Hacker News new | ask | show | jobs
by bdd8f1df777b 799 days ago
> A back door in the same library is not likely.

But libsystemd is not linked to xz only. By removing it, sshd is free of many other potential risks.
2 comments
aborsy 799 days ago
Correct, I misread.

Still the question remains: what technology could be implemented to mitigate this type of attack (beyond sshd)?

For example, Linux sandboxing is poor, and SeLinux is not usually enforced.

link
vimax 798 days ago
Disable calling functions in transitive dependencies, force them to be direct dependencies.

Why should sshd be allowed to call an xz function directly without xz being an immediate dependency.

I'm not sure what all that would entail with the ifunc stuff, but I remember encountering a glibc linking change moving from Red Hat 6 to RH7 that did something similar and broke the build process for some legacy code.

link
hulitu 798 days ago
> what technology could be implemented to mitigate this type of attack (beyond sshd)?

UNIX ? (do one thing and do it well).

When your program links with 20 libraries, i have i very hard time to believe that security is one of your goals.

link
fsflover 798 days ago
See: Qubes OS.
link
metalspoon 798 days ago
I pointed out this weakness the other day on the internet. I got attacked by open source software armies.
link
ratg13 798 days ago
Maybe it was because you weren't pointing out anything new?

There was a pull request to stop linking liblzma into libsystemd a month before the backdoor was found

https://github.com/systemd/systemd/pull/31550

This was likely one of many things that pushed the attackers to work faster, and forced them into making mistakes.

link
metalspoon 798 days ago
No. They couldn't get along with the idea that some open source software packages should also sometimes be cut away, just like all other packages.

They felt threatened by the idea that open source maintenance can ever go wrong and started attacking me. They argued closed source was worse.

That was not my point at all. I was not raising a weakness of open source. I was just pointing out that linking to libsystemd had that kind of problem.

link
ranger_danger 798 days ago
FOSS zealots are not always security experts.
link
flohofwoe 798 days ago
Please don't throw despicable systemd zealots and honorable open source zealots into the same bucket ;)
link
baobun 797 days ago
Please don't bring group-identity politics here.
link
ikekkdcjkfke 798 days ago
Plot twist: systemd zealots were all sockpuppets
link
trust_bt_verify 798 days ago
Thanks for sharing.
link