Gentoo Forums :: Gentoo Chat
Lennart Poettering on opentmpfiles: it's just baaaad
mike155
Advocate
Joined: 17 Sep 2010
Posts: 2411
Location: Frankfurt, Germany
PostPosted: Wed Nov 13, 2019 4:38 pm    Post subject: Lennart Poettering on opentmpfiles: it's just baaaad

Lennart Poettering wrote:
... Of course, people are good at ignoring these complexities, because they don't think about this. For example gentoo came up with a shell script to replace it: https://github.com/OpenRC/opentmpfiles/blob/master/tmpfiles.sh – there are more security vulnerabilities (and benign races) in it than I can count, it's just baaaad. ...

See: https://lwn.net/Articles/804554/

pjp
Administrator
Joined: 16 Apr 2002
Posts: 18556
PostPosted: Wed Nov 13, 2019 5:02 pm

Still not systemd. </superdave>

But is LP correct about it having security issues, regardless of his hyperbole?
_________________
Your lips move, but I can't hear what you're saying.

Naib
Watchman
Joined: 21 May 2004
Posts: 5847
Location: Removed by Neddy
PostPosted: Wed Nov 13, 2019 5:14 pm

pjp wrote:
Still not systemd. </superdave>

But is LP correct about it having security issues, regardless of his hyperbole?
If he is, then he is being irresponsible in not opening bug reports.
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king

Anon-E-moose
Advocate
Joined: 23 May 2008
Posts: 4866
Location: Dallas area
PostPosted: Wed Nov 13, 2019 6:19 pm

Interesting, a deliberate swipe at gentoo.

mezcalero must be having a bad trip.

Quote:
But most importantly: even stuff such as tmpfiles.d/ is inherently really really hard to get right, even if from a view far away it looks trivial since all it does is a bit of mknod()+chown()+chmod(), right? I know that it is hard because it took us long to get it right. Here's the thing: UNIX doesn't make writing a tool such as tmpfiles.d/ easy — at least not if you want to do so securely. Why? Because all those issues with concurrent execution on Linux: people might replace files underneath you, there are symlinks and hardlinks, and you only have very limited control what a specific path really means at a specific moment. In our tmpfiles implementation we nowadays use openat() for these things, and follow symlinks entirely manually to fix all these races (and thus potential vulnerabilities) as much as we can. Of course, people are good at ignoring these complexities, because they don't think about this. For example gentoo came up with a shell script to replace it: gentoo github for tmpfiles – there are more security vulnerabilities (and benign races) in it than I can count, it's just baaaad. I mean, I am not saying one couldn't reimplement this as safe as the original (or even safer), it's just a much harder, much more time consuming project than people could ever believe.


What a bunch of horse pucky. Because of course multiple programs will be trying to create/modify the file(s) it's working on. :roll:
I haven't looked (because I'm not that interested) but I'm pretty sure that basically he's doing mknod/chown/chmod, just from inside a program, and it's no more inherently safe or free from race conditions, etc. than the shell script. Because to make it secure, you'd have to make sure absolutely no other program is running at the same time, and they don't do that. He is a master of hyperbole, otherwise known as BS.

Quote:
Yes I too would like more competition, because there's nothing really we can compare us with anymore. Everything interesting (SMF, launchd) kinda stopped progressing. But I am pretty sure just copying 1:1 what systemd came up with is pointless. Take our code, it's free, fork it if you must, but why reimplement the exact same thing in a crappier way again?


As if all of systemd isn't the crappier way. As far as taking your code, when it starts being implemented in a proper manageable way, instead of throwing stuff at the wall to see what sticks, maybe.

Sounds like some people (debian in this case) are rethinking the systemd only kool-aid and he's getting worried.
_________________
PRIME x570-pro, 3700x, RX 550 - 5.8 zen kernel
Acer E5-575 (laptop), i3-7100u - i965 - 5.5 zen kernel
---both---
gcc 9.3.0, profile 17.1 (no-pie & modified) amd64-no-multilib, eudev, openrc, openbox, palemoon

Anon-E-moose
Advocate
Joined: 23 May 2008
Posts: 4866
Location: Dallas area
PostPosted: Wed Nov 13, 2019 6:24 pm

pjp wrote:
Still not systemd. </superdave>

But is LP correct about it having security issues, regardless of his hyperbole?


