I published my thoughts on the systemd “0day username gets root access” bug a few days ago. That got quite the attention and the discussion in places like HN, Reddit & Twitter.
In a blog post on Sunday, Mattias Geniar, a developer based in Belgium, said the issue qualifies as a bug because systemd’s parsing of the User= parameter in unit files falls back on root privileges when user names are invalid.
It would be better, Geniar said in an email to The Register, if systemd defaulted to user rather than root privileges. Geniar stressed that while this presents a security concern, it’s a not a critical security issue because the attack vectors are limited.
My reply to their inquiry was a bit more nuanced than that though, so for the sake of transparency I’ll publish my response below.
They also reached out on Twitter to confirm that “the snark is all theirs, of course” – I appreciate that!
My response to The Register
The e-mail starts of with a set of questions.
Lennart Poettering seems disinclined to accept that systemd should
check for invalid names.
I think he’s right in that systemd doesn’t have to check for invalid names, after all – those shouldn’t even get on the system in the first place. It would be nice if systemd did though, the more validation the better. Any webdeveloper knows he/she shouldn’t blindly trust user input, so why should systemd?
In this regard, I think Lennart is absolutely right that systemd should & does try to validate the username.
However, the problem here is that the username “0day” is a legit username, that’s being validated as invalid, after which systemd falls back to its system default, root. Arguably, perhaps not a sane default and a non-privileged user would be better.
I wanted to find out why you see the issue with systemd as a security
flaw. How might the ability to create a user with a name like “0day”
if I can be 100% clear upfront: this flaw/bugreport in systemd is most definitely a security issue. However, even though it sounds bad, it’s not a critical security issue. Attack vectors are limited, but they exist. My post was mostly aimed at preventing bad press that would interpret this bug as “if your username contains a digit, you can become root”.
In order to exploit this, you need;
- a username that gets interpreted by systemd as invalid (there are most likely more potential usernames that get interpreted as invalid)
- a systemd unit file to launch a script or service
Here’s where this is a potential issue;
- Shared hosting: systems that allow a username to be chosen by the client, that eventually run PHP, Ruby, … as that user. On RHEL/CentOS7, those could (1) get started by systemd
- Self-service portals that use systemd to manage one-off or recurring tasks with systemd
- Any place that allows user input for systemd-managed tasks, think controlpanels like Plesk, DirectAdmin, … that allow usernames to be chosen for script execution
(1) those implementing shared hosting have a wide variety of ways to implement it though, so no guarantee that it’s going to be a unit file with systemd.
In most cases (all?), you need at least access to the system already in one way or another, to try and use this bug as a security vector to get privilege escalation.