On Tue, 4 Jul 2017 21:23:01 +0000 (UTC), Alexander Bisogiannis <alexi...@gmail.com> wrote:
> On Tue, 04 Jul 2017 17:21:01 +0000, Zbigniew Jędrzejewski-Szmek wrote:
>
> > If you need root permissions to create a unit, then it's not a
> > security issue. An annoyance at most.
>
> The fact that you need to be root to create a unit file is irrelevant.
>
> Systemd is running a service as a different user to what is defined
> in the unit file.
> This is a bug and a local security issue, especially because it will
> run said service as root.
>
> It might not warrant a CVE, although in my line of work this is
> considered a security issue, but it is a bug and needs fixing.
>
> The fix is to refuse to run the service, period.

There's nothing to fix because it already works that way: If you give it a valid user name that does not exist, the system refuses to start the unit with "user not found". If you give it an invalid user name (leading digits, disallowed characters), then it complains with a warning and continues to run as if you specified no user (thus it runs as root).

The bug here is that a leading number will "convert" to the number and it actually runs with the UID specified that way: 0day = 0, 7days = 7. But this is not really a security concern as only root can create units that contain a user - except you open exploits for that: But then you have other problems than that.

Conclusion: Not a security issue. If you trick an admin into accepting unit files without validating the contents, you have other issues than an issue with systemd.

> Is there any other place I can go to open a bug, or do I need to go
> to the upstream "vendor" Bugzilla?

Maybe open a new issue and suggest that the current "conversion" should be upgraded from a warning to a fatal error. Give examples of behavior you get and behavior you expect. Also give counterexamples of behavior that works as you expect. Don't try to troll; after all, it's the developers' forum and it only works if people stay with the facts. Otherwise it becomes unusable, nobody wants that.

Best way to get it into one of the next releases is to prepare a pull request that fixes the issue.

-- 
Regards,
Kai

Replies to list-only preferred.

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
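A pre-deployment lint for the behaviour described in this thread (a `User=` value with a leading digit being read as a numeric UID, so `0day` becomes UID 0), added here as an example that is neither from the thread nor from systemd itself; the sample unit files and the conservative user-name rule it applies are constructed assumptions:

```python
from __future__ import annotations
import re
from typing import Optional

# Conservative user-name rule (assumption, not systemd's own parser):
# letter or underscore first, then letters/digits/underscore/hyphen, max 32 chars.
STRICT_NAME = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_-]{0,31}$")

def classify_user(value: str) -> tuple[str, Optional[int]]:
    """Classify a User= value and report the UID a lenient digit-prefix parse yields.

    'numeric'        a bare UID, used as-is
    'name'           a well-formed name; unknown names make the unit fail to start
    'leading-digit'  digits first, then other characters; a lenient parser takes the
                     digit prefix as the UID ("0day" -> 0, i.e. root; "7days" -> 7)
    'invalid'        disallowed characters; the value cannot be resolved at all
    """
    if value.isdigit():
        return "numeric", int(value)
    if STRICT_NAME.match(value):
        return "name", None
    prefix = re.match(r"\d+", value)
    if prefix:
        return "leading-digit", int(prefix.group())
    return "invalid", None

def lint_unit(text: str) -> list[dict]:
    """Return one finding per User= line in the [Service] section of a unit file."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip() == "User":
                verdict, uid = classify_user(val.strip())
                findings.append({"user": val.strip(), "verdict": verdict, "uid": uid})
    return findings

# Constructed sample units (not real deployments); only web.service is clean.
SAMPLES = {
    "zeroday.service": "[Service]\nUser=0day\nExecStart=/bin/true\n",
    "sevendays.service": "[Service]\nUser=7days\nExecStart=/bin/true\n",
    "web.service": "[Unit]\nDescription=web\n\n[Service]\nUser=webapp\nExecStart=/bin/true\n",
}

def risky_units(samples: dict = SAMPLES) -> dict:
    """Units whose User= would be silently reinterpreted or rejected with a warning."""
    return {name: lint_unit(text) for name, text in samples.items()
            if any(f["verdict"] in ("leading-digit", "invalid") for f in lint_unit(text))}
```

Running the lint over a unit directory before `systemctl daemon-reload` turns the warning the thread describes into a hard failure in your own deployment pipeline.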