Bug#766938: systemd: network-pre.target doesn't seem to be guaranteed to run before the network is up
Control: tag -1 pending

Hey Christoph,

Christoph Anton Mitterer [2014-10-27 3:09 +0100]:
> Maybe I just miss something, but AFAIU, network-pre.target is not
> guaranteed to run before any networking is brought up (which is the whole
> point of network-pre.target).
>
> network.target has an After= on network-pre.target, but network.target
> itself isn't what brings the network up, right?

Correct, it's just the goal, which causes everything that actually brings up the network to start before it.

> Instead ifup@.service does that which has a Before= on network.target.

That's part of it, but also /etc/init.d/networking, i. e. the autogenerated networking.service.

I committed a fix for this:

http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/commit/?h=experimentalid=c90467c1b2909

This is fairly harmless on a standard installation as nothing hooks into this target, but fairly important on systems which do rely on it, so I'll also apply this to the master branch for Jessie.

Thanks,

Martin
--
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
Bug#766938: systemd: network-pre.target doesn't seem to be guaranteed to run before the network is up
Package: systemd
Version: 215-5+b1
Severity: important
Tags: security

Hi.

Maybe I just miss something, but AFAIU, network-pre.target is not guaranteed to run before any networking is brought up (which is the whole point of network-pre.target).

network.target has an After= on network-pre.target, but network.target itself isn't what brings the network up, right? Instead ifup@.service does that which has a Before= on network.target.

Doesn't that mean that there is no guarantee that network-pre.target runs before ifup@.service?

Therefore there is no guarantee that any services that bring up the firewall are run before an iface is brought up, which in case should make this issue security relevant. Depending on the other rules of a system there may be a short or even longer period between an iface being brought up and firewall rules loaded by a unit file, that trusts in network-pre.target.

Cheers,
Chris.

-- Package-specific info:

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages systemd depends on:
ii  acl             2.2.52-2
ii  adduser         3.113+nmu3
ii  initscripts     2.88dsf-57
ii  libacl1         2.2.52-2
ii  libaudit1       1:2.4-1
ii  libblkid1       2.25.2-2
ii  libc6           2.19-12
ii  libcap2         1:2.24-6
ii  libcap2-bin     1:2.24-6
ii  libcryptsetup4  2:1.6.6-3
ii  libgcrypt20     1.6.2-4
ii  libkmod2        18-3
ii  liblzma5        5.1.1alpha+20120614-2
ii  libpam0g        1.1.8-3.1
ii  libselinux1     2.3-2
ii  libsystemd0     215-5+b1
ii  sysv-rc         2.88dsf-57
ii  udev            215-5+b1
ii  util-linux      2.25.2-2

Versions of packages systemd recommends:
ii  dbus            1.8.8-2
ii  libpam-systemd  215-5+b1

Versions of packages systemd suggests:
ii  systemd-ui      3-2

-- Configuration Files:
/etc/systemd/logind.conf changed [not included]

-- no debconf information
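
The ordering gap described in the report, as an added example that is not part of the original thread or of the systemd packaging: it builds the After=/Before= graph from constructed unit stubs and lists the bring-up units that nothing forces to wait for network-pre.target. The hypothetical `firewall.service` and the `After=network-pre.target` lines in the second set are assumptions, not the contents of the commit linked above.

```python
import configparser
from collections import defaultdict, deque

# Constructed unit stubs, reduced to the ordering lines quoted in the report.
# firewall.service is a hypothetical unit that hooks into network-pre.target.
REPORTED = {
    "network-pre.target": "[Unit]\n",
    "network.target": "[Unit]\nAfter=network-pre.target\n",
    "ifup@.service": "[Unit]\nBefore=network.target\n",
    "networking.service": "[Unit]\nBefore=network.target\n",
    "firewall.service": "[Unit]\nBefore=network-pre.target\nWants=network-pre.target\n",
}
# Assumption: the bring-up units gain an explicit After=network-pre.target.
ORDERED = {
    **REPORTED,
    "ifup@.service": "[Unit]\nAfter=network-pre.target\nBefore=network.target\n",
    "networking.service": "[Unit]\nAfter=network-pre.target\nBefore=network.target\n",
}
BRINGUP = ["ifup@.service", "networking.service"]

def ordering_edges(units):
    """Map each unit to the units that must start after it."""
    edges = defaultdict(set)
    for name, text in units.items():
        cp = configparser.ConfigParser(strict=False, interpolation=None)
        cp.optionxform = str  # unit file keys are case-sensitive
        cp.read_string(text)
        for other in cp.get("Unit", "After", fallback="").split():
            edges[other].add(name)   # name starts after other
        for other in cp.get("Unit", "Before", fallback="").split():
            edges[name].add(other)   # name starts before other
    return edges

def ordered_before(units, first, later):
    """True if a chain of After=/Before= forces `first` ahead of `later`.
    Only holds at boot when every unit on the chain is actually queued."""
    edges, seen, todo = ordering_edges(units), {first}, deque([first])
    while todo:
        for nxt in edges[todo.popleft()] - seen:
            seen.add(nxt)
            todo.append(nxt)
    return later != first and later in seen

def unordered_bringup(units, bringup=BRINGUP):
    """Bring-up units that may start without waiting for network-pre.target."""
    return [u for u in bringup if not ordered_before(units, "network-pre.target", u)]

if __name__ == "__main__":
    print("as reported:", unordered_bringup(REPORTED))
    print("with After=:", unordered_bringup(ORDERED))
```

On a live system the same graph can be fed from the After= and Before= properties that `systemctl show` reports for each unit, which also include ordering that systemd adds implicitly.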