Readit News logoReadit News
jcgl commented on Nitro: A tiny but flexible init system and process supervisor   git.vuxu.org/nitro/about/... · Posted by u/todsacerdoti
nine_k · 4 days ago
The backlash against systemd was twofold. On one hand, when released and thrust upon distros via Gnome, it was quite rough around the edges, which caused both real problems and just understandable irritation. Fifteen years after, the kinks are ironed out, but it was sort of a long time. (Btrfs, released at about the same time, took even longer to stop being imprudent to use in production.)

On the other hand, systemd replaces Unix (sort of like Hurd, but differently). It grabs system init, logging, authentication, DNS, session management, cron, daemon monitoring, socket activation, running containers, etc. In an ideal Red Hat world, I suppose, a bare-metal box should contain a kernel, systemd, podman, IP tools, and maybe sshd and busybox. This is a very anti-Unix, mainframe-like approach, but for a big consulting firm, like Red Hat / IBM, it is very attractive.

jcgl · 4 days ago
No, systemd absolutely does not replace Unix.

Systemd-the-project and systemd-the-service-manager (“init”) are two different things. The former is a project with numerous components (e.g. resolved) that actually _are_ rather modular; they usually require systemd-the-service-manager, but you (or your distro) can generally pick and choose the components you want.

The service manager does indeed require some components to be gobbled up (udev comes to mind). But subsuming other subsystems shouldn’t be so anathema; the systemd people didn’t just think that “the one” thing of the Unix philosophy wasn’t being done well. Rather, the idea is that is was the wrong thing, i.e. classic Unix init was a tool operating at the wrong layer of abstraction. And in their eyes, a modern system needs a richer set of userspace primitives. So they made engineering decisions in pursuit of that goal.

jcgl commented on SystemD Service Hardening   roguesecurity.dev/blog/sy... · Posted by u/todsacerdoti
DyslexicAtheist · 8 days ago
I think it should be done by the maintainer of the software not by the distro. My concern is that these features are available since at least 5 years and it has not yet caught on (regardless of what this blog article recommends).

It would be great to see it implemented but for now at least on Debian/sid the situation is as follows:

  UNIT                                 EXPOSURE PREDICATE
  ModemManager.service                      6.3 MEDIUM    
  NetworkManager.service                    7.8 EXPOSED   
  alsa-state.service                        9.6 UNSAFE    
  anacron.service                           9.6 UNSAFE    
  atop.service                              9.6 UNSAFE    
  atopacct.service                          9.6 UNSAFE    
  avahi-daemon.service                      9.6 UNSAFE    
  blueman-mechanism.service                 9.6 UNSAFE    
  bluetooth.service                         6.0 MEDIUM    
  cron.service                              9.6 UNSAFE    
  dbus.service                              9.3 UNSAFE    
  dictd.service                             9.6 UNSAFE    
  dm-event.service                          9.5 UNSAFE    
  dnscrypt-proxy.service                    8.1 EXPOSED   
  emergency.service                         9.5 UNSAFE    
  exim4.service                             6.9 MEDIUM    
  getty@tty1.service                        9.6 UNSAFE    
  irqbalance.service                        1.2 OK        
  lvm2-lvmpolld.service                     9.5 UNSAFE    
  polkit.service                            1.2 OK        
  rc-local.service                          9.6 UNSAFE    
  rescue.service                            9.5 UNSAFE    
  rtkit-daemon.service                      7.2 MEDIUM    
  smartmontools.service                     9.6 UNSAFE    
  systemd-ask-password-console.service      9.4 UNSAFE    
  systemd-ask-password-wall.service         9.4 UNSAFE    
  systemd-bsod.service                      9.5 UNSAFE    
  systemd-hostnamed.service                 1.7 OK        
  systemd-journald.service                  4.9 OK        
  systemd-logind.service                    2.8 OK        
  systemd-networkd.service                  2.9 OK        
  systemd-timesyncd.service                 2.1 OK        
  systemd-udevd.service                     7.1 MEDIUM    
  tor@default.service                       6.6 MEDIUM    
  udisks2.service                           9.6 UNSAFE    
  upower.service                            2.4 OK        
  user@1000.service                         9.4 UNSAFE    
  wpa_supplicant.service                    9.6 UNSAFE

jcgl · 8 days ago
> I think it should be done by the maintainer of the software not by the distro

Why would you say that? I would agree that the developer likely has better insight into what the software needs. But the security boundary exists at the interface of the application and the system, so I think that both application devs and system devs (i.e. distros) have something to contribute here.

And because systemd allows for composition of these settings, it doesn't have to be a one-or-the other situation--a distro can do some basic locking down (e.g. limiting SUID, DynamicUser, etc.), and then the application dev can do syscall filtering.

In any case, I agree that I'd like to see things get even more locked down. But it's worth remembering that, before systemd, there was basically no easy-to-use least-privilege stuff available beyond Unix users and filesystem permissions. The closest you had (afaik) was apparmor and selinux. In both of those cases, the distro basically had to do all the work to create the security policy.

Also, n.b., that pdns.service I noted is provided by PowerDNS themselves.

jcgl commented on SystemD Service Hardening   roguesecurity.dev/blog/sy... · Posted by u/todsacerdoti
DyslexicAtheist · 8 days ago
these Hardening variables have been discussed some years back[1].

this will not take off I'm afraid, because locking these unitfiles down is offloaded to the end-user (I've yet to see maintainers embrace shipping locked down files). Maybe they will? But this same approach hasn't worked with apparmor so why should it work with systemd? Who will do the job?