It's a shell script, a little more over-engineered than is really necessary, but workable.
It runs once, at the end of emerge.

From the top of the script
Quote:

# This is a reimplementation of the systemd tmpfiles.d code
# Control creation, deletion, and cleaning of volatile and temporary files
#
# Copyright (c) 2012 Gentoo Foundation
# Released under the 2-clause BSD license.
#
# This instance is a pure-POSIX sh version, written by Robin H Johnson
# <robbat2@gentoo.org>, based on the Arch Linux version as of 2012/01/01:
# http://projects.archlinux.org/initscripts.git/tree/arch-tmpfiles
#
# See the tmpfiles.d manpage as well:
# http://0pointer.de/public/systemd-man/tmpfiles.d.html
# This script should match the manpage as of 2012/03/12

_________________
PRIME x570-pro, 3700x, RX 550 - 5.8 zen kernel
Acer E5-575 (laptop), i3-7100u - i965 - 5.5 zen kernel
---both---
gcc 9.3.0, profile 17.1 (no-pie & modified) amd64-no-multilib, eudev, openrc, openbox, palemoon

GDH-gentoo
Guru
Joined: 20 Jul 2019
Posts: 482
Location: South America
PostPosted: Wed Nov 13, 2019 10:08 pm

mezcalero wrote:
But most importantly: even stuff such as tmpfiles.d/ is inherently really really hard to get right, even if from a view far away it looks trivial since all it does is a bit of mknod()+chown()+chmod(), right? I know that it is hard because it took us long to get it right. Here's the thing: UNIX doesn't make writing a tool such as tmpfiles.d/ easy — at least not if you want to do so securely.
Hmmm, if it is that complex to implement, maybe the tmpfiles.d concept wasn't a very good idea in the first place? :)

Naib
Watchman
Joined: 21 May 2004
Posts: 5847
Location: Removed by Neddy
PostPosted: Wed Nov 13, 2019 10:25 pm

It's also worth noting, since AGAIN Poettering has a hardon for Gentoo, there is an active pull request on OpenRC/opentmpfiles: https://github.com/OpenRC/opentmpfiles/pull/10

vapier commented on 21 May
Quote:
This is an RFC first off -- I don't intend on merging this directly. I'd like to get feedback about higher level directions before I dive deeper with both documentation and converting code over to compiled code entirely.

For unittesting, I'm writing things in C++ & using gtest. This simplifies test code quite a bit and uses existing common frameworks rather than inventing our own ad-hoc.

I'm assuming people would still prefer to keep the main code in C rather than writing it in C++. Writing it in C++ would simplify resource management, and allow us to use some existing C++ container classes (rather than having to reinvent our own basic ones for C).

Either way, the end result LOC will be higher with the compiled aspect, but it should also be significantly faster, and allow us to address security issues we have now around TOCTOU that are practically impossible to fix in pure shell.



So a typical narcissistic post without any real investigation
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king

GDH-gentoo
Guru
Joined: 20 Jul 2019
Posts: 482
Location: South America
PostPosted: Wed Nov 13, 2019 10:55 pm

pjp wrote:
But is LP correct about it having security issues, regardless of his hyperbole?
All code specific to systemd-tmpfiles lives in a single C source file, so I suppose that anyone motivated enough could compare implementations and find out.

Naib wrote:
https://github.com/OpenRC/opentmpfiles/pull/10

Quote:
lu-zero: I'd rather do it in rust then.
vapier: yeah, I'm not doing that
Yes please, let's not do that :P

Naib
Watchman
Joined: 21 May 2004
Posts: 5847
Location: Removed by Neddy
PostPosted: Wed Nov 13, 2019 11:06 pm

https://github.com/OpenRC/opentmpfiles/issues/8 --> https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html#Specifiers

Why the HELL is % being used for variable expansion WTF. This is the systemd "spec" ...
_________________
The best argument against democracy is a five-minute conversation with the average voter
Great Britain is a republic, with a hereditary president, while the United States is a monarchy with an elective king

Anon-E-moose
Advocate
Joined: 23 May 2008
Posts: 4866
Location: Dallas area
PostPosted: Wed Nov 13, 2019 11:29 pm

