Blog - #1

systemd Insecurity

2022-01-29 (UTC+00:00)

Anyone who cares about security may want to switch from systemd as soon as
possible; its lead developer doesn't care about your security at all, and
makes the thing seem like an intentional government backdoor if I've ever
seen one.

"You don't assign CVEs to every single random bugfix we do, do you?"

My thoughts:
Uhh... Yes, if they're security-related.


"Humpf, I am not convinced this is the right way to announce this.
We never did that, and half the CVEs aren't useful anyway, hence I am not
sure we should start with that now, because it is either inherently
incomplete or blesses the nonsensical part of the CVE circus which we
really shouldn't bless..."

My thoughts:
CVEs are supposed to be for security, and a log of when they were
found and their severity, so yes, it *is* the correct way to announce it.
It seems as if over 95 security-conscious people think the same.


"I am not sure I buy enough into the security circus to do that though for
any minor issue..."


"Yes, as you found out "0day" is not a valid username. I wonder which tool
permitted you to create it in the first place. Note that not permitting
numeric first characters is done on purpose: to avoid ambiguities between
numeric UID and textual user names.

systemd will validate all configuration data you drop at it, making it hard
to generate invalid configuration. Hence, yes, it's a feature that we don't
permit invalid user names, and I'd consider it a limitation of xinetd that
it doesn't refuse an invalid username.

So, yeah, I don't think there's anything to fix in systemd here. I
understand this is annoying, but still: the username is clearly not valid."

My thoughts:
systemd was the thing that allowed root access just because a username
started with a number.
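
A defender-side check for the username case discussed above, as an added example that is not part of the original post or of systemd: it scans unit-file text for User=/Group= values that start with a digit but are not purely numeric IDs, the case the quoted reply calls invalid. The function names, the naming pattern, the section list and the sample unit are assumptions made for illustration, not systemd's own validation rules.

```python
import re

# Assumption: simplified naming rule based on the quoted reply (no numeric
# first character in a name). This is not systemd's validation code.
_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_-]*")
_NUMERIC_RE = re.compile(r"[0-9]+")
# Assumption: sections audited here for User=/Group= settings.
_SECTIONS = {"Service", "Socket", "Mount", "Swap"}
_DIRECTIVES = {"User", "Group"}

def classify_identity(value):
    """Classify a User=/Group= value as 'numeric-id', 'name', 'template' or 'invalid'."""
    if "%" in value:
        return "template"      # unit specifier, cannot be judged statically
    if _NUMERIC_RE.fullmatch(value):
        return "numeric-id"    # unambiguous numeric UID/GID
    if _NAME_RE.fullmatch(value):
        return "name"
    return "invalid"           # e.g. "0day": neither a number nor a valid name

def audit_unit(text):
    """Return (line_number, directive, value) for each invalid identity setting."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue           # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or section not in _SECTIONS or key not in _DIRECTIVES:
            continue
        if value and classify_identity(value) == "invalid":
            findings.append((lineno, key, value))
    return findings

# Constructed sample unit, not taken from a real system.
SAMPLE_UNIT = """\
[Unit]
Description=constructed sample

[Service]
ExecStart=/usr/bin/true
User=0day
Group=1000
"""

if __name__ == "__main__":
    for lineno, key, value in audit_unit(SAMPLE_UNIT):
        print(f"line {lineno}: {key}={value!r} is not a numeric ID or a valid name")
```

Any finding means the account the service will actually run as should be confirmed before the unit is deployed.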