If you consider apparmor maintainers provide skeleton-templates in many cases that will make the parser stop complaining. ("look I have a profile so apparmor shuts up, but don't take too close a look OK")

Then there is firejail, which some argue[2] is snake-oil considering the high level of administrative glue compared to its massive attack-surface (also it's a setuid binary).

I didn't mention SElinux since I don't know a single person who had the joy (or pain depending on perspective) of working with it. But again, seems the expectation to implement security with it is shifted to the user.

[1] https://news.ycombinator.com/item?id=22993304

[2] https://github.com/netblue30/firejail/issues/3046

jcgl · 8 days ago
> this will not take off I'm afraid, because locking these unitfiles down is offloaded to the end-user

Maybe your point is that this isn't done by the vendor in practice. And I'm sure there's room for lots of improvement. However, one of the great things about how systemd units can be provided by the vendor and seamlessly tweaked by the administrator is that the vendor (i.e. packager and/or distro) can set these up easily.

There definitely are packages that ship with locked-down files. Tor and powerdns (pdns) are two off the top of my head.

  → Overall exposure level for pdns.service: 1.9 OK 
  → Overall exposure level for tor.service: 7.1 MEDIUM

jcgl commented on SystemD Service Hardening   roguesecurity.dev/blog/sy... · Posted by u/todsacerdoti
dale_glass · 8 days ago
IMO, binary compatibility on Linux isn't really solvable. There's just a thousand tiny projects that make up the Linux base that aren't on the same page, and that's not about to change.

I do think packaging can be improved. I hate almost everything about how dpkg works, it's amazing. So I'm squarely in the RPM camp because I find the tooling a lot more tolerable, but still surely further improvements can be made.

jcgl · 8 days ago
I only started packaging relatively recently. Using OBS definitely made things easier, but it's crazy how much nicer RPM is than dpkg. So much better to have more-or-less everything inside a spec file with macros, versus dpgk's mess of static, purpose-specific files.
jcgl commented on SystemD Service Hardening   roguesecurity.dev/blog/sy... · Posted by u/todsacerdoti
bayindirh · 8 days ago
Probably. I don't think systemd is a mere "Service supervision daemon", but I'm not in the mood for a can of worms today.
jcgl · 8 days ago
Yeah, I'd probably call systemd something like "an event- and graph-based orchestrator."
jcgl commented on SystemD Service Hardening   roguesecurity.dev/blog/sy... · Posted by u/todsacerdoti
sgt · 8 days ago
I'd hate to restrict Docker like that - depending on what you run inside of Docker, it would be very hard to narrow it down to the right security tuning settings. In that case, it's actually safer and more predictable to run it in systemd (arguably).
jcgl · 8 days ago
What would be so hard about it? Also, this is not docker--it's podman. Which has a much simpler execution model than Docker. With it, it shouldn't be any harder to narrow down what the problem is, compared to running a non-containerized service.
jcgl commented on A privacy VPN you can verify   vp.net/l/en-US/blog/Don%2... · Posted by u/MagicalTux
exfil · 10 days ago
Where you connect to your "cash obtained" VPN? That IP has your name on it.
jcgl · 9 days ago
That’s a totally different problem than what you were saying before. This problem is one inherent to VPN technology writ large.
jcgl commented on A privacy VPN you can verify   vp.net/l/en-US/blog/Don%2... · Posted by u/MagicalTux
exfil · 10 days ago
Yes. But your cash gets attributed by your origin IP address. Which you pay with your identity available.
jcgl · 10 days ago
No? You put in a/your randomly generated account number for attribution.
jcgl commented on Nginx introduces native support for ACME protocol   blog.nginx.org/blog/nativ... · Posted by u/phickey
cpach · 12 days ago
Ah! I stand corrected.
jcgl · 12 days ago
I wanted to quickly double-check my (albeit limited) experience against docs. The RFC[0] implies the possibility of what I described (provided a well-behaved ACME client that doesn't clobber other TXT records):

   2.  Query for TXT records for the validation domain name
   
   3.  Verify that the contents of one of the TXT records match the
       digest value
And then the certbot docs[2] show how it's a well-behaved client that wouldn't clobber TXT records from concurrent instances:

> You can have multiple TXT records in place for the same name. For instance, this might happen if you are validating a challenge for a wildcard and a non-wildcard certificate at the same time. However, you should make sure to clean up old TXT records, because if the response size gets too big Let’s Encrypt will start rejecting it. > ... > It works well even if you have multiple web servers.

That bit about "multiple webservers" is a little ambiguous, but I think the preceding line indicates clearly enough how everything is supposed to work.

[0] https://datatracker.ietf.org/doc/html/rfc8555#section-8.4

[1] https://letsencrypt.org/docs/challenge-types/#dns-01-challen...

jcgl commented on Jujutsu and Radicle   radicle.xyz/2025/08/14/ju... · Posted by u/vinnyhaps
shayief · 12 days ago
Gitpatch author here.

Gitpatch attempts to build a Git hosting with native support for patches and commit-based review system, where each commit is its own patch. It's also smart to handle force pushes and can update or reorder patches as needed.

jcgl · 12 days ago
Gitpatch looks really great. And I greatly appreciate you listing out alternatives.

Do you have any plans to allow for self-hosting?

j

u/jcgl

KarmaCake day111May 18, 2024
About
sysadmin and low-key programmer

j+hn@cgl.sh

(my website and mail are hosted on my laptop; they may be offline at any given time.)

View Original