This is from tmpfiles.eclass, which is a wrapper over tmpfiles(.sh)

Quote:
# This eclass provides functionality related to installing and
# creating volatile and temporary files based on configuration files and
# locations defined at this URL:
#
# https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
#
# The dotmpfiles and newtmpfiles functions are used to install
# configuration files into /usr/lib/tmpfiles.d, then in pkg_postinst,
# the tmpfiles_process function must be called to process the newly
# installed tmpfiles.d entries.
#
# The tmpfiles.d files can be used by service managers to recreate/clean
# up temporary directories on boot or periodically. Additionally,
# the pkg_postinst() call ensures that the directories are created
# on systems that do not support tmpfiles.d natively, without a need
# for explicit fallback.


So gentoo is just using it for setup of things during the initial emerge/install.

Other than that, it seems to be called in tmpfiles.dev and tmpfiles.setup (/etc/init.d) which sets things up at boot time before users start doing things on the system. And if there's multiple conf files trying to do something to the same dir/file then that's just poor logic, so I don't really see where race conditions, etc can play a part.

So I really don't know what LP is on about, unless they use it a lot more internally for things inside systemd, which we don't care about as the shell script isn't used for systemd installations.

Edit to add: I had a thought this morning (yeah, I know rare, but I do have them occasionally)
Why does LP even care whether someone is doing something similar in script, whether it has bugs or not?
It has nothing to do with systemd, and even if it had bugs it might possibly push people towards using his software.
So again why does he care? What does it matter to him?

I think my earlier surmise that not everyone is embracing his software, and that things like eudev, elogind, etc as alternatives, bother him. It keeps his software from being the (complete) controller of the linux world and that keeps him up at night.
_________________
PRIME x570-pro, 3700x, RX 550 - 5.8 zen kernel
Acer E5-575 (laptop), i3-7100u - i965 - 5.5 zen kernel
---both---
gcc 9.3.0, profile 17.1 (no-pie & modified) amd64-no-multilib, eudev, openrc, openbox, palemoon

erm67
l33t
Joined: 01 Nov 2005
Posts: 634
Location: EU
PostPosted: Fri Nov 15, 2019 10:18 am

Well, systemd-tmpfiles has been abused in a number of exploits, and it's a godsend for an attacker to have the chance to use a process that manipulates files, directories and permissions with root privileges.


https://seclists.org/oss-sec/2018/q4/271
https://seclists.org/oss-sec/2018/q1/115
https://seclists.org/oss-sec/2018/q1/155

That is why they use openat() instead of open(), to make sure files are only opened where they should be, and use some code that checks all symlinks (hard and soft), including every chained symlink, to make sure the files are where they should be. It's all written in the OP and nobody has disproved his point so far :-)
See for example:
https://lwn.net/Articles/250468/

A shell script cannot do that since it uses regular commands; do all those exploits work in gentoo? Being a small niche distro with a big ego, maybe the exploits are simply never found. Even inside gentoo probably only a small number of people would use it at boot time, no admin of sane mind would enable it on a server, so maybe exploits are never exposed to the public.

Unless there is a serious and safe alternative it's better not to use systemd tmpfiles or other stuff at all. If upstream only releases stuff that depends on it, as is increasingly the case, the solution is not to use an insecure mockup at boot time, since attackers are patient and can wait for the next boot.
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net


Last edited by erm67 on Fri Nov 15, 2019 10:48 am; edited 1 time in total

Anon-E-moose
Advocate
Joined: 23 May 2008
Posts: 4866
Location: Dallas area
PostPosted: Fri Nov 15, 2019 10:37 am

Before systemd/tmpfiles all the stuff it does used to be done manually or by way of *tada* shell script.
And I don't remember any exploits for any of the things that tmpfiles has before the advent of tmpfiles/systemd, so maybe it's not so much that doing the things is wrong but the whole concept of the way systemd/tmpfiles does it needs to be rethought. I doubt that even the developers of systemd and all its components have a good understanding of what it does or why. I'm all in favor of having things done in a safe, fast and efficient way, but systemd seems to have focused on the speed aspect and somewhat the efficient aspect at the expense of safe.

