Bug#727708: systemd (security) bugs (was: init system question)

To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: Michael Stapelberg <stapelberg@debian.org>, 727708@bugs.debian.org, Ian Jackson <ijackson@chiark.greenend.org.uk>
Subject: Bug#727708: systemd (security) bugs (was: init system question)
From: Steve Langasek <vorlon@debian.org>
Date: Sun, 1 Dec 2013 12:11:11 -0600
Message-id: <[🔎] 20131201181111.GA26973@virgil.dodds.net>
Reply-to: Steve Langasek <vorlon@debian.org>, 727708@bugs.debian.org
In-reply-to: <20131130150714.GA4204@pisco.westfalen.local>
References: <21143.15318.826436.373171@chiark.greenend.org.uk> <21143.18559.754698.304773@chiark.greenend.org.uk> <x6wqjs9nrm.fsf@midna.lan> <20131129020716.GA8538@virgil.dodds.net> <20131130150714.GA4204@pisco.westfalen.local>

On Sat, Nov 30, 2013 at 04:07:17PM +0100, Moritz Mühlenhoff wrote:
> On Thu, Nov 28, 2013 at 08:07:16PM -0600, Steve Langasek wrote:
> > All distributions "care" about not having security issues in their code, but
> > that's not the same thing as actually doing the work to audit the code.  In
> > practice this only happens when dedicated resources are turned on the code
> > in question, and having more companies using the code does not magically
> > make that happen.

> [I took care of the systemd DSA people are referring to]

> The issue people are talking about were discovered during a review of the
> Red Hat Product Security Team (most likely triggered by the inclusion of
> systemd into RHEL7).
> So in fact having more companies use the code exactly made that magically
> happen.

No, this is a function of one specific company having a proactive security
review policy (for which they should be commended).  It has nothing to do
with how many companies are using the software.

> More review and more usage will lead to more bugs being found, we should
> rather applaud Red Hat for investing resources and be diligent. After all
> Red Hat is the only distro staffing a proactive product security team
> (from which everyone is profiting outside of RH as well). I don't consider
> the lack of reported security issues for the contenders as a credible 
> indication of them being more secure.

Red Hat shipped upstart as their init system in RHEL 6.  This did not result
in any CVEs being issued for upstart.  What conclusions should we draw from
this?

> FWIW, the main reason I'm personally in favour of adopting systemd is
> precisely security (in terms of sandboxing and restricting services).  See
> http://0pointer.de/blog/projects/security.html for some pointers.

I think such built-in sandboxing features are interesting, but not decisive.
They represent an incremental improvement over the status quo for
sandboxing, and aren't anything that couldn't be delivered as a feature in
upstart, for example, if there were demand for it.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Bug#727708: systemd (security) bugs
  - From: Russ Allbery <rra@debian.org>
- Bug#727708: systemd (security) bugs (was: init system question)
  - From: Raphael Hertzog <hertzog@debian.org>
- Bug#727708: systemd (security) bugs (was: init system question)
  - From: Moritz Muehlenhoff <jmm@inutil.org>

Next by Date: Bug#727708: systemd (security) bugs (was: init system question)
Next by thread: Bug#727708: systemd (security) bugs
Index(es):
- Date
- Thread