Skip to Content [alt-c]

Andrew Ayer


Systemd is not Magic Security Dust

Comment by Reader infosec

This comment is owned by whoever posted it. I am not responsible for it in any way.

Uhm... about Apache:

1. "Broad" access? No. A site exists under a directory. Of course the httpd will have access to files it is, uhm... serving.

2. Credentials used by PHP? Nope. Only if you run PHP DSO which you shouldn't. The web server can have zero access to PHP files, because properly configured fastcgi daemon (eg. php-fpm) will get a fastcgi REQUEST sent to by httpd. It is then the PHP itself that finds and opens a file for reading, parsing and execution.

3. Attacker gaining remote execution of httpd will be able to do all those things regardless of an init system. HOWEVER, systemd ALLOWS very simple and easy, all within the one unit file, configuration of seccomp filters, capability dropping, binding to <1000 ports for daemons not running as root, etc... I don't think any other init system does this? Oh, sure, it's not the domain of an init system to do all this? Think again, it exactly is, because init is managing processes.

It's hard to take the rest of your post seriously when you make such huge mistakes.

| Posted on 2017-06-03 at 14:36:32 UTC by Reader infosec | Reply to This

Post a Reply

Your comment will be public. If you would like to contact me privately, please email me. Please keep your comment on-topic, polite, and comprehensible. Use the "Preview" button to make sure your comment is properly formatted. Name and email address are optional. If you specify an email address it will be kept confidential.

Post Comment

(Optional; will be published)

(Optional; will not be published)

(Optional; will be published)

  • Blank lines separate paragraphs.
  • Lines starting with ">" are indented as block quotes.
  • Lines starting with two spaces are reproduced verbatim.
  • Text surrounded by *asterisks* is italicized.
  • Text surrounded by `back ticks` is monospaced.
  • URLs are turned into links.