I put little faith in someone like LP who won't fix problems in their own code, with either NOT A BUG or WON'T FIX, or just ignores it completely. But that's just me.
Everyone else can choose their own poison.
_________________
PRIME x570-pro, 3700x, RX 550 - 5.8 zen kernel
Acer E5-575 (laptop), i3-7100u - i965 - 5.5 zen kernel
---both---
gcc 9.3.0, profile 17.1 (no-pie & modified) amd64-no-multilib, eudev, openrc, openbox, palemoon

erm67
l33t
Joined: 01 Nov 2005
Posts: 634
Location: EU
PostPosted: Fri Nov 15, 2019 11:21 am

What are the alternatives?
The problem is that hate for LP and systemd is being increasingly associated with arrogance, ineptitude and bullying. After all these years nothing good has come out from the anti-systemd crowd, only bullying, arrogance and ineptitude: take this thread for example, it is a perfect example of all three points.

Maybe people would take the anti-systemd struggle more seriously if it would not put them at danger with stuff like this, or if replacing systemd with your stuff would solve any of their problems.
_________________
Ok boomer
True ignorance is not the absence of knowledge, but the refusal to acquire it.
Ab esse ad posse valet, a posse ad esse non valet consequentia

My fediverse account: @erm67@erm67.dynu.net

CasperVector
Apprentice
Joined: 03 Apr 2012
Posts: 155
PostPosted: Fri Nov 15, 2019 11:48 am

erm67 wrote:
What are the alternatives?

This for instance?

erm67 wrote:
The problem is that hate for LP and systemd is being increasingly associated with arrogance, ineptitude and bullying.

You spelled "decreasingly" wrong. See Sections 03, 05, 07 & 10 in my document for examples.

erm67 wrote:
After all these years nothing good has come out from the anti-systemd crowd, only bullying, arrogance and ineptitude: take this thread for example, it is a perfect example of all three points. Maybe people would take the anti-systemd struggle more seriously if it would not put them at danger with stuff like this, or if replacing systemd with your stuff would solve any of their problems.

Replacing systemd with s6/s6-rc surely solves most of systemd's problems, while sacrificing little (if any) of its advantages. Here I quote Footnote 33 from version 0.1.2 of my document:
Casper Ti. Vector wrote:
Besides, I guess all systemd functionalities, that are meaningful enough in practice, can be implemented in an infrastructure based on s6/s6-rc, and the codebase of many among them will be smaller than 1/5 those of their systemd counterparts.


EDIT: fix referenced post ID.
_________________
My current OpenPGP key:
RSA4096/0x227E8CAAB7AA186C (expires: 2020.10.19)
7077 7781 B859 5166 AE07 0286 227E 8CAA B7AA 186C


Last edited by CasperVector on Fri Nov 15, 2019 12:33 pm; edited 2 times in total

Anon-E-moose
Advocate
Joined: 23 May 2008
Posts: 4866
Location: Dallas area
PostPosted: Fri Nov 15, 2019 12:14 pm

erm67 wrote:
The problem is that hate for LP and systemd is being increasingly associated with arrogance, ineptitude and bullying.


What hate? I don't hate either LP or systemd.

I do admit seeing "arrogance, ineptitude and bullying" but I see it in the post the OP quoted from LP himself.

Again, why does LP even worry about gentoo, this isn't the first time he's taken shots at it.

As for the rest of your OTW rhetoric ... whatever.
_________________
PRIME x570-pro, 3700x, RX 550 - 5.8 zen kernel
Acer E5-575 (laptop), i3-7100u - i965 - 5.5 zen kernel
---both---
gcc 9.3.0, profile 17.1 (no-pie & modified) amd64-no-multilib, eudev, openrc, openbox, palemoon

CasperVector
Apprentice
Joined: 03 Apr 2012
Posts: 155
PostPosted: Fri Nov 15, 2019 12:18 pm

Anon-E-moose wrote:
What hate? I don't hate either LP or systemd.

