
Re: sshd dependency to systemd and attack surface



On Sat, Mar 30, 2024 at 12:46:51PM +0100, Marc SCHAEFER wrote:
> sshd has a dependency to systemd, and thus includes a lot of libraries,
> which augments its attack surface.

libsystemd, not systemd.

> The recent xz-utils issue [1] has led to this post by someone suggesting
> (with a patch, apparently) to confine the sshd -> systemd dependency
> in a subprocess [2].
> 
> Maybe you want to look into it?

We could do something like that, but I'd prefer to go with the patch
upstream is working on in
https://bugzilla.mindrot.org/show_bug.cgi?id=2641.  I'm going to be
doing some testing of that soon.

There's also work on the libsystemd side to load decompression libraries
only when actually needed, which they wouldn't be in this case.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]
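For readers following the thread: the dependency under discussion exists so that sshd can tell systemd it is ready, and that protocol is small enough to speak without libsystemd at all. The following is an added example, not Debian's, OpenSSH's or the bugzilla patch's code, and it assumes (the message above does not say so) that readiness notification is the only thing sshd needs from libsystemd; `notify_path`, `notify_addr` and `self_test` are names chosen here, and the `@notify-example-self-test` socket is a constructed receiver, not systemd's.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* AF_UNIX address from a $NOTIFY_SOCKET-style path ('@' = abstract Linux
 * socket).  Returns the address length, or 0 if the path is unusable. */
static socklen_t notify_addr(const char *path, struct sockaddr_un *a)
{
    size_t len = strlen(path);
    if (len == 0 || len >= sizeof(a->sun_path) || (path[0] != '/' && path[0] != '@'))
        return 0;
    memset(a, 0, sizeof(*a));
    a->sun_family = AF_UNIX;
    memcpy(a->sun_path, path, len);
    if (path[0] == '@') a->sun_path[0] = '\0';
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len);
}

/* Send one state line (e.g. "READY=1") as a single datagram; 0 on success,
 * -1 on error.  This is the entire protocol: no libsystemd, no liblzma.  A
 * daemon calls notify_path(getenv("NOTIFY_SOCKET"), "READY=1") when it is
 * serving, after checking that the variable is set at all. */
int notify_path(const char *path, const char *state)
{
    struct sockaddr_un a;
    socklen_t alen = notify_addr(path, &a);
    int fd, rc = -1;
    if (alen == 0 || (fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0)) < 0) return -1;
    if (sendto(fd, state, strlen(state), MSG_NOSIGNAL, (struct sockaddr *)&a, alen) >= 0)
        rc = 0;
    close(fd);
    return rc;
}

/* Self-check against a constructed receiver (not a real systemd socket): bind
 * an abstract socket, send READY=1 through notify_path(), read it back. */
int self_test(void)
{
    struct sockaddr_un a; char buf[32]; int fd, ok;
    const char *name = "@notify-example-self-test";
    if ((fd = socket(AF_UNIX, SOCK_DGRAM, 0)) < 0) return 0;
    ok = bind(fd, (struct sockaddr *)&a, notify_addr(name, &a)) == 0 &&
         notify_path(name, "READY=1") == 0 &&
         recv(fd, buf, sizeof(buf), 0) == 7 && memcmp(buf, "READY=1", 7) == 0;
    close(fd);
    return ok;
}
```

The attack-surface point of the thread is visible in what this does not link: the only calls are socket(2) and sendto(2), so nothing a compression library does can run inside the daemon.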