Re: systemd fails to parse user that should run service

[Pali Rohár <pali.rohar () gmail com>]

On Wed, Jul 5, 2017 at 12:28, Ben Tasker wrote:
> Honestly, I think upstream have done an *awful *job of handling it so far
> (and it's far from the only example of Poettering taking the not-a-bug
> approach questionably). Their issues do have a habit of attracting trolls,
> but I think sometimes their definition of troll expands to include anyone
> who doesn't agree with them.

The worst is that fact that discussion about this problem was locked in
upstream bugtracker. Therefore there is no other option as continue
discussion about this, which I think security issue, here at
oss-security list. But problem is that upstream do not have to monitor
this list and therefore they would ignore any results.

> FWIW, I'd be inclined to agree that it needs a CVE so that downstream
> distro's can at least refer to it, and decide how (and if) they want to
> address it. Even if they decide to stick with upstream's approach, having
> the CVE at least gives them something to make sure package reviewers refer
> to.

> From the whole discussion (and not only there) it looks like that
assigning CVE should be really done as more downstream distributions
do not follow systemd's "allowed" characters in username and needs to
handle this problem somehow. Either patching systemd or change
validation for adding new user names into system...

Is somebody going to ask Mitre for CVE? Or should it be done by Red Hat?
Because upstream bug is locked, it is not possible to ask in upstream...

> I think the approach SUSE has taken is pretty good, and it's basically the
> kind of fix I'd have liked to see upstream put in place (though in their
> case, the suggestion of a config var to define whether it's acceptable is
> also a very good suggestion).

-- 
Pali Rohár
pali.rohar () gmail com