On 07.07.2017 at 21:55, Kai Krakow wrote:
On Tue, 4 Jul 2017 21:23:01 +0000 (UTC),
Alexander Bisogiannis <alexi...@gmail.com> wrote:

On Tue, 04 Jul 2017 17:21:01 +0000, Zbigniew Jędrzejewski-Szmek wrote:

If you need root permissions to create a unit, then it's not a
security issue. An annoyance at most.

The fact that you need to be root to create a unit file is irrelevant.

Systemd is running a service as a different user to what is defined
in the unit file.
This is a bug and a local security issue, especially because it will
run said service as root.

It might not warrant a CVE, although in my line of work this is
considered a security issue, but it is a bug and needs fixing.

The fix is to refuse to run the service, period.

There's nothing to fix because it already works that way: If you give
it a valid user name that does not exist, the system refuses to start
the unit with "user not found".

and if you give an invalid username it has to do the same - PERIOD

systemd is directly after the kernel the most important and lowest level stuff on a setup and hence can't be handled like some random stuff
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
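
A defender-side check for the disagreement above, as an added example that is not part of the thread or of systemd: it classifies the `User=` value of a unit so that names which fail a syntax check or do not resolve are caught before the unit is deployed. The name pattern, the sample units and the function names are assumptions of this example; the pattern is deliberately conservative and is not systemd's own validation rule.

```python
import pwd
import re

# Conservative name pattern: an assumption of this example, not systemd's own rule.
NAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,30}")

# Constructed sample units (not taken from the thread).
UNIT_OK = "[Unit]\nDescription=demo\n\n[Service]\nUser=www-data\nExecStart=/bin/true\n"
UNIT_BAD = "[Service]\n# name starts with a digit\nUser=0svc\nExecStart=/bin/true\n"


def service_user(unit_text):
    """Return the effective User= value of the [Service] section, or None."""
    section, user = None, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "User":
                # A later assignment overrides an earlier one; empty resets it.
                user = value.strip() or None
    return user


def classify(unit_text, lookup=pwd.getpwnam):
    """Classify the User= setting; lookup must raise KeyError for unknown names."""
    user = service_user(unit_text)
    if user is None:
        return "unset"            # service runs as the manager's default user
    if user.isascii() and user.isdigit():
        return "numeric-uid"      # numeric ID, no name resolution involved
    if not NAME_RE.fullmatch(user):
        return "invalid-syntax"   # the case argued about in this thread
    try:
        lookup(user)
    except KeyError:
        return "unknown-user"     # well-formed name with no passwd entry
    return "ok"


if __name__ == "__main__":
    for name, text in (("UNIT_OK", UNIT_OK), ("UNIT_BAD", UNIT_BAD)):
        print(name, classify(text))
```

Treat anything other than `ok` or an intended `numeric-uid` as a failed review of the unit file, whatever the service manager would do with it at start time.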
