DaemonForums
News: News regarding BSD and related.
#1
1st July 2017
Maxnix
Port Guard
Join Date: Feb 2016
Posts: 28
Linux's Systemd can be pwned via an evil DNS query

This is the systemd DNS service that Poettering & co. recommended to use...
https://www.theregister.co.uk/2017/0..._by_dns_query/

Some other considerations about resolved from Andrew Ayer's blog:
Quote:
DNS is a complicated, security-sensitive protocol. In August 2014, Lennart Poettering declared that "systemd-resolved is now a pretty complete caching DNS and LLMNR stub resolver." In reality, systemd-resolved failed to implement any of the documented best practices to protect against DNS cache poisoning. It was vulnerable to Dan Kaminsky's cache poisoning attack which was fixed in every other DNS server during a massive coordinated response in 2008 (and which had been fixed in djbdns in 1999). Although systemd doesn't force you to use systemd-resolved, it exposes a non-standard interface over DBUS which they encourage applications to use instead of the standard DNS protocol over port 53. If applications follow this recommendation, it will become impossible to replace systemd-resolved with a more secure DNS resolver, unless that DNS resolver opts to emulate systemd's non-standard DBUS API.
__________________
The world doesn't live off jam and fancy perfumes - it lives off bread and meat and potatoes. Nothing changes. All the big fancy stuff is sloppy stuff that crashes. I don't need dancing baloney - I need stuff that works. -- Theo de Raadt
#2
1st July 2017
hermano
Port Guard
Join Date: Mar 2017
Posts: 18

There are several Linux distributions that don't use systemd. For example Slackware.
#3
2nd July 2017
scottro
Real Name: Scott Robbins
ISO Quartermaster
Join Date: Apr 2008
Location: NYC
Posts: 652

RedHat, the most used in the US for commercial use (or if not them, CentOS), says that their version of systemd isn't affected.
#4
2nd July 2017
Head_on_a_Stick
Real Name: Matthew
Bitchy Nerd Elitist
Join Date: Dec 2015
Location: London
Posts: 456

Do any Linux distributions actually use systemd's "stub resolver" that is affected by this vulnerability?

I use systemd-networkd to connect in my Arch & Debian boxes but systemd-resolved's built-in DNS never worked for me and I use unbound instead (which works fine in conjunction with systemd-networkd).

The vast majority of distributions use good ol' NetworkManager and that doesn't use the stub resolver at all, AFAIK.
#5
2nd July 2017
blackhole
Spam Deminer
Join Date: Mar 2014
Posts: 314

It was identified as being vulnerable to cache poisoning a few years ago: http://seclists.org/oss-sec/2014/q4/592

And this was a few years after publication of RFC5452 (2009).

Many Linux people simply have their heads in the sand with regards to systemd and it's pretty much "bandwagon fallacy" all over again, where systemd fans are sneering at anyone who doesn't want systemd and treating the widespread adoption of shit code as "inevitable". This really proves that systemd fans aren't so different from the average windows user, who many in turn look down upon.

It seems to me that some are so heavily invested in this crap that they can't easily back out and just want others to just shut up and put up and do the same, so that they can feel more at ease with their choice.

The old "you don't have to use this bit or that bit" excuses from the apologists are wearing a bit thin.
#6
2nd July 2017
scottro
Real Name: Scott Robbins
ISO Quartermaster
Join Date: Apr 2008
Location: NYC
Posts: 652
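The blog passage quoted in post #1 and the RFC 5452 reference in post #5 both point at the same thing: a caching resolver defends against cache poisoning by making forged replies hard to guess (random transaction ID and random source port) and by refusing to cache anything a reply has no authority over (the bailiwick rule). The Python below is an added illustration of those acceptance checks; it is not code from systemd-resolved, from Andrew Ayer's blog, or from this thread. The PendingQuery and Response records, the validate() function, the addresses and the DNS records are all constructed for the example and do not reflect any real resolver's API or wire-format parsing.

```python
"""Reply-acceptance checks in the spirit of RFC 5452 (added example, not
systemd-resolved code). Everything below is constructed: the record types
stand in for a parsed DNS message, and the addresses are documentation
ranges."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingQuery:
    """What the resolver remembers about a query it sent and has not yet matched."""
    txid: int        # 16-bit DNS transaction ID
    src_port: int    # ephemeral UDP source port the query left from
    qname: str
    qtype: str
    server_ip: str   # the server the query was sent to


@dataclass(frozen=True)
class Response:
    """A reply as seen after header parsing (constructed for this example)."""
    txid: int
    dst_port: int    # UDP port the reply arrived on
    src_ip: str
    qname: str
    qtype: str
    answers: tuple     # (owner_name, type, rdata) triples
    additional: tuple


def new_query(qname: str, qtype: str, server_ip: str) -> PendingQuery:
    """Send side: draw the transaction ID and the source port from a CSPRNG,
    so a forger who cannot observe the query has about 32 bits to guess
    instead of the 16 bits of the ID alone (RFC 5452 section 4)."""
    return PendingQuery(
        txid=secrets.randbelow(1 << 16),
        src_port=1024 + secrets.randbelow(65536 - 1024),
        qname=qname, qtype=qtype, server_ip=server_ip,
    )


def _norm(name: str) -> str:
    """DNS names compare case-insensitively; a trailing dot is not significant here."""
    return name.rstrip(".").lower()


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner is at or below zone, the bailiwick the queried server serves."""
    owner, zone = _norm(owner), _norm(zone)
    return owner == zone or owner.endswith("." + zone)


def validate(pending: PendingQuery, resp: Response, zone: str):
    """Return (accepted, reason, cacheable_records).

    Each check is a precondition for caching anything from the reply. The
    bailiwick filter then drops records the reply has no authority over,
    which is what keeps unrelated names in the additional section out of
    the cache."""
    if resp.src_ip != pending.server_ip:
        return False, "source address does not match queried server", ()
    if resp.dst_port != pending.src_port:
        return False, "reply port does not match query source port", ()
    if resp.txid != pending.txid:
        return False, "transaction ID mismatch", ()
    if _norm(resp.qname) != _norm(pending.qname) or resp.qtype != pending.qtype:
        return False, "question section does not echo the query", ()
    kept = tuple(r for r in resp.answers + resp.additional
                 if in_bailiwick(r[0], zone))
    return True, "ok", kept


if __name__ == "__main__":
    # Constructed scenario: a query for www.example.com sent to 192.0.2.53,
    # whose reply carries one in-bailiwick glue record and one stray record.
    q = PendingQuery(txid=0x1A2B, src_port=51234, qname="www.example.com",
                     qtype="A", server_ip="192.0.2.53")
    reply = Response(txid=0x1A2B, dst_port=51234, src_ip="192.0.2.53",
                     qname="WWW.EXAMPLE.COM", qtype="A",
                     answers=(("www.example.com", "A", "192.0.2.10"),),
                     additional=(("ns1.example.com", "A", "192.0.2.53"),
                                 ("www.other.example", "A", "198.51.100.7")))
    print(validate(q, reply, "example.com"))
    print(validate(q, Response(**{**vars(reply), "txid": 0x1A2C}), "example.com"))
```

The order of the checks matters little for correctness, but the cheap address and port comparisons are placed first so that unsolicited traffic on the resolver's port is discarded before any name comparison runs; the stray `www.other.example` record is accepted by none of the paths because the bailiwick filter is applied to the additional section as well as the answer section.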

Practically, saying "code it yourself" or "use something else" no longer applies. RedHat is kind of the Microsoft of the Linux world and Poettering is their employee. Though various niche distributions won't use it, it's become almost impossible to avoid, at least when using Linux commercially, especially after Debian and Ubuntu went over. Yes, you could use Slack, or Gentoo, or a few others, but generally, in the US at least, people are going to expect RedHat/CentOS and/or Debian/Ubuntu.
#7
2nd July 2017
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,975

I saw this on Twitter from Rob Graham (@ErrataRob) regarding this issue:
Quote:
Among the things wrong with systemd is trying to re-invent the wheel without prior experience with wheels.
#8
3rd July 2017
scottro
Real Name: Scott Robbins
ISO Quartermaster
Join Date: Apr 2008
Location: NYC
Posts: 652

Meh, it's like insulting some politicians. There is so much obviously bad about it, but it is now there, and rather than railing against it, one just has to be on their guard to avoid its pitfalls.
#9
3rd July 2017
sacerdos_daemonis
Real Name: Will forever be a secret.
Spam Deminer
Join Date: Sep 2014
Posts: 283

Quote:
Originally Posted by scottro View Post
... but it is now there, and rather than railing against it, one just has to be on their guard to avoid its pitfalls.
There is another option. Linux users can accept the bad fact and be on guard or they can stop using Linux. But you are correct in your sentiment. The time for complaining ended a few years ago. Continuing to use the system and complaining about it makes no sense. Either use it or do not.
15th July 2017
hitest
Real Name: George Nielsen
VPN Cryptographer
Join Date: Sep 2008
Location: B.C., Canada
Posts: 373

Quote:
Originally Posted by sacerdos_daemonis View Post
There is another option. Linux users can accept the bad fact and be on guard or they can stop using Linux. But you are correct in your sentiment. The time for complaining ended a few years ago. Continuing to use the system and complaining about it makes no sense. Either use it or do not.
I run Slackware when I run Linux, and I run OpenBSD on two laptops. Both operating systems are systemd free.
__________________
hitest
15th July 2017
IdOp
Too dumb for a smartphone
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 1,027

This site, Without Systemd, has a large list of systemd-free Linux distributions. They also list many other Unix-like OSs, but I'm not sure if systemd is a direct threat to be ported to them or not.
15th July 2017
sacerdos_daemonis
Real Name: Will forever be a secret.
Spam Deminer
Join Date: Sep 2014
Posts: 283

Quote:
Originally Posted by hitest View Post
I run Slackware when I run Linux ... systemd free.
Free for now, but how long will Volkerding be able to keep it at bay?
Quote:
and I run OpenBSD on two laptops.
Which is irrelevant to the Linux developments in question.
15th July 2017
scottro
Real Name: Scott Robbins
ISO Quartermaster
Join Date: Apr 2008
Location: NYC
Posts: 652

If you're just running Linux at home, then you can use one of the variants. If using it at work, at least in the US, the most common thing to see is CentOS. A lot of people stayed on CentOS-6 to avoid systemd, but it's getting somewhat long in the tooth. We have some CentOS-7.x machines and so far, they're not horrible. Heh, just realized that I'm writing this from a CentOS-7 machine, but this is a home workstation-cum-server where I'm not that concerned.
16th July 2017
hitest
Real Name: George Nielsen
VPN Cryptographer
Join Date: Sep 2008
Location: B.C., Canada
Posts: 373

Quote:
Originally Posted by sacerdos_daemonis View Post
Free for now, but how long will Volkerding be able to keep it at bay?
Good question. Systemd is not in Slackware-current yet, so I think there is a better than average chance that the next stable release of Slackware will not have systemd. Therefore, Slackware will continue to be systemd free for the next 1-2 years.
__________________
hitest
16th July 2017
e1-531g
ISO Quartermaster
Join Date: Mar 2014
Posts: 628

The problem with replacing systemd is that it exposes, and encourages the use of, its non-standard interfaces. Software can be written to be systemd-dependent. A large part of the FOSS community's idea is to not only write, share and use freely licensed software (code), but also to use openly standardized protocols (e.g. HTTP, XMPP), file formats (e.g. Open Document Format) and programming interfaces. It seems like systemd has only freely licensed code, but does not bother to meet the other requirements of FOSS.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
16th July 2017
IdOp
Too dumb for a smartphone
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 1,027

Quote:
Originally Posted by hitest View Post
Good question. Systemd is not in Slackware-current yet, so I think there is a better than average chance that the next stable release of Slackware will not have systemd. Therefore, Slackware will continue to be systemd free for the next 1-2 years.
Yup. In fact Slackware 13.0 was released in 2009 and is still receiving patches. So the next release of Slackware (14.3 ?, 15.0 ?, 14.37 ?? ) could be expected to be supported for 7+ years. Of course, as scottro pointed out, such a system could become "long in the tooth" depending on the requirements.

Probably there's a positive side to this too. 7 years is a long time in computing. Lots can and will change. systemd could well be dead as a doornail by then, killed by its own demerits. Whatever good ideas it may have could be implemented differently. We'll probably all be worried about something else by then.
16th July 2017
e1-531g
ISO Quartermaster
Join Date: Mar 2014
Posts: 628

For me Slackware is missing security mitigations, so I prefer OpenBSD.
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase

Last edited by e1-531g; 16th July 2017 at 08:35 PM.
24th July 2017
rons
Snoozing
Join Date: Oct 2015
Posts: 69

If I must use Linux, lately I've sometimes been using Alpine. Not only does it not have systemd, it also does not have the GNU C lib.