|
Message-ID: <CAH8yC8nDE3RG1yeWg3WbH1eZSJqTi9kdHfFL6Hfq_7cGZPEnDg@mail.gmail.com> Date: Wed, 5 Jul 2017 22:12:11 -0400 From: Jeffrey Walton <noloader@...il.com> To: oss-security@...ts.openwall.com Subject: Re: systemd fails to parse user that should run service On Sun, Jul 2, 2017 at 5:08 AM, Daniel SkowroĊski <daniel@...nf.net> wrote: > Just wanted to bring attention to issue with systemd not doing what is expected when parsing User that should run service. > When it fails to parse string starting with digit it fails back to root causing obvious threat to security. > > See discussion with developer on github: https://github.com/systemd/systemd/issues/6237 Point 1 from https://github.com/systemd/systemd/issues/6237#issuecomment-312479534 seems to be a problem: > systemd is not the one coming up with the restrictions on user names, > and while some distributions are less restrictive, many do enforce the > same restrictions as we do. In order to make systemd unit files > portable between systems we'll hence enforce something that > resembles more the universally accepted set, rather than accept the > most liberal set possible. systemd is effectively setting policy where it has no business doing so. Jeff
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.