on the code
in question, and having more companies using the code does not magically
make that happen.

I don't know that the upstart code has been subjected to any sort of
comprehensive security audit.  I also don't know whether the auditing that's
been done on systemd qualifies as comprehensive.  I *will* assert that
upstart development is aimed at avoiding extraneous features precisely to
reduce the risk of bugs (security or otherwise).

  There are a couple of filesystem races (CVE-2012-1174, CVE-2013-4392)
  which I think a concurrent init system author ought really to be
  competent to avoid.  (And the system should be designed, so far as
  possible, to reduce the opportunity for such races.)
 “a concurrent init system author” sounds strange on multiple counts:
 systemd was not written by one author. It is also not concurrent (in
 fact it is single-threaded and only links to pthreads to call sync
 asynchronously on shutdown), but event-based. As for competency, I am
 sure that everybody involved has learned their lesson and will avoid
 such issues in the future.

Are the systemd developers novice programmers, that they need to learn to
program securely by trial and error?

The reality is that the kind of security bugs that we're talking about are
very subtle, and even experienced developers are going to make mistakes like
this from time to time, and as one of the arguments advanced for systemd is
that it has a large community of contributors, not all of those contributors
are going to be experienced developers.  A project's security record has at
least as much to do with having a solid design to reduce the attack surface,
as it does with the developers' skill.

 I am also sure that other init systems have (had) similar bugs.  And if
 there is no evidence of that yet, maybe nobody looked really closely yet…? 
 :)

Unless you're offering to do a security audit of upstart, I don't think such
speculation changes anything.

-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developerhttp://www.debian.org/
slanga...@ubuntu.com vor...@debian.org


signature.asc
Description: Digital signature