[175476] in North American Network Operators' Group

Re: Linux: concerns over systemd adoption and Debian's decision to

daemon@ATHENA.MIT.EDU (John Schiel)
Wed Oct 22 16:22:47 2014

X-Original-To: nanog@nanog.org
Date: Wed, 22 Oct 2014 14:22:58 -0600
From: John Schiel <jschiel@flowtools.net>
To: nanog@nanog.org
In-Reply-To: <21169.1414006229@turing-police.cc.vt.edu>
Errors-To: nanog-bounces@nanog.org


On 10/22/2014 01:30 PM, Valdis.Kletnieks@vt.edu wrote:
> On Wed, 22 Oct 2014 13:13:29 -0600, John Schiel said:
>
>> I was beginning to wonder how secure systemd is also.
> One of the 3 CIA pillars of security is "availability".  And if
> it's oh-dark-30, figuring out what symlink is supposed to be where
> for a given failed systemd unit can be a tad challenging.  At least under
> sysvinit, either /etc/rc5.d/S50foobar is there or it isn't(*).
>
> And if they carry through on their systemd-console threat, that could get
> even worse - that introduces a whole new pile of risks for being unable
> to diagnose early boot bugs.
>
> So yeah, there's security issues other than "can it be hacked because
> it's got a huge surface area".

Agreed, the "oh-dark-thirty" call outs will be harder to resolve but I'm 
sure some folks will learn to deal with it. It's new and changes the job 
but as was noted earlier, there is always change.

My concern is with the "large surface area". Does that expose the daemon 
to more vulnerabilities because it does more or does one daemon make it 
easier to protect against multiple vulnerabilities? I don't know, that's 
where the research needs to be done.

--John

>
> (*) Unless you're really having a bad night and it's a hard link to /dev/sda1
> or something. :)

