[ale] systemd bad. Very bad.

Solomon Peachy pizza at shaftnet.org
Thu Jun 29 23:15:16 EDT 2017 

On Thu, Jun 29, 2017 at 06:13:47PM -0400, Alan Hightower wrote:
> As a 3rd party to the conversation, I don't believe that comment is
> fair. The Heartbleed vulnerability was focused on the primary purpose of
> SSL (encrypted connectivity). You cannot avoid those issues without
> limiting the base functionality. 

You're correct in that it's not a fair comparison, just not for the 
reason you mentioned.

The Heartbleed vunerability was not part of the "base functionality" of 
SSL/TLS -- Instead, it was in an optional extension ("heartbeat") which 
which nearly nobody actually used.  The crucial difference is that this 
extension was nonetheless always present and enabled for all users of 
OpenSSL, capable of being trivially remotely exploited once an encrypted 
connection was established but before any data was sent -- ie layered 
on top of the "base functionality" of SSL/TLS.

> I believe the original poster's point was DNS look-ups are outside the
> core feature of what an init system is supposed to provide - local-only
> hierarchical control of system startup. 

Yes, he's correct in that it's outside what an init system should 
provide.  And oddly enough, the systemd authors would completely agree 
with him in that respect -- which is why it isn't actually part of the 
"core features" of systemd, instead living in a standalone daemon that 
doesn't actually depend on systemd running in order to function.

Is this vulnerability a problem that needs fixing?  Absolutely.  But if 
'systemd' hadn't been part of its name it would have barely merited 
commenting upon, as this vulnerability is no different to the many 
vulnerabilities that every other DNS resolver out there has had over the 
years.  And on my system, there are at least six resolvers installed -- 
dnsmasq, unbound, bind/dig, networkmanager, glibc, and systemd-resolved.  
Or maybe that's actually eight, as I think both Chrom[ium] and Firefox 
include their own resolvers as well.

(Heck, systemd-resolved arguably has a _better_ security track record 
 than the others.  But it is also the newest..)

 - Solomon
-- 
Solomon Peachy			       pizza at shaftnet dot org
Delray Beach, FL                          ^^ (email/xmpp) ^^
Quidquid latine dictum sit, altum videtur.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: not available
URL: <http://mail.ale.org/pipermail/ale/attachments/20170629/08b1af26/attachment.sig>

More information about the Ale mailing list