Date: Wed, 5 Jul 2017 22:12:11 -0400
From: Jeffrey Walton <noloader@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: systemd fails to parse user that should run service

On Sun, Jul 2, 2017 at 5:08 AM, Daniel Skowroński <daniel@...nf.net> wrote:
> Just wanted to bring attention to issue with systemd not doing what is expected when parsing User that should run service.
> When it fails to parse string starting with digit it fails back to root causing obvious threat to security.
>
> See discussion with developer on github: https://github.com/systemd/systemd/issues/6237

Point 1 from https://github.com/systemd/systemd/issues/6237#issuecomment-312479534
seems to be a problem:

> systemd is not the one coming up with the restrictions on user names,
> and while some distributions are less restrictive, many do enforce the
> same restrictions as we do. In order to make systemd unit files
> portable between systems we'll hence enforce something that
> resembles more the universally accepted set, rather than accept the
> most liberal set possible.

systemd is effectively setting policy where it has no business doing so.

Jeff
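
Added example, not part of the original message and not systemd code: a small audit that flags `User=`/`Group=` values in `[Service]` sections that start with a digit, the case the thread says ends with the service running as root. The sample unit, the account name `7svc`, and the rule that an all-digit value is a numeric ID rather than a name are assumptions of this example.

```python
import re
from pathlib import Path

# Constructed sample unit; "7svc" is a made-up account name that starts with a digit.
SAMPLE_UNIT = """\
[Unit]
Description=constructed example

[Service]
# User=9old is commented out and must be ignored
User=7svc
Group=1000
ExecStart=/usr/bin/id
"""

SETTING = re.compile(r"^(User|Group)\s*=\s*(.*)$")
UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system")

def audit_unit(text, name="<unit>"):
    """Return (unit, line_no, key, value) for each [Service] User=/Group= value
    that starts with a digit but is not purely numeric."""
    findings, section = [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = SETTING.match(line)
        if section == "Service" and m:
            key, value = m.groups()
            # Assumption: an all-digit value is a numeric UID/GID, not a name.
            if value[:1].isdigit() and not value.isdigit():
                findings.append((name, line_no, key, value))
    return findings

def audit_dirs(dirs=UNIT_DIRS):
    """Scan *.service files in the given directories (drop-ins are not merged)."""
    findings = []
    for d in dirs:
        for path in sorted(Path(d).glob("*.service")):
            try:
                findings += audit_unit(path.read_text(errors="replace"), str(path))
            except OSError:
                continue  # unreadable file or dangling symlink
    return findings

if __name__ == "__main__":
    for unit, line_no, key, value in audit_unit(SAMPLE_UNIT) + audit_dirs():
        print(f"{unit}:{line_no}: {key}={value} starts with a digit; confirm the service does not run as root")
```

For any unit it reports, compare the running service's actual UID with the intended account before trusting the unit file.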