I do hate both LP and systemd, just like how I hate mosquitoes and cockroaches -- which however does not make them appear any better :roll:
_________________
My current OpenPGP key:
RSA4096/0x227E8CAAB7AA186C (expires: 2020.10.19)
7077 7781 B859 5166 AE07 0286 227E 8CAA B7AA 186C

GDH-gentoo
Guru
Joined: 20 Jul 2019
Posts: 482
Location: South America
PostPosted: Fri Nov 15, 2019 12:29 pm

erm67 wrote:
Well systemd-tmpfiles has been abused in a number of exploit, and well it's a godsend for an attacker to have the chance to use a process that manipulates files, directories and permissions with root privileges.
[...]
Unless there is a serious and safe alternative it's better not to use systemd tmpfiles or other stuff at all. If upstream only releases stuff that depends on it, like increasingly is, [...]
So, what does a sysadmin do these days when faced with a systemd-based server and tmpfiles.d directories full of files?

pjp
Administrator
Joined: 16 Apr 2002
Posts: 18556
PostPosted: Fri Nov 15, 2019 4:08 pm

@erm67: Your post can be written from the other perspective.

not erm67 wrote:
The problem is that hate for systemd alternatives is being increasingly associated with arrogance, ineptitude and bullying. After all these years nothing good has come out from the systemd crowd, only bullying, arrogance and ineptitude: take any systemd thread for example, it is a perfect example of all three points.

Maybe people would take systemd more seriously if it would not put them at danger with stuff like this, or if using systemd would solve any of their problems.

_________________
Your lips move, but I can't hear what you're saying.

Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6714
PostPosted: Fri Nov 15, 2019 7:14 pm

Naib wrote:
https://github.com/OpenRC/opentmpfiles/issues/8 --> https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html#Specifiers

Why the HELL is % being used for variable expansion WTF. This is the systemd "spec" ...

Let's remove /usr/bin/date next

proteusx
Apprentice
Joined: 21 Jan 2008
Posts: 297
PostPosted: Sat Nov 16, 2019 3:22 am

Naib wrote:
https://github.com/OpenRC/opentmpfiles/issues/8 --> https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html#Specifiers

Why the HELL is % being used for variable expansion WTF. This is the systemd "spec" ...

Would it be better if it was like this: %variable%

Tony0945
Advocate
Joined: 25 Jul 2006
Posts: 4111
Location: Illinois, USA
PostPosted: Sat Nov 16, 2019 5:34 am

Ant P. wrote:
Let's remove /usr/bin/date next

I don't have /usr/bin/date ! I do have /bin/date

mv
Watchman
Joined: 20 Apr 2005
Posts: 6380
PostPosted: Sat Nov 16, 2019 6:41 am

erm67 wrote:
Well systemd-tmpfiles has been abused in a number of exploit

Have they? Do you have any reference?
The ones you were citing show only that bad rules in a tmpfiles.d file can have bad consequences - like bad commands in an init.d file can have bad consequences: if somebody uses Z on a directory which (or whose parent) can be written by anybody other than root, and the destination user is doing something fundamentally wrong.

steve_v
Apprentice
Joined: 20 Jun 2004
Posts: 177
Location: New Zealand
PostPosted: Sat Nov 16, 2019 12:35 pm

Another day, another over-engineered replacement for a thing that works just fine in shell.
Another day, another snipe at Gentoo, the only well-known distro that hasn't jumped on the systemd bandwagon.
Another day, another holier-than-thou post from Lennart on his way being the only true way, and his software being superior to all alternatives.
_________________
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.

Tony0945
Advocate
Joined: 25 Jul 2006
Posts: 4111
Location: Illinois, USA
PostPosted: Sat Nov 16, 2019 2:11 pm

steve_v wrote:
Another day, another over-engineered replacement for a thing that works just fine in shell.
Another day, another snipe at Gentoo, the only well-known distro that hasn't jumped on the systemd bandwagon.
Another day, another holier-than-thou post from Lennart on his way being the only true way, and his software being superior to all alternatives.

++++

aidanjt
Veteran
Joined: 20 Feb 2005
Posts: 1118
Location: Rep. of Ireland
PostPosted: Sat Nov 16, 2019 3:34 pm

He sure is salty that Gentoo isn't just bowing down before his grand magnificence.
_________________
juniper wrote:
you experience political reality dilation when travelling at american political speeds. it's in einstein's formulas. it's not their fault.

Page 1 of 7 (all times are GMT)