Poettering's hypocrisy is painful.
Because that's what he's complaining about
https://marc.info/?l=openbsd-misc&m=171227941117852&w=2
"Liblzma ends up dynamically linked to sshd because of a systemd-related extension added by many Linux packagers that pulls in liblzma as an unrelated dependency."
https://news.ycombinator.com/item?id=39866076
"openssh does not directly use liblzma. However debian and several other distributions patch openssh to support systemd notification, and libsystemd does depend on lzma."
- Linux packagers decide to patch sshd to use libsystemd for a notification, that could have been trivially done without this library.
- libsystemd depends on liblzma
- liblzma depends on xz
And therefore, systemd is insecure?
And what does this have to do with the fact that SUID is a terrible idea that needs to go?
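The dependency chain laid out above (sshd pulls in libsystemd, libsystemd pulls in liblzma) is exactly the kind of thing a packager or auditor wants to see mechanically rather than by inspection. The following is an added example, not code from any commenter or from the systemd, openssh or xz projects: it parses the `(NEEDED)` lines that `readelf -d` prints for an ELF object, builds a graph of DT_NEEDED edges, and reports every chain through which a given library (here liblzma) reaches a binary that never asked for it directly. The per-object NEEDED lists are constructed sample data standing in for a Debian-style sshd; the real linkage on a given system is whatever `readelf -d` reports there.

```python
"""Trace how a shared library ends up loaded into a binary via transitive DT_NEEDED edges."""
from collections import deque

# Constructed sample: a minimal `readelf -d` excerpt for an sshd patched to use
# libsystemd. The addresses and ordering are illustrative only.
SSHD_READELF = """
Dynamic section at offset 0xd2e40 contains 29 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libsystemd.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000c (INIT)               0x1e000
"""

# Constructed DT_NEEDED map for the libraries sshd drags in (assumption: what a
# Debian-style libsystemd of that era linked against; check with readelf locally).
NEEDED = {
    "libcrypto.so.3": ["libc.so.6"],
    "libsystemd.so.0": ["liblzma.so.5", "libzstd.so.1", "libc.so.6"],
    "liblzma.so.5": ["libc.so.6"],
    "libzstd.so.1": ["libc.so.6"],
    "libc.so.6": [],
}


def parse_readelf_needed(text):
    """Return the sonames from `(NEEDED) Shared library: [...]` lines, in link order."""
    needed = []
    for line in text.splitlines():
        if "(NEEDED)" in line and "Shared library: [" in line:
            needed.append(line.split("Shared library: [", 1)[1].rstrip().rstrip("]"))
    return needed


def transitive_closure(root, needed):
    """Every object that will be mapped into root's address space at load time."""
    seen, queue = set(), deque(needed.get(root, []))
    while queue:
        lib = queue.popleft()
        if lib not in seen:
            seen.add(lib)
            queue.extend(needed.get(lib, []))
    return seen


def dependency_chains(root, target, needed):
    """All simple DT_NEEDED paths from root to target, each as a list of sonames."""
    chains = []

    def walk(node, path):
        if node == target:
            chains.append(path)
            return
        for dep in needed.get(node, []):
            if dep not in path:  # guard against cycles in a malformed graph
                walk(dep, path + [dep])

    walk(root, [root])
    return chains


def audit_binary(name, readelf_output, library_needed, target):
    """Summarise whether `target` reaches `name` directly or only through other libraries."""
    graph = dict(library_needed)
    graph[name] = parse_readelf_needed(readelf_output)
    return {
        "direct": target in graph[name],
        "loaded": target in transitive_closure(name, graph),
        "chains": dependency_chains(name, target, graph),
    }


if __name__ == "__main__":
    report = audit_binary("sshd", SSHD_READELF, NEEDED, "liblzma.so.5")
    for chain in report["chains"]:
        print(" -> ".join(chain))
```

Running this on real output (`readelf -d /usr/sbin/sshd`, then `readelf -d` on each library it names) is the inventory step a distribution could use to flag security-critical daemons whose load set has grown beyond what they directly request; the interesting finding is precisely a `loaded` of True with `direct` of False.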
Why was that? Would that "trivial" approach have broken the next time systemd made one of their incompatible interface changes, perhaps? Was using libsystemd the kind of thing the systemd maintainers recommended?
> And therefore, systemd is insecure?
Systems with systemd had a vulnerability that systems without systemd did not. So it certainly seems like systemd-the-system (not necessarily systemd-the-unix-process) is bad for security.
The reason why "only" sshd on debian/ubuntu was affected is that the attacker chose to tailor their exploit to those systems. Systemd was the vehicle, debian patching opensshd was what made this specific incarnation of the attack possible, but essentially, both trusted a widely used library.
Sure. But security-critical software like SSH would certainly think twice before bringing in such a huge and complex dependency as an XML parser.
> I'm absolutely certain there's other juicy targets that depend on liblzma.
You could probably make a system package manager (which has obvious reasons to depend on a compression algorithm) do something nefarious. But that would be a more complex chain of exploitation with more chance for things to go wrong. Most security teams put more attention on security-critical parts like SSH, and I think most people would agree they're right to do so.