oss-sec mailing list archives
Re: systemd fails to parse user that should run service
From: Pali Rohár <pali.rohar () gmail com>
Date: Wed, 5 Jul 2017 22:03:45 +0200
On Wed, Jul 5, 2017 at 12:28, Ben Tasker wrote:
Honestly, I think upstream have done an *awful* job of handling it so far (and it's far from the only example of Poettering taking the not-a-bug approach questionably). Their issues do have a habit of attracting trolls, but I think sometimes their definition of troll expands to include anyone who doesn't agree with them.
The worst is the fact that the discussion about this problem was locked in the upstream bug tracker. Therefore there is no other option than to continue the discussion about this, which I think is a security issue, here on the oss-security list. But the problem is that upstream does not have to monitor this list and therefore they would ignore any results.
FWIW, I'd be inclined to agree that it needs a CVE so that downstream distros can at least refer to it, and decide how (and if) they want to address it. Even if they decide to stick with upstream's approach, having the CVE at least gives them something to make sure package reviewers refer to.
From the whole discussion (and not only there) it looks like assigning a CVE should really be done, as more downstream distributions do not follow systemd's "allowed" characters in usernames and need to handle this problem somehow. Either patching systemd or changing validation for adding new user names into the system... Is somebody going to ask Mitre for a CVE? Or should it be done by Red Hat? Because the upstream bug is locked, it is not possible to ask upstream...
I think the approach SUSE has taken is pretty good, and it's basically the kind of fix I'd have liked to see upstream put in place (though in their case, the suggestion of a config var to define whether it's acceptable is also a very good suggestion).
-- Pali Rohár pali.rohar () gmail com