OH NONONONO!
*inhale*
marc.info
HAAAAAAAAAAAAAAAAAAAAAA!
but y tho
>root privileges with names with special chars
Yeah, but y
lazy programming
the example used in the bug report was "0user"
This is why SystemV is superior
*inhales*
OH NO NO NO NO NO
This is MOST DEFINITELY not the only bug injected by the NSA thanks to systemd's enormous code base for a PID1 process.
> systemd
> not an NSA project
Yes, as you found out "0day" is not a valid username. I wonder which tool permitted you to create it in the first place. Note that not permitting numeric first characters is done on purpose: to avoid ambiguities between numeric UID and textual user names.
systemd will validate all configuration data you drop at it, making it hard to generate invalid configuration. Hence, yes, it's a feature that we don't permit invalid user names, and I'd consider it a limitation of xinetd that it doesn't refuse an invalid username.
So, yeah, I don't think there's anything to fix in systemd here. I understand this is annoying, but still: the username is clearly not valid.
I hope that makes sense?
go to bed leonart
Also: don't forget we don't break people's stuff with this, User=/Group= knew no counterpart in sysvinit, because priv dropping had to be implemented by the daemons manually there. If you do decide to let systemd do the priv dropping for you, we politely ask you to use portable names, so that the unit files work everywhere. And the rules we enforce are neither crazy nor random, they are the common core every distro accepts.
classic Ted, I love that guy
>So, yeah, I don't think there's anything to fix in systemd here.
I don't claim to be an expert on systemd, but don't many exploits start with layering other exploits on top, so this could be the final piece in the chain?
I guess the point pottyman is making is that if someone can make those invalid usernames it's already game over.
looks like something to work on
I just had an interesting thought.
poettering is displaying behavior that is the pre-disposition to point the finger to someone else's project.
Makes me wonder if it's possible to implant a serious exploit by splitting the logic across projects, then activating it in the wild where you know those two projects will be used.
probably already done by some CIA nigger
They aren't merging this, right?
user, I...
he's dangerously incompetent and god only knows why someone capable hasn't forked systemd yet and all systemd distros haven't switched over.
honestly i think we can hold distro maintainers just as accountable as poettering at this point for continuing to accept his bullshit.
Oy!! It's not a bug! It's a feature!
I wanna punch the guy, but I can't really deny that he's wrong in what he said. The guy who brought this "issue" up sounds a lot like those Jews who called out AMD' Ryzen chips. Yeah, we all get it, if you have physical control of a device,and root privs,you can do whatever you want. It all reads like a desperate attempt by an anti-systemd advocate. Not sure if the guy is pretending to be stupid, or if he's actually retarded.