
Clarifying what 'systemd' actually means (was: Re: Remotely exploitable bug in systemd (CVE-2017-9445))



On 07/02/2017 11:24 AM, Michael Fothergill wrote:
> Could this be exploited to force people to use sysvinit instead of systemd?

This bug has nothing to do with systemd as the init system; it's in an
optional component that's disabled by default on Debian. In principle,
I suspect that resolved could also be used on sysvinit, if you really
wanted to, though I haven't tried it.

Furthermore, the systemd versions of Wheezy and Jessie are too old to
already include systemd-resolved, so they are not affected at all.

In general, I think it's helpful for everyone to take a mental note
that 'systemd' can mean two things:

 1. The init binary itself. (PID 1)

 2. A project that implements various things in userspace
    that includes the init binary, but also an assortment
    of other tools.

In fact, it might be very helpful to draw the following Venn diagram:

+---------------------------------------------------------------------+
|                          systemd project                            |
|                                                                     |
| +----------------------------+ +----------------------------------+ |
| |  init system               | |  other tools (some require that  | |
| |                            | |  systemd be PID1, others don't)  | |
| | +------------------------+ | |                                  | |
| | | systemd binary (PID 1) | | |  these are all optional when     | |
| | +------------------------+ | |  using systemd as init system,   | |
| |                            | |  and there are other projects    | |
| | +------------------------+ | |  providing similar functionality | |
| | | generators             | | |                                  | |
| | | (for supporting        | | | +------------------------------+ | |
| | | /etc/fstab, etc.)      | | | | resolved                     | | |
| | +------------------------+ | | +------------------------------+ | |
| |                            | |                                  | |
| | +------------------------+ | | +------------------------------+ | |
| | | journald               | | | | nspawn                       | | |
| | +------------------------+ | | +------------------------------+ | |
| |                            | |                                  | |
| | +------------------------+ | | +------------------------------+ | |
| | | helpers (e.g. tmpfiles | | | | sysusers                     | | |
| | | or sd-modules-load.)   | | | +------------------------------+ | |
| | +------------------------+ | |                                  | |
| |                            | | +------------------------------+ | |
| | +------------------------+ | | | networkd                     | | |
| | | user tools (systemctl, | | | +------------------------------+ | |
| | | systemd-analyze, ...)  | | |                                  | |
| | +------------------------+ | | ...                              | |
| |                            | |                                  | |
| | +-------------------------------------------------------------+ | |
| | | logind (it depends on the definitions where to put it)      | | |
| | |                                                             | | |
| | | requires systemd's interfaces to run, but there is an       | | |
| | | alternative implementation (systemd-shim) that mimics that  | | |
| | | so it can be used on sysvinit systems                       | | |
| | |                                                             | | |
| | | this (or rather, its interfaces) is what's mainly required  | | |
| | | by GNOME and others                                         | | |
| | |                                                             | | |
| | +-------------------------------------------------------------+ | |
| |                            | |                                  | |
| +----------------------------+ +----------------------------------+ |
|                                                                     |
| +-----------------------------------------------------------------+ |
| | udev                                                            | |
| |                                                                 | |
| | Doesn't require systemd as init system, but systemd requires it | |
| | (except when run in a container)                                | |
| +-----------------------------------------------------------------+ |
+---------------------------------------------------------------------+

In Debian most of the stuff in the "other tools" part is not enabled
by default, so unless you've explicitly chosen to enable it, it's very
likely that your system is NOT going to be affected by any bug in
there.

Regards,
Christian
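The distinction drawn in the mail above (systemd as PID 1 versus the optional systemd-resolved component) is exactly the one an administrator needs to make when deciding whether a resolved-only bug applies to a given host. The following script is an added example, not code from the original mail or from the systemd project: it separates the pure decision logic (testable offline) from the host probing, and reports whether resolved is actually in use. It assumes the standard unit name `systemd-resolved.service`, the `systemctl is-enabled` / `is-active` verbs, and resolved's default local stub listener address `127.0.0.53`; the resolv.conf sample in the tests is constructed.

```python
#!/usr/bin/env python3
"""Added example (not from the mail): does this host actually use systemd-resolved?

Separates 'systemd is PID 1' from 'systemd-resolved is enabled or running',
which is the distinction the mail draws.  Hosts without systemctl, or where
the unit does not exist, are handled and reported as 'unknown'.
"""
import shutil
import subprocess

# Default address of systemd-resolved's local DNS stub listener (assumption:
# the standard default, not a value taken from the mail).
STUB_RESOLVER = "127.0.0.53"
UNIT = "systemd-resolved.service"


def pid1_is_systemd(comm: str) -> bool:
    """True if the init process name (contents of /proc/1/comm) is systemd."""
    return comm.strip() == "systemd"


def resolv_conf_uses_stub(resolv_conf: str) -> bool:
    """True if any nameserver line in resolv.conf points at the resolved stub."""
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver" and fields[1] == STUB_RESOLVER:
            return True
    return False


def classify(pid1_systemd: bool, enabled: str, active: str, uses_stub: bool) -> str:
    """Summarise relevance of a bug that lives only in systemd-resolved.

    `enabled` and `active` are the raw first output lines of
    'systemctl is-enabled' and 'systemctl is-active' for the resolved unit,
    or 'unknown' when systemctl is unavailable or the unit does not exist.
    """
    if active == "active" or uses_stub:
        return "resolved in use: relevant to bugs in systemd-resolved"
    if enabled in ("enabled", "enabled-runtime"):
        return "resolved enabled but not running: relevant once it starts"
    if pid1_systemd:
        return "systemd is PID 1 but resolved is not in use: bugs in resolved do not apply"
    return "systemd is not PID 1 and resolved is not in use: bugs in resolved do not apply"


def _read(path: str) -> str:
    """Return a file's contents, or '' if it cannot be read (e.g. no /proc)."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


def _systemctl(verb: str) -> str:
    """Run 'systemctl <verb> UNIT' and return its first stdout line, or 'unknown'."""
    if shutil.which("systemctl") is None:
        return "unknown"
    proc = subprocess.run(["systemctl", verb, UNIT], capture_output=True, text=True)
    lines = proc.stdout.strip().splitlines()
    return lines[0].strip() if lines else "unknown"


def check_host() -> str:
    """Probe the running host and classify it."""
    return classify(
        pid1_is_systemd(_read("/proc/1/comm")),
        _systemctl("is-enabled"),
        _systemctl("is-active"),
        resolv_conf_uses_stub(_read("/etc/resolv.conf")),
    )


if __name__ == "__main__":
    print(check_host())
```

Run it as root or as a normal user; it only reads files and queries unit state. A host where the unit is "disabled"/"inactive" and resolv.conf points at a real nameserver lands in the "not in use" branch, which is the situation the mail describes as the Debian default.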

