On Wed, 13.05.15 17:01, Martin Pitt (martin.p...@ubuntu.com) wrote:

> Hello all,
> 
> I got a report [1] that you can trivially crash systemd (pid1) at boot
> by creating a unit with an Exec= line with a modifier and a space:
> 
> $ cat /tmp/foo.service
> [Service]
> ExecStart=- /bin/echo hello
> 
> $ systemd-analyze verify /tmp/foo.service
> Assertion 'skip < l' failed at ../src/core/load-fragment.c:607, function 
> config_parse_exec(). Aborting.
> Aborted (core dumped)

Urks, that function isn't particular pretty anyway... I figure we
should rewrite this eventually to use unquote_first_word() instead of
FOREACH_WORD_QUOTED, which is pretty ugly...

> systemd pid 1 will crash the same way at boot, but with
> systemd-analyze it's less harmful to test :-)
> 
> So, obviously we need to fix the crash; but I was wondering what the
> desired behaviour should be? In the sense of "be liberal what you
> accept" I think the extra space(s) should just be ignored; or should
> that count as an error and the unit get rejected?

Neither.

It should be considered an error, logged about, but the line should be
ignored and we should continue. This is how we usually do it so far,
to ensure unit files stay relatively portable between version, but on
the other hand we aren't too liberal with accepting any data.

I think the "be liberal what you accept" thing really applies if you
have a true interchange format, that is read and written by multiple
different implementations. But this is not of this kind, since there's
exactly one implementation reading it that defines its semantics.

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel

Reply via email to