There have been a few terrible bugs found in systemd recently. For example, the one where a unit constrained to a single user's permissions would instead get root permissions if that user's name happened to start with a digit. The systemd team acknowledges the bug, but downplays it a lot with "it is just a bug, Linux has bugs, it is not a big problem". They miss an important distinction right here.
Let's step back a little to think about how a software engineer goes about writing code. She thinks about all the possible cases and writes a block of code for each of them. If something about the input does not seem right to the code, it can either ignore the odd data or emit an error. Good engineers write code that emits an error. Bad engineers do not.
Hence the reason why the systemd bugs are so terrible. Someone placed the line User=0day into the unit file to constrain the service. It does not matter what reason led the systemd developers to treat this user name as invalid; the real problem is that after declaring the input line invalid they decided not to enter an error state. They decided to use the default, which is root.
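To make the distinction concrete, here is an added example in C; it is not systemd's code and not from the original post. It is a toy unit loader with two paths for a User= value that fails validation: a fail-open path that warns and keeps the default uid 0, which is the behaviour described above, and a fail-closed path that refuses to load the unit. The validation rule (a name beginning with a digit is invalid), the single known user "svc", its uid and the unit-file lines are all constructed for the example.

```c
/*
 * Added illustration, not systemd's code: a toy unit loader that handles a
 * User= value two ways. load_unit_lenient() reproduces the failure mode the
 * post describes (invalid name -> warn, keep default uid 0). load_unit_strict()
 * refuses to load the unit instead. Validation rule, user table and uids are
 * constructed for the example.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ROOT_UID 0u
#define DEMO_SVC_UID 1001u      /* assumed uid of the one "known" user, "svc" */

enum load_result { LOAD_OK = 0, LOAD_ERR_INVALID_USER = -1 };

struct unit {
    unsigned uid;   /* who the service runs as; defaults to root */
};

/* Rule modeled on the one the post describes: a name that starts with a
 * digit is rejected. Also rejects empty names and characters outside
 * [A-Za-z0-9_-]. Returns 1 if valid, 0 otherwise. */
static int user_name_is_valid(const char *name)
{
    if (name == NULL || *name == '\0' || isdigit((unsigned char)name[0]))
        return 0;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-')
            return 0;
    return 1;
}

/* Stand-in for getpwnam(): the example knows exactly one user, "svc".
 * Returns 1 and sets *uid on success, 0 (leaving *uid untouched) otherwise. */
static int lookup_uid(const char *name, unsigned *uid)
{
    if (strcmp(name, "svc") == 0) {
        *uid = DEMO_SVC_UID;
        return 1;
    }
    return 0;
}

/* Fail-open loader: an invalid or unknown User= is logged and ignored, so
 * the unit keeps the default uid (root). user_value == NULL means the unit
 * has no User= line at all, which legitimately defaults to root. */
static int load_unit_lenient(const char *user_value, struct unit *u)
{
    u->uid = ROOT_UID;
    if (user_value == NULL)
        return LOAD_OK;
    if (!user_name_is_valid(user_value) || !lookup_uid(user_value, &u->uid)) {
        fprintf(stderr, "warning: invalid or unknown user '%s', ignoring\n", user_value);
        return LOAD_OK;              /* the unit still loads, as root */
    }
    return LOAD_OK;
}

/* Fail-closed loader: a User= line that is present but invalid or unknown is
 * a hard error and the unit does not load. Only the absence of User= yields
 * root, because that is the documented default rather than a fallback. */
static int load_unit_strict(const char *user_value, struct unit *u)
{
    u->uid = ROOT_UID;
    if (user_value == NULL)
        return LOAD_OK;
    if (!user_name_is_valid(user_value) || !lookup_uid(user_value, &u->uid)) {
        fprintf(stderr, "error: invalid or unknown User=%s, refusing to load unit\n", user_value);
        return LOAD_ERR_INVALID_USER;
    }
    return LOAD_OK;
}

/* Extract the value of a "User=<name>" line; NULL if this is not a User= line. */
static const char *parse_user_directive(const char *line)
{
    static const char prefix[] = "User=";
    if (strncmp(line, prefix, sizeof prefix - 1) != 0)
        return NULL;
    return line + (sizeof prefix - 1);
}

int main(void)
{
    /* Constructed unit-file lines for the demo; "0day" is the post's example. */
    const char *lines[] = { "User=svc", "User=0day", "Group=svc" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        struct unit u;
        const char *name = parse_user_directive(lines[i]);
        int rc = load_unit_lenient(name, &u);
        printf("lenient: %-10s -> rc=%2d uid=%u\n", lines[i], rc, u.uid);
        rc = load_unit_strict(name, &u);
        printf("strict:  %-10s -> rc=%2d uid=%u\n", lines[i], rc, u.uid);
    }
    return 0;
}
```

Running it shows the two loaders agreeing on User=svc and on a unit with no User= line, and disagreeing only on User=0day: the lenient loader reports success with uid 0, the strict loader returns an error and nothing runs. The point is that the invalid-input branch is where the privilege decision is really made, not in the validator itself.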
It is true that one needs to place such a line into the unit file to begin with. But that is not an excuse for this kind of bug. Systemd's complexity and undocumented behaviours provide a perfect vector for a "code review" attack. This is the case where an attacker contributes some desirable code to a project and includes a "hidden bomb" in it. The change may then pass even the most rigorous code review process, and the attacker gains a backdoor.
It is funny that we have seen two systemd bugs this week. One was in resolved and was downplayed on the grounds that resolved runs in an isolated mode, which makes the bug unexploitable: "thank systemd for its impenetrable isolation code". The second bug was a giant hole in that very unit isolation code, with a trivial trigger condition.
No, systemd bugs are not of the same sort as bugs in other software. They border on malicious backdoors purposely planted into Open Source Software. Systemd makes the OS more secure against attacks from the outside internet, and that is a good thing. However, it is way easier for a disgruntled employee to plant a time bomb and get it through the process.