
Systemd v239 released

Systemd v239 has been released with a long list of changes; click below for the full set. "A new system.conf setting NoNewPrivileges= is now available which may be used to turn off acquisition of new privileges system-wide (i.e. set Linux' PR_SET_NO_NEW_PRIVS for PID 1 itself, and thus also for all its children). Note that turning this option on means setuid binaries and file system capabilities lose their special powers. While turning on this option is a big step towards a more secure system, doing so is likely to break numerous pre-existing UNIX tools, in particular su and sudo."


From:  Lennart Poettering <lennart-AT-poettering.net>
To:  systemd Mailing List <systemd-devel-AT-lists.freedesktop.org>
Subject:  [ANNOUNCE] systemd v239
Date:  Fri, 22 Jun 2018 13:19:51 +0200
Message-ID:  <20180622111951.GA25506@gardel-login>

Heya!

I am happy to announce systemd v239:

https://github.com/systemd/systemd/archive/v239.tar.gz

Enjoy!

CHANGES WITH 239:

        * NETWORK INTERFACE DEVICE NAMING CHANGES: systemd-udevd's "net_id"
          builtin will name network interfaces differently than in previous
          versions for virtual network interfaces created with SR-IOV and NPAR
          and for devices where the PCI network controller device does not have
          a slot number associated.

          SR-IOV virtual devices are now named based on the name of the parent
          interface, with a suffix of "v<N>", where <N> is the virtual device
          number. Previously those virtual devices were named as if completely
          independent.

          The ninth and later NPAR virtual devices will be named following the
          scheme used for the first eight NPAR partitions. Previously those
          devices were not renamed and the kernel default (eth<n>) was used.

          "net_id" will also generate names for PCI devices where the PCI
          network controller device does not have an associated slot number
          itself, but one of its parents does. Previously those devices were
          not renamed and the kernel default (eth<n>) was used.

        * AF_INET and AF_INET6 are dropped from RestrictAddressFamilies= in
          systemd-logind.service. Since v235, IPAddressDeny=any has been set to
          the unit. So, it is expected that the default behavior of
          systemd-logind is not changed. However, if distribution packagers or
          administrators disabled or modified IPAddressDeny= setting by a
          drop-in config file, then it may be necessary to update the file to
          re-enable AF_INET and AF_INET6 to support network user name services,
          e.g. NIS.

        * When the RestrictNamespaces= unit property is specified multiple
          times, then the specified types are merged now. Previously, only the
          last assignment was used. So, if distribution packagers or
          administrators modified the setting by a drop-in config file, then it
          may be necessary to update the file.

        * When OnFailure= is used in combination with Restart= on a service
          unit, then the specified units will no longer be triggered on
          failures that result in restarting. Previously, the specified units
          would be activated each time the unit failed, even when the unit was
          going to be restarted automatically. This behaviour contradicted the
          documentation. With this release the code is adjusted to match the
          documentation.

        * systemd-tmpfiles will now print a notice whenever it encounters
          tmpfiles.d/ lines referencing the /var/run/ directory. It will
          recommend reworking them to use the /run/ directory instead (for
          which /var/run/ is simply a symlinked compatibility alias). This way
          systemd-tmpfiles can properly detect line conflicts and merge lines
          referencing the same file by two paths, without having to access
          them.

        * systemctl disable/unmask/preset/preset-all cannot be used with
          --runtime. Previously this was allowed, but resulted in unintuitive
          behaviour that wasn't useful. systemctl disable/unmask will now undo
          both runtime and persistent enablement/masking, i.e. it will remove
          any relevant symlinks both in /run and /etc.

        * Note that all long-running system services shipped with systemd will
          now default to a system call whitelist (rather than a blacklist, as
          before). In particular, systemd-udevd will now enforce one too. For
          most cases this should be safe, however downstream distributions
          which disabled sandboxing of systemd-udevd (specifically the
          MountFlags= setting), might want to disable this security feature
          too, as the default whitelisting will prohibit all mount, swap,
          reboot and clock changing operations from udev rules.

        * sd-boot acquired new loader configuration settings to optionally turn
          off Windows and MacOS boot partition discovery as well as
          reboot-into-firmware menu items. It is also able to pick a better
          screen resolution for HiDPI systems, and now provides loader
          configuration settings to change the resolution explicitly.

        * systemd-resolved now supports DNS-over-TLS. It's still
          turned off by default, use DNSOverTLS=opportunistic to turn it on in
          resolved.conf. We intend to make this the default as soon as a couple
          of additional techniques for optimizing the initial latency caused by
          establishing a TLS/TCP connection are implemented.

        * systemd-resolved.service and systemd-networkd.service now set
          DynamicUser=yes. The users systemd-resolve and systemd-network are
          not created by systemd-sysusers.

        * The systemd-resolve tool has been renamed to resolvectl (it also
          remains available under the old name, for compatibility), and its
          interface is now verb-based, similar in style to the other <xyz>ctl
          tools, such as systemctl or loginctl.

        * The resolvectl/systemd-resolve tool also provides 'resolvconf'
          compatibility. It may be symlinked under the 'resolvconf' name, in
          which case it will take arguments and input compatible with the
          Debian and FreeBSD resolvconf tool.

        * Support for suspend-then-hibernate has been added, i.e. a sleep mode
          where the system initially suspends, and after a time-out resumes and
          hibernates again.

        * networkd's ClientIdentifier= now accepts a new option "duid-only". If
          set the client will only send a DUID as client identifier.

        * The nss-systemd glibc NSS module will now enumerate dynamic users and
          groups in effect. Previously, it could resolve UIDs/GIDs to user
          names/groups and vice versa, but did not support enumeration.

        * journald's Compress= configuration setting now optionally accepts a
          byte threshold value. All journal objects larger than this threshold
          will be compressed, smaller ones will not. Previously this threshold
          was not configurable and set to 512.

        * A new system.conf setting NoNewPrivileges= is now available which may
          be used to turn off acquisition of new privileges system-wide
          (i.e. set Linux' PR_SET_NO_NEW_PRIVS for PID 1 itself, and thus also
          for all its children). Note that turning this option on means setuid
          binaries and file system capabilities lose their special powers.
          While turning on this option is a big step towards a more secure
          system, doing so is likely to break numerous pre-existing UNIX tools,
          in particular su and sudo.

        * A new service systemd-time-sync-wait.service has been added. If
          enabled it will delay the time-sync.target unit at boot until time
          synchronization has been received from the network. This
          functionality is useful on systems lacking a local RTC or where it is
          acceptable that the boot process shall be delayed by external network
          services.

        * When hibernating, systemd will now inform the kernel of the image
          write offset, on kernels new enough to support this. This means swap
          files should work for hibernation now.

        * When loading unit files, systemd will now look for drop-in unit files
          extensions in additional places. Previously, for a unit file name
          "foo-bar-baz.service" it would look for dropin files in
          "foo-bar-baz.service.d/*.conf". Now, it will also look in
          "foo-bar-.service.d/*.conf" and "foo-.service.d/", i.e. at the
          service name truncated after all inner dashes. This scheme allows
          writing drop-ins easily that apply to a whole set of unit files at
          once. It's particularly useful for mount and slice units (as their
          naming is prefix based), but is also useful for service and other
          units, for packages that install multiple unit files at once,
          following a strict naming regime of beginning the unit file name with
          the package's name. Two new specifiers are now supported in unit
          files to match this: %j and %J are replaced by the part of the unit
          name following the last dash.

        * Unit files and other configuration files that support specifier
          expansion now understand another three new specifiers: %T and %V will
          resolve to /tmp and /var/tmp respectively, or whatever temporary
          directory has been set for the calling user. %E will expand to either
          /etc (for system units) or $XDG_CONFIG_HOME (for user units).

        * The ExecStart= lines of unit files are no longer required to
          reference absolute paths. If non-absolute paths are specified the
          specified binary name is searched within the service manager's
          built-in $PATH, which may be queried with 'systemd-path
          search-binaries-default'. It's generally recommended to continue to
          use absolute paths for all binaries specified in unit files.

        * Units gained a new load state "bad-setting", which is used when a
          unit file was loaded, but contained fatal errors which prevent it
          from being started (for example, a service unit has been defined
          lacking both ExecStart= and ExecStop= lines).

        * coredumpctl's "gdb" verb has been renamed to "debug", in order to
          support alternative debuggers, for example lldb. The old name
          continues to be available however, for compatibility reasons. Use the
          new --debugger= switch or the $SYSTEMD_DEBUGGER environment variable
          to pick an alternative debugger instead of the default gdb.

        * systemctl and the other tools will now output escape sequences that
          generate proper clickable hyperlinks in various terminal emulators
          where useful (for example, in the "systemctl status" output you can
          now click on the unit file name to quickly open it in the
          editor/viewer of your choice). Note that not all terminal emulators
          support this functionality yet, but many do. Unfortunately, the
          "less" pager doesn't support this yet, hence this functionality is
          currently automatically turned off when a pager is started (which
          happens quite often due to auto-paging). We hope to remove this
          limitation as soon as "less" learns these escape sequences. This new
          behaviour may also be turned off explicitly with the $SYSTEMD_URLIFY
          environment variable. For details on these escape sequences see:
          https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9...

        * networkd's .network files now support a new IPv6MTUBytes= option for
          setting the MTU used by IPv6 explicitly as well as a new MTUBytes=
          option in the [Route] section to configure the MTU to use for
          specific routes. It also gained support for configuration of the DHCP
          "UserClass" option through the new UserClass= setting. It gained
          three new options in the new [CAN] section for configuring CAN
          networks. The MULTICAST and ALLMULTI interface flags may now be
          controlled explicitly with the new Multicast= and AllMulticast=
          settings.

        * networkd will now automatically make use of the kernel's route
          expiration feature, if it is available.

        * udevd's .link files now support setting the number of receive and
          transmit channels, using the RxChannels=, TxChannels=,
          OtherChannels=, CombinedChannels= settings.

        * Support for UDPSegmentationOffload= has been removed, given its
          limited support in hardware, and waning software support.

        * networkd's .netdev files now support creating "netdevsim" interfaces.

        * PID 1 learnt a new bus call GetUnitByControlGroup() which may be used
          to query the unit belonging to a specific kernel control group.

        * systemd-analyze gained a new verb "cat-config", which may be used to
          dump the contents of any configuration file, with all its matching
          drop-in files added in, and honouring the usual search and masking
          logic applied to systemd configuration files. For example use
          "systemd-analyze cat-config systemd/system.conf" to get the complete
          system configuration file of systemd how it would be loaded by PID 1
          itself. Similar to this, various tools such as systemd-tmpfiles or
          systemd-sysusers, gained a new option "--cat-config", which does the
          corresponding operation for their own configuration settings. For
          example, "systemd-tmpfiles --cat-config" will now output the full
          list of tmpfiles.d/ lines in place.

        * timedatectl gained three new verbs: "show" shows bus properties of
          systemd-timedated, "timesync-status" shows the current NTP
          synchronization state of systemd-timesyncd, and "show-timesync"
          shows bus properties of systemd-timesyncd.

        * systemd-timesyncd gained a bus interface on which it exposes details
          about its state.

        * A new environment variable $SYSTEMD_TIMEDATED_NTP_SERVICES is now
          understood by systemd-timedated. It takes a colon-separated list of
          unit names of NTP client services. The list is used by
          "timedatectl set-ntp".

        * systemd-nspawn gained a new --rlimit= switch for setting initial
          resource limits for the container payload. There's a new switch
          --hostname= to explicitly override the container's hostname. A new
          --no-new-privileges= switch may be used to control the
          PR_SET_NO_NEW_PRIVS flag for the container payload. A new
          --oom-score-adjust= switch controls the OOM scoring adjustment value
          for the payload. The new --cpu-affinity= switch controls the CPU
          affinity of the container payload. The new --resolv-conf= switch
          allows more detailed control of /etc/resolv.conf handling of the
          container. Similarly, the new --timezone= switch allows more detailed
          control of /etc/localtime handling of the container.

        * systemd-detect-virt gained a new --list switch, which will print a
          list of all currently known VM and container environments.

        * Support for "Portable Services" has been added, see
          doc/PORTABLE_SERVICES.md for details. Currently, the support is still
          experimental, but this is expected to change soon. Reflecting this
          experimental state, the "portablectl" binary is not installed into
          /usr/bin yet. The binary has to be called with the full path
          /usr/lib/systemd/portablectl instead.

        * journalctl's and systemctl's -o switch now knows a new log output
          mode "with-unit". The output it generates is very similar to the
          regular "short" mode, but displays the unit name instead of the
          syslog tag for each log line. Also, the date is shown with timezone
          information. This mode is probably more useful than the classic
          "short" output mode for most purposes, except where pixel-perfect
          compatibility with classic /var/log/messages formatting is required.

        * A new --dump-bus-properties switch has been added to the systemd
          binary, which may be used to dump all supported D-Bus properties.
          (Options which are still supported, but are deprecated, are *not*
          shown.)

        * sd-bus gained a set of new calls:
          sd_bus_slot_set_floating()/sd_bus_slot_get_floating() may be used to
          enable/disable the "floating" state of a bus slot object,
          i.e. whether the slot object pins the bus it is allocated for into
          memory or if the bus slot object gets disconnected when the bus goes
          away. sd_bus_open_with_description(),
          sd_bus_open_user_with_description(),
          sd_bus_open_system_with_description() may be used to allocate bus
          objects and set their description string already during allocation.

        * sd-event gained support for watching inotify events from the event
          loop, in an efficient way, sharing inotify handles between multiple
          users. For this a new function sd_event_add_inotify() has been added.

        * sd-event and sd-bus gained support for calling special user-supplied
          destructor functions for userdata pointers associated with
          sd_event_source, sd_bus_slot, and sd_bus_track objects. For this new
          functions sd_bus_slot_set_destroy_callback,
          sd_bus_slot_get_destroy_callback, sd_bus_track_set_destroy_callback,
          sd_bus_track_get_destroy_callback,
          sd_event_source_set_destroy_callback,
          sd_event_source_get_destroy_callback have been added.

        * The "net.ipv4.tcp_ecn" sysctl will now be turned on by default.

        * PID 1 will now automatically reschedule .timer units whenever the
          local timezone changes. (They previously got rescheduled
          automatically when the system clock changed.)

        * New documentation has been added to document cgroups delegation,
          portable services and the various code quality tools we have set up:

          https://github.com/systemd/systemd/blob/master/doc/CGROUP...
          https://github.com/systemd/systemd/blob/master/doc/PORTAB...
          https://github.com/systemd/systemd/blob/master/doc/CODE_Q...

        * The Boot Loader Specification has been added to the source tree.

          https://github.com/systemd/systemd/blob/master/doc/BOOT_L...

          While moving it into our source tree we have updated it and further
          changes are now accepted through the usual github PR workflow.

        * pam_systemd will now look for PAM userdata fields systemd.memory_max,
          systemd.tasks_max, systemd.cpu_weight, systemd.io_weight set by
          earlier PAM modules. The data in these fields is used to initialize
          the session scope's resource properties. Thus external PAM modules
          may now configure per-session limits, for example sourced from
          external user databases.

        * socket units with Accept=yes will now maintain a "refused" counter in
          addition to the existing "accepted" counter, counting connections
          refused due to the enforced limits.

        * The "systemd-path search-binaries-default" command may now be used to
          query the default, built-in $PATH PID 1 will pass to the services it
          manages.

        * A new unit file setting PrivateMounts= has been added. It's a boolean
          option. If enabled the unit's processes are invoked in their own file
          system namespace. Note that this behaviour is also implied if any
          other file system namespacing options (such as PrivateTmp=,
          PrivateDevices=, ProtectSystem=, …) are used. This option is hence
          primarily useful for services that do not use any of the other file
          system namespacing options. One such service is systemd-udevd.service
          where this is now used by default.

        * ConditionSecurity= gained a new value "uefi-secureboot" that is true
          when the system is booted in UEFI "secure mode".

        * A new unit "system-update-pre.target" is added, which defines an
          optional synchronization point for offline system updates, as
          implemented by the pre-existing "system-update.target" unit. It
          allows ordering services before the service that executes the actual
          update process in a generic way.

        Contributions from: Adam Duskett, Alan Jenkins, Alessandro Casale,
        Alexander Kurtz, Alex Gartrell, Anssi Hannula, Arnaud Rebillout, Brian
        J. Murrell, Bruno Vernay, Chris Lamb, Chris Lesiak, Christian Brauner,
        Christian Hesse, Christian Rebischke, Colin Guthrie, Daniel Dao, Daniel
        Lin, Danylo Korostil, Davide Cavalca, David Tardon, Dimitri John
        Ledkov, Dmitriy Geels, Douglas Christman, Elia Geretto, emelenas, Emil
        Velikov, Evgeny Vereshchagin, Felipe Sateler, Feng Sun, Filipe
        Brandenburger, Franck Bui, futpib, Giuseppe Scrivano, Guillem Jover,
        guixxx, Hannes Reinecke, Hans de Goede, Harald Hoyer, Henrique Dante de
        Almeida, Hiram van Paassen, Ian Miell, Igor Gnatenko, Ivan Shapovalov,
        Iwan Timmer, James Cowgill, Jan Janssen, Jan Synacek, Jared Kazimir,
        Jérémy Rosen, João Paulo Rechi Vita, Joost Heitbrink, Jui-Chi Ricky
        Liang, Jürg Billeter, Kai-Heng Feng, Karol Augustin, Kay Sievers,
        Krzysztof Nowicki, Lauri Tirkkonen, Lennart Poettering, Leonard König,
        Long Li, Luca Boccassi, Lucas Werkmeister, Marcel Hoppe, Marc
        Kleine-Budde, Mario Limonciello, Martin Jansa, Martin Wilck, Mathieu
        Malaterre, Matteo F. Vescovi, Matthew McGinn, Matthias-Christian Ott,
        Michael Biebl, Michael Olbrich, Michael Prokop, Michal Koutný, Michal
        Sekletar, Mike Gilbert, Mikhail Kasimov, Milan Broz, Milan Pässler,
        Mladen Pejaković, Muhammet Kara, Nicolas Boichat, Omer Katz, Paride
        Legovini, Paul Menzel, Paul Milliken, Pavel Hrdina, Peter A. Bigot,
        Peter D'Hoye, Peter Hutterer, Peter Jones, Philip Sequeira, Philip
        Withnall, Piotr Drąg, Radostin Stoyanov, Ricardo Salveti de Araujo,
        Ronny Chevalier, Rosen Penev, Rubén Suárez Alvarez, Ryan Gonzalez,
        Salvo Tomaselli, Sebastian Reichel, Sergey Ptashnick, Sergio Lindo
        Mansilla, Stefan Schweter, Stephen Hemminger, Stuart Hayes, Susant
        Sahani, Sylvain Plantefève, Thomas H. P. Andersen, Tobias Jungel,
        Tomasz Torcz, Vito Caputo, Will Dietz, Will Thompson, Wim van Mourik,
        Yu Watanabe, Zbigniew Jędrzejewski-Szmek

        — Berlin, 2018-06-22

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
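The headline item above is NoNewPrivileges= in system.conf, which sets PR_SET_NO_NEW_PRIVS on PID 1 so that every service inherits it. The following C program is an added example, not code from the announcement or from systemd, showing the three properties of that flag which the announcement relies on: it is inherited across fork(), the kernel refuses to clear it once set, and it can be read back both via prctl() and from /proc/self/status.

```c
/* Added example: behaviour of the Linux PR_SET_NO_NEW_PRIVS flag that the
 * new NoNewPrivileges= system.conf setting applies to PID 1 (and hence to
 * all of its children). Not systemd's own code. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if no_new_privs is set for the calling process, 0 if not, -1 on error. */
int nnp_get(void)
{
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Set the flag. After this, execve() of a setuid/setgid binary or of a file
 * carrying file-system capabilities runs it with the caller's own
 * credentials: this is why su and sudo stop working under NoNewPrivileges=yes. */
int nnp_set(void)
{
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Try to clear the flag. The kernel only accepts the value 1, so this
 * returns the errno it answers with (EINVAL); 0 would mean it succeeded. */
int nnp_try_clear(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
        return 0;
    return errno;
}

/* Read the same flag the way an administrator would check a running
 * service: the "NoNewPrivs:" line of /proc/self/status. -1 if unavailable. */
int nnp_from_proc_status(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int val = -1;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "NoNewPrivs: %d", &val) == 1)
            break;
    fclose(f);
    return val;
}

/* Fork a child and return what the child sees via PR_GET_NO_NEW_PRIVS
 * (passed back as its exit status). Shows the flag is inherited, which is
 * how setting it on PID 1 reaches every service. -1 on fork/wait failure. */
int nnp_in_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(nnp_get() == 1 ? 1 : 0);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("before: no_new_privs=%d\n", nnp_get());
    if (nnp_set() != 0) {
        perror("PR_SET_NO_NEW_PRIVS");
        return 1;
    }
    printf("after:  no_new_privs=%d (procfs says %d)\n",
           nnp_get(), nnp_from_proc_status());
    printf("clearing the flag fails with: %s\n", strerror(nnp_try_clear()));
    printf("child inherits the flag: %d\n", nnp_in_child());
    return 0;
}
```

Run it twice, once as-is and once from a shell started under `systemd-run -p NoNewPrivileges=yes`, to see the "before" value flip to 1 when the flag is already inherited from the service manager.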


Systemd v239 released

Posted Jun 25, 2018 1:43 UTC (Mon) by josh (subscriber, #17465) [Link] (3 responses)

I've been looking forward to the idea of system-wide NO_NEW_PRIVS for a long time. I look forward to seeing the corresponding changes in other parts of the ecosystem to make that possible.

Systemd v239 released

Posted Jun 25, 2018 15:28 UTC (Mon) by admalledd (subscriber, #95347) [Link] (2 responses)

I'm waiting for it to be added to the "dirty tricks professors use on trick question tests" such as the combo:

chmod -x /bin/chmod
chattr +i /bin/chmod

Systemd v239 released

Posted Jun 26, 2018 22:57 UTC (Tue) by zlynx (guest, #2285) [Link] (1 responses)

/lib64/ld-linux-x86-64.so.2 /tmp/chmod

/tmp/chmod because I didn't want to actually chmod -x /bin/chmod. Heh.

Systemd v239 released

Posted Jun 26, 2018 23:54 UTC (Tue) by josh (subscriber, #17465) [Link]

Fun. Another approach (also using /tmp/chmod for the same reason):

/tmp$ cp -a /bin/ls fixed-chmod
/tmp$ cat chmod > fixed-chmod
/tmp$ ls -l fixed-chmod
-rwxr-xr-x 1 josh josh 60224 Jun 26 16:52 fixed-chmod
/tmp$ ./fixed-chmod +x chmod

Systemd v239 released

Posted Jun 25, 2018 2:42 UTC (Mon) by scientes (guest, #83068) [Link] (24 responses)

I am most excited to see DNS-over-TLS. This helps a lot with privacy.

Systemd v239 released

Posted Jun 25, 2018 2:44 UTC (Mon) by scientes (guest, #83068) [Link] (14 responses)

I wish it was possible to turn off the libsystemd-shared. That would make it easy to drop in systemd-resolved 239 on an older systemd system.

Systemd v239 released

Posted Jun 25, 2018 4:04 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

Can you compile it statically?

Systemd v239 released

Posted Jun 25, 2018 5:50 UTC (Mon) by lkundrak (subscriber, #43452) [Link] (12 responses)

The symbols seem versioned. Presumably you could just drop in the new libsystemd along with the new resolved?

Systemd v239 released

Posted Jun 25, 2018 13:16 UTC (Mon) by mbiebl (subscriber, #41876) [Link] (11 responses)

I think you meant libsystemd-shared, not libsystemd.
systemd-networkd does not link against libsystemd.

$ objdump -x /lib/systemd/systemd-networkd | grep NEEDED
NEEDED libc.so.6
NEEDED libsystemd-shared-239.so
NEEDED librt.so.1
NEEDED libcap.so.2
NEEDED libip4tc.so.0
NEEDED libselinux.so.1
NEEDED libidn.so.11
NEEDED libmount.so.1
NEEDED libpthread.so.0
NEEDED ld-linux-x86-64.so

Systemd v239 released

Posted Jun 25, 2018 22:44 UTC (Mon) by kloczek (guest, #6391) [Link]

# awk '/\/usr/ {print $6}' /proc/1/smaps | sort | uniq
/usr/lib64/gconv/gconv-modules.cache
/usr/lib64/ld-2.27.9000.so
/usr/lib64/libacl.so.1.1.0
/usr/lib64/libargon2.so.0
/usr/lib64/libattr.so.1.1.0
/usr/lib64/libaudit.so.1.0.0
/usr/lib64/libblkid.so.1.1.0
/usr/lib64/libc-2.27.9000.so
/usr/lib64/libcap-ng.so.0.0.0
/usr/lib64/libcap.so.2.25
/usr/lib64/libcryptsetup.so.12.3.0
/usr/lib64/libdevmapper.so.1.02
/usr/lib64/libdl-2.27.9000.so
/usr/lib64/libgcc_s-8-20180502.so.1
/usr/lib64/libgcrypt.so.20.2.3
/usr/lib64/libgpg-error.so.0.24.2
/usr/lib64/libidn2.so.0.3.4
/usr/lib64/libip4tc.so.0.1.0
/usr/lib64/libjson-c.so.4.0.0
/usr/lib64/libkmod.so.2.3.3
/usr/lib64/liblz4.so.1.8.2
/usr/lib64/liblzma.so.5.2.4
/usr/lib64/libm-2.27.9000.so
/usr/lib64/libmount.so.1.1.0
/usr/lib64/libpam.so.0.84.2
/usr/lib64/libpcap.so.1.8.1
/usr/lib64/libpcre2-8.so.0.7.0
/usr/lib64/libpthread-2.27.9000.so
/usr/lib64/librt-2.27.9000.so
/usr/lib64/libseccomp.so.2.3.3
/usr/lib64/libselinux.so.1
/usr/lib64/libsepol.so.1
/usr/lib64/libudev.so.1.6.11
/usr/lib64/libunistring.so.2.1.0
/usr/lib64/libuuid.so.1.3.0
/usr/lib64/libz.so.1.2.11
/usr/lib/locale/locale-archive
/usr/lib/systemd/libsystemd-shared-239.so
/usr/lib/systemd/systemd

Systemd v239 released

Posted Jun 26, 2018 7:35 UTC (Tue) by lkundrak (subscriber, #43452) [Link] (9 responses)

Ah, in that case the whole library is versioned and you could just copy it next to the old one?

Systemd v239 released

Posted Jun 26, 2018 11:58 UTC (Tue) by kloczek (guest, #6391) [Link] (8 responses)

The problems are:
1) this list is too long
2) there are several functional duplicates
3) mounting and unmounting is such a unique operation that putting such operations straight into PID 1 is idiotic

ad 2) For example, libc provides regular expression functions, and for not-so-sophisticated regexps the SELinux libraries chose pcre.
Everything is linked with THREE compression libraries!!!
UTF operations are in libc and despite this libunistring is used.
Why must module operations be straight in PID 1? (libkmod)
Why must init be responsible for authentication? (libpam, libargon).
ACL and ext attrs?
JSON operations?
What is a network monitoring and network traffic dumping library doing here? (libpcap)
What is PID 1 calculating that is so important that it must use FPU libm functions?

Systemd v239 released

Posted Jun 26, 2018 14:00 UTC (Tue) by judas_iscariote (guest, #47386) [Link] (7 responses)

The way you are determining the libraries needed by PID1 is incorrect: you need to look at the ELF DT_NEEDED entries, otherwise your conclusions will be garbage. Other libraries are not used by systemd but are indirect dependencies; in such a case you may direct your badly thought out questions to the relevant project.

readelf --dynamic /usr/lib/systemd/systemd | grep NEEDED

Systemd v239 released

Posted Jun 27, 2018 8:28 UTC (Wed) by kloczek (guest, #6391) [Link] (6 responses)

Bollocks.
All those libraries are in the process address space.
It doesn't matter that some of those libraries are used not directly by PID 1 but by libraries linked with systemd.

$ objdump -x /usr/lib/systemd/systemd| grep NEEDED
NEEDED libsystemd-shared-239.so
NEEDED librt.so.1
NEEDED libseccomp.so.2
NEEDED libselinux.so.1
NEEDED libmount.so.1
NEEDED libpam.so.0
NEEDED libaudit.so.1
NEEDED libkmod.so.2
NEEDED libgcc_s.so.1
NEEDED libpthread.so.0
NEEDED libc.so.6

$ objdump -x /usr/lib/systemd/libsystemd-shared-239.so| grep NEEDED
NEEDED librt.so.1
NEEDED libcap.so.2
NEEDED libacl.so.1
NEEDED libcryptsetup.so.12
NEEDED libgcrypt.so.20
NEEDED libip4tc.so.0
NEEDED libseccomp.so.2
NEEDED libselinux.so.1
NEEDED libidn2.so.0
NEEDED liblzma.so.5
NEEDED liblz4.so.1
NEEDED libblkid.so.1
NEEDED libmount.so.1
NEEDED libgcc_s.so.1
NEEDED libpthread.so.0
NEEDED libc.so.6
NEEDED ld-linux-x86-64.so.2

As you see, for example, libsystemd-shared directly uses more than one compression library.

Systemd v239 released

Posted Jun 27, 2018 10:54 UTC (Wed) by cortana (subscriber, #24596) [Link] (2 responses)

> All those libraries are in the process address space.

Oh, no, how terrible.

USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.0 242272  8952 ?        Ss   Jun19   1:12 /lib/systemd/systemd --system --deserialize 16

Anyway, I don't see anything in src/shared referring to any symbols from liblzma or liblz4, so perhaps they are pulled in at build time? These things can slip in unless you (and all your transitive dependencies) take care to link using --as-needed...

Systemd v239 released

Posted Jun 27, 2018 11:32 UTC (Wed) by excors (subscriber, #95769) [Link] (1 responses)

If I'm reading the build scripts correctly, libshared statically links libjournal_client, using "link_whole" so that all symbols (even unused ones) are included, because libshared intentionally wants to export the journal API (because it's commonly used functionality). The journal is what uses liblz4/liblzma.

Systemd v239 released

Posted Jun 28, 2018 9:20 UTC (Thu) by cortana (subscriber, #24596) [Link]

You're quite right, thanks for pointing me in the right direction. I guess things would be a little cleaner if the sd-journal(3) functionality for reading the journal would be split into a separate library--that way libsystemd clients, most of whom would only ever want to write to the journal, wouldn't need those libraries being pulled in. But does this make any practical difference on a non-embedded system? I don't think so.

Systemd v239 released

Posted Jun 27, 2018 11:15 UTC (Wed) by excors (subscriber, #95769) [Link] (2 responses)

What's wrong with using multiple compression libraries? Different compression algorithms have different tradeoffs of performance vs compression ratio, so they are useful in different situations. And sometimes they're just needed for compatibility with files or protocols that made different algorithm choices.

In systemd it looks like they compress the journal and coredumps with LZ4 if built with --enable-lz4, or fall back to XZ(/LZMA) if --enable-xz, or fall back to uncompressed. If both are enabled then both are supported for compatibility with reading old data files.

When looking at indirect dependencies, it's not surprising that the authors of library A might choose to use library B that implements feature C, while the authors of D might choose E that implements the same C. Then F comes along and wants to use both A and D, and they end up with two libraries that both implement C. Unless you want to forbid either competition between libraries or code reuse, that situation will continue to occur.

Systemd v239 released

Posted Jun 29, 2018 13:05 UTC (Fri) by kloczek (guest, #6391) [Link] (1 responses)

Systemd has a separate process which stores logs in compressed form.
systemd's source code is so crappy that there is no proper separation between the PID 1 process and the functionality of other processes.

Systemd v239 released

Posted Jun 29, 2018 18:30 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

Have you actually checked it? The PID1 code is clearly segregated from other tools.

Systemd v239 released

Posted Jun 25, 2018 13:50 UTC (Mon) by ibukanov (subscriber, #3942) [Link] (8 responses)

It depends on the longer-term effects. With authoritarian governments it may push them to require that all devices have government-issued certificates that can fake any domain. And even in not so authoritarian countries an ISP may offer discounts if a user installs such certificates so the ISP can inject ads into any TLS traffic.

Systemd v239 released

Posted Jun 25, 2018 15:07 UTC (Mon) by Wol (subscriber, #4433) [Link] (7 responses)

> And even in not so authoritarian countries an ISP may offer discounts if a user installs such certificates so the ISP can inject ads into any TLS traffic.

Until somebody signs up for this and a safety-critical system falls over ... THIS REALLY HAPPENED!

Ages ago (sorry can't remember details :-) some router manufacturer thought it would be a good idea to stick ads in http traffic passing through. Until someone installed one of these routers in an environment that ran "control traffic over http". Obviously, the system started misbehaving and it came out that this is what was happening. The router was very rapidly patched to remove this behaviour.

The post office is not allowed to interfere with mail (unless they believe the law is being broken). ISPs should not interfere with traffic going over their network! Either they are common carriers, with no liability other than passing traffic through, or they take editorial control AND LIABILITY, which means they have to pay for their cock-ups!

Cheers,
Wol

Systemd v239 released

Posted Jun 25, 2018 16:30 UTC (Mon) by ibukanov (subscriber, #3942) [Link] (6 responses)

I am not talking about ISPs doing that without user consent. Rather they can explicitly offer a discount if a user opts in. This would be like a post office offering a discount if the receiver is OK with letters stuffed with ads.

Systemd v239 released

Posted Jun 25, 2018 16:37 UTC (Mon) by excors (subscriber, #95769) [Link] (5 responses)

Why is DNS-over-TLS relevant in that situation? It seems like ISPs and authoritarian governments could do (and do) exactly the same things with traditional DNS, but much more easily.

Systemd v239 released

Posted Jun 25, 2018 18:11 UTC (Mon) by ibukanov (subscriber, #3942) [Link] (4 responses)

Consider the current situation in Russia. The censorship block there is implemented either via IP addresses or via DNS. Since most sites are banned only by DNS resolvers at local ISPs, a trivial way to circumvent that, at least until recently, was to use DNS resolvers outside of Russia. Yet the government has not bothered to close even this trivial hole, as the block worked against the majority of the population and that was enough for the government.

The moment the blocking needs to decrypt TLS sessions for most people, they will consider more drastic measures like requiring filtering based on the SNI header or, when that is encrypted according to various proposals, requiring government certificates to be installed on all devices.

So the current push by Google and Facebook to encrypt all meta-information may be helpful to improve privacy in the short term at the cost of a total lack of privacy in the longer term.

Systemd v239 released

Posted Jun 25, 2018 18:49 UTC (Mon) by rgmoore (✭ supporter ✭, #75) [Link] (2 responses)

So the current push by Google and Facebook to encrypt all meta-information may be helpful to improve privacy in the short term at the cost of a total lack of privacy in the longer term.

If the government has the power to force everyone to use the drastic measures you discuss, any measure of privacy was going to go away soon anyway.

Systemd v239 released

Posted Jun 25, 2018 19:28 UTC (Mon) by ibukanov (subscriber, #3942) [Link] (1 responses)

This is not necessarily so. It is costly to decrypt all the traffic. So if a government can get what it needs just from meta-information, it will not bother with the information itself, so the current status quo of open meta and encrypted content may continue for quite some time. Encrypting meta may trigger a drastic backlash.

Systemd v239 released

Posted Jun 26, 2018 20:20 UTC (Tue) by rahvin (guest, #16953) [Link]

His point is that once the government has the ability to hit you with the iron pipe to force your compliance, your only privacy is how much work it is for them to hit you with the iron pipe. Or in other words....

Your entire argument is based on the idea that you have privacy because it's too much bother to record everything, and that if the companies force their hand they'll insist on that forced decoding so they can record everything. But you don't have privacy in the first case either; it's clear the government already has the power, just that you aren't interesting enough for them to use it, but other people are. That's not actually a protection of your privacy, hopefully you realize that.

The root cert that can decode all traffic has significant issues and isn't the catch-all you present it as. There are significant risks with such a system, if ever implemented, because you've put a single point of failure on the entire economy and privacy of the nation. That single cert can spy on your entire nation; its loss would be catastrophic and protecting it would be extremely difficult.

Systemd v239 released

Posted Jun 26, 2018 11:30 UTC (Tue) by excors (subscriber, #95769) [Link]

If their current implementation of censorship is so lacklustre and easily bypassed, that suggests either the government is incompetent, or under-resourced, or simply isn't aiming for comprehensive censorship. (I imagine you don't need to prevent 100% of people from hearing about some dangerous idea, if blocking 95% is sufficient to prevent that idea from snowballing and becoming a serious threat to the government. And trying to shut down the other 5% might cause significant economic harm by unintentionally blocking legitimate traffic, so they can't just implement a whitelist approach and block any traffic they don't understand.)

When technology becomes more secure, those conditions will stay the same. If the government is incompetent or under-resourced then they won't be able to keep up, and the security will be successful. If they do have the competence and resources, they'll come up with the simplest solution that works 95% of the time and can still be trivially bypassed by the 5% - just use a non-default DNS-over-TLS server, or a non-default protocol (like legacy DNS-over-UDP), or a VPN, or develop new protocols that tunnel properly-encrypted data inside the decryptable-by-government traffic (DNS-over-TLS-over-DNS-over-TLS), or whatever, because software is endlessly flexible and will always be able to bypass blacklists. You wouldn't be any worse off than you are now.

If you're in the 5%, you're only in danger if the government decides they want to change the conditions and oppress you more, and that's a political problem rather than a technological one.

Systemd v239 released

Posted Jun 25, 2018 16:24 UTC (Mon) by dbe (guest, #100351) [Link] (7 responses)

So about the no-new-privileges... how does that work? When a setuid binary is execd it’s immediately in its new UID... right? Maybe that’s not the case?

Systemd v239 released

Posted Jun 25, 2018 18:42 UTC (Mon) by josh (subscriber, #17465) [Link] (2 responses)

Quoting "man prctl":

PR_SET_NO_NEW_PRIVS (since Linux 3.5)

Set the calling thread's no_new_privs bit to the value in arg2. With no_new_privs set to 1, execve(2) promises not to grant privileges to do anything that could not have been done without the execve(2) call (for example, rendering the set-user-ID and set-group-ID mode bits, and file capabilities non-functional). Once set, this bit cannot be unset. The setting of this bit is inherited by children created by fork(2) and clone(2), and preserved across execve(2).

Systemd v239 released

Posted Jun 25, 2018 18:53 UTC (Mon) by josh (subscriber, #17465) [Link] (1 responses)

Here's a sample:
$ cat nnp.c 
#include <err.h>
#include <sys/prctl.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    if (argc < 2)
        errx(1, "Usage: nnp prog [args]");

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        err(1, "prctl");

    execvp(argv[1], argv+1);
    err(1, "execvp");
}
$ gcc nnp.c -o nnp
$ cp -a /usr/bin/id id
$ sudo chown root:root id
$ sudo chmod u+s id
$ ./id -un
root
$ ./nnp ./id -un
josh
$ ./nnp bash
$ ./id -un
josh
$ sudo id
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

Systemd v239 released

Posted Jun 25, 2018 20:39 UTC (Mon) by comio (subscriber, #115526) [Link]

Very clear, thanks.

Ciao

Systemd v239 released

Posted Jun 25, 2018 19:04 UTC (Mon) by ebiederm (subscriber, #35028) [Link] (3 responses)

Note this affects setcap executables as well. So one of the recent trends, getting away from setuid executables by replacing them with setcap executables, will also stop functioning.

Systemd v239 released

Posted Jun 26, 2018 9:36 UTC (Tue) by ibukanov (subscriber, #3942) [Link] (2 responses)

In quite a few cases an executable with setcap can be replaced by ambient capabilities. For example, on my system nginx runs as a user with no capabilities set on the executable, yet it can listen on ports 80/443 due to ambient CAP_NET_BIND_SERVICE granted to it by systemd. This way an arbitrary instance of nginx cannot listen on privileged ports.

Systemd v239 released

Posted Jun 28, 2018 7:47 UTC (Thu) by smurf (subscriber, #17840) [Link] (1 responses)

Ideally it would get these ports passed in from systemd, thus would not need any privileges at all.

Systemd v239 released

Posted Jul 2, 2018 20:11 UTC (Mon) by k8to (guest, #15413) [Link]

Maybe enough for nginx. There are some programs which close and re-open their ports in some cases where the capability would be useful.
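The two alternatives discussed in this sub-thread (ambient capabilities versus socket activation) as unit files, added here as an example and not taken from the thread, from systemd or from nginx. The unit names, the `www` user and group, and the `/usr/local/bin/web` binary are assumed; the directives themselves (NoNewPrivileges=, AmbientCapabilities=, CapabilityBoundingSet=, ListenStream=, Sockets=) are documented in systemd.exec(5), systemd.service(5) and systemd.socket(5).

```ini
# Variant 1: web-ambient.service (assumed name)
# The service binary carries no setuid bit and no file capability, so it
# keeps working once PID 1 has no_new_privs set. systemd raises the listed
# capability into the ambient set before execve(), and ambient capabilities
# survive execve() regardless of no_new_privs; file capabilities do not.
[Unit]
Description=Web service holding CAP_NET_BIND_SERVICE itself

[Service]
User=www
Group=www
ExecStart=/usr/local/bin/web --listen 0.0.0.0:80 --listen 0.0.0.0:443
# Set it per unit as well, so the unit does not rely on system.conf.
NoNewPrivileges=yes
# The only capability the process may ever hold, and the only one it gets.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

# Variant 2: web.socket + web.service (assumed names)
# PID 1 binds the privileged ports and passes the listening sockets to the
# service as file descriptors 3 and 4 (LISTEN_FDS=2 in the environment),
# so the service needs no capability at all.
[Unit]
Description=Listening sockets for the web service

[Socket]
ListenStream=80
ListenStream=443
# Keep the sockets open across service restarts.
Accept=no

[Install]
WantedBy=sockets.target

# web.service
[Unit]
Description=Web service receiving its ports from systemd
Requires=web.socket

[Service]
User=www
Group=www
Sockets=web.socket
# --inherit-fds is an assumed flag meaning "use the passed sockets".
ExecStart=/usr/local/bin/web --inherit-fds
NoNewPrivileges=yes
# Empty bounding set: the service cannot hold any capability.
CapabilityBoundingSet=
```

Variant 2 is the one smurf suggests and is preferable where the daemon can accept pre-opened sockets (nginx cannot out of the box; it expects to bind its own ports, which is why variant 1 is what ibukanov describes). Variant 1 is also what k8to's case needs: a daemon that closes and rebinds its listening ports at run time must hold CAP_NET_BIND_SERVICE itself, since a passed-in descriptor cannot be reopened by an unprivileged process. On a running service, `grep -E 'NoNewPrivs|CapAmb|CapEff' /proc/$(systemctl show -p MainPID --value web.service)/status` shows whether no_new_privs took effect (1) and which capabilities the process actually holds.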


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds