:: Re: [DNG] What is an init system? O…
トップ ページ
このメッセージを削除
このメッセージに返信
著者: Didier Kryn
日付:  
To: dng
題目: Re: [DNG] What is an init system? OT
Le 11/05/2024 à 04:55, Joel Roth via Dng a écrit :
> Steve Litt wrote:
>> Systemd is a complexificated catastrophe.
> I probably shouldn't be stoking the fires again, but what
> the hell?
>
> By some definitions (thanks to its gigantic code base and
> diatomaceous surface area) systemd is a huge contribution to
> the IT economy, creating new layers and dimensions of
> mystery, not to mention opportunities for security holes.
>
> Or, it's a power grab, so cleverly engineered that in a
> decade, 98% or so of linux computers have been innoculated
> with this alien code, the evil spawn of Microsoft ;-)
> Interestingly, the engineer who discovered the exploit was
> working on Microsoft's Postgresql offering.
>
> There was significant social engineering to introduce
> malicious code into the xz distribution distribution
> tarball.
>
> The final step in the chain of vulnerabilities came by
> the linking of the xz and sshd libraries to systemd.
>
>     Any library can tamper with the inner workings of any
>     executable it is linked against.
>
>     IFUNC, a mechanism in glibc that allows for indirect
>     function calls, is used to perform runtime
>     hooking/redirection of OpenSSH's authentication
>     routines. IFUNC is a tool that is normally used for
>     legitimate things, but in this case it is exploited for
>     this attack path. [introduced in v 2.11.1, 2009]
>
>     Debian and many other Linux distributions add a patch to
>     link sshd to systemd, a program that loads a variety of
>     services during the system bootup. Systemd, in turn,
>     links to liblzma, and this allows xz Utils to exert
>     control over sshd.
>
> https://arstechnica.com/security/2024/04/what-we-know-about-the-xz-utils-backdoor-that-almost-infected-the-world/
>
> Cheers, and wishing you safe computing,
>

    This is the major argument for Musl libc to *not* support IFUNC.

    Dependencies are like hell, both for package management and
security. Try to avoid them as much as possible; this was the original
reason why I developped hopman, and I'm currently working on a web
application with absolutely no dependency (except libc and kernel, of
course).

--     Didier