
Bug#727708: systemd (security) bugs (was: init system question)



On Friday 29 November 2013 at 17:11 +0000, Ian Jackson wrote:
> Josselin Mouette writes ("Bug#727708: systemd (security) bugs (was: init system question)"):
> > Personally, I find the flow of bugs (including security bugs) for
> > moderately recent software the sign of a healthy project. A simple look
> > at a few packages in the BTS will show that packages with lots of
> > reported bugs are packages with lots of users and features, regardless
> > of the quality of their code: Linux, X, Iceweasel, GNOME, KDE all come
> > to mind as being full of bugs, including security bugs.
> 
> All of those components are to a greater or lesser extent optional.

Linux is optional?
X is optional? Not for everyone. (X is a bad example anyway, because,
unlike the rest, it *has* a bad security design.)

> What we are being asked is to make use of systemd mandatory.

It doesn’t mean that all of systemd’s features should be enabled on all
machines. The reason why embedded manufacturers are sponsors for
systemd’s development is that it means less code, and therefore fewer
bugs (security or not), than alternatives.

> > Indeed, systemd has not been written with security in mind.
> 
> What an alarming comment on a program which has ultimate privilege, is
> intended to be universally deployed even in the most demanding
> security environment, crosses security boundaries (without, IMO, a
> sufficient justification), and is being touted as the single
> systemwide manager for security features like cgroups !

Only an extreme minority of Debian packages have been written with
security in mind. Not all packages can be OpenSSH or Postfix, and we
have to live with that fact, because we need the features in other
packages (starting with a kernel and libc).

> > Neither have sysvinit nor upstart, AFAICT.
> 
> I will leave the upstart maintainers to comment on this in more
> detail, but sysvinit has had remarkably few security bugs for a
> program of its vintage.  This is because it has very few, and very
> restricted, interfaces to untrusted parts of the system.

And of course, there has never been any buggy init script.

Again, your comparison doesn’t make any sense since you don’t compare
similar functionality scopes.

> >  Just like we don’t hold the Mozilla developers responsible
> > for security issues in brand-new Javascript engines that maybe 10
> > developers in the world could understand.
> 
> The security record of web browsers is indeed atrocious.  It is the
> result of a persistent swamp of bad design decisions, hideous
> overcomplexity, plain bad code, and lack of attention to mitigation
> measures.  Google's efforts in this area are to be applauded, even
> though I have serious privacy problems with Google.

I’m afraid you don’t entirely understand why the security record of web
browsers looks atrocious. Because of a swamp of bad decisions *from web
developers and designers*, backed by users, browsers have to cover a
functional scope that far exceeds in complexity any other kind of
software. A typical browser has to include several virtual machines,
graphical/layout toolkits, JIT compilers, advanced cryptographic
software, all of which have to work with heaps of untrusted data. When
taking all of that into account, as much as I hate dealing with them, I
have to admit the security record for several browsers is good, and it’s
because they *are* developed with security in mind.

> It is very alarming that web browsers are being presented as the
> security benchmark for our new init system.

It is quite alarming that a member of the Technical Committee
demonstrates lacks in security knowledge while at the same time using
security bugs as a measure for comparing solutions.


This “security” discussion has nothing to do with the case in point,
though. If you have specific points you want addressed by the systemd
position (like how systemd’s upstream designs user interfaces to avoid
security bugs, or handles security alerts), please state them clearly
and I will do my best to gather information for you and answer them.

-- 
 .''`.        Josselin Mouette
: :' :
`. `'
  `-

