Message-ID: <20170705211451.GA16241@hurricane.linuxnetz.de>
Date: Wed, 5 Jul 2017 23:14:51 +0200
From: Robert Scheck <robert@...oraproject.org>
To: oss-security@...ts.openwall.com
Subject: Re: systemd fails to parse user that should run service

On Wed, 05 Jul 2017, Perry E. Metzger wrote:
> On Wed, 5 Jul 2017 13:28:43 +0100 Ben Tasker <ben@...tasker.co.uk>
> wrote:
> > FWIW, I'd be inclined to agree that it needs a CVE so that
> > downstream distros can at least refer to it, and decide how (and
> > if) they want to address it.
>
> +1
>
> I don't care much if the developers deny that this is a problem. It is
> a problem.

+1 for both, the CVE and that this is a problem. The service should not be
started with more (!) permissions simply if parsing the username fails. As a
security-sensitive guy I do not want to see random software started with
root permissions, because the random username fails to be parsed by some
systemd code.

Regards,
Robert