Part of the issues about the ATT or BSD init systems had to do with
"local control" and with captive markets -- the latter a deliberate
choice by the profit-controllers to the engineers and implementers.
This is the old interplay between proprietary (often controlled by
"intellectual property" because the entity has sufficient patent
attorneys to gain such "property" that can then be used to prohibit the
development of an innovation to maintain revenue generation) and open
standards. The same reason that most threaded fasteners on vehicle
manufacturer A and B are readily available and interchangeable if the
same choice of thread, grade, form, etc., were used, whereas engines are
proprietary.
I fully agree that a full security audit would be valuable, an audit
that needs to be kept current. Nonetheless, "lines of code" is a well
established empirical metric, given the approximate number of execution
("run time") software defects in syntactically correct source code based
on the lines of code in the source. I am not defending "lines of code",
merely repeating what is a standard "rule of thumb".
My bigger concern is that SystemD is no longer used on an isolated
system in a segregated environment (NB: that term has nothing to do with
socio-political contexts -- please do not misinterpret it as have some
non-CSE colleagues when hearing of that, "race conditions", and other
CSE specific terminology). The larger the distributed (and integrated
or inter-dependent) the environment is, particularly over the public
Internet (even with VPNs or the like), the greater the risk of
compromise through vulnerabilities. Hardening systems is not easy, and
there are as yet no definite algorithms (let alone implementations) to
detect vulnerabilities pre-exploit. Obviously, methods to control
memory leaks in certain programming languages, etc., help -- but unless
source code is available, and verification of correctness of the
compiler (binary or "byte-code") output, there is no guarantee that such
have been implement. SystemD is open -- so in principle the coding
issue could be addressed, but such is not the case for closed systems,
no source code available.
Were the init systems more resilient? These were never designed for the
current wide area network platforms and environments such as "cloud
computing" -- thus it is very unlikely that these perform better. The
issue comes back to the bloat in SystemD overseeing, in some sense,
"everything". As such, it is a possible single point of failure, or
exploit.
However, lacking data and the person power to both accumulate and
understand such data, this discussion is more speculative than empirical
-- "philosophy", not "science". If a major vulnerability is exploited
through SystemD (as recently was revealed for a proprietary distributed
update environment, not SystemD), the consequences will affect more than
just the community of SL.
On 1/25/21 10:05 AM, Lamar Owen wrote:
> On 1/25/21 12:04 PM, Yasha Karant wrote:
>> The question is: what mechanism? The reality today for Linux systems
>> as deployed at scale mostly is SystemD. The question -- a question
>> that goes well beyond what started as an exchange about EL 8 -- is
>> what goes forward? SystemD as it currently stands is too delicate and
>> too vulnerable to compromise, either within itself or in terms of the
>> processes/subsystems it "controls", despite the large scale deployment
>> of SystemD. ...
>
> This statement begs some proof (preferably a formal code audit) of the
> stated opinion that systemd is too 'delicate' and vulnerable to
> compromise. Anecdotal evidence or counting LoC and saying 'more LoC =
> automatically more vulnerable' need not apply. Of course, all code is
> vulnerable, but the implication is that systemd is by nature more
> vulnerable because $reason where $reason is something other than a
> formal audit.
>
>> I asked a question to which I have not seen an answer: does a SystemD
>> configuration (plain text files in the SystemD design) from two
>> similar hardware platforms but different Linux distros (say, EL and
>> LTS) interoperate, or require significant rewriting to produce the
>> "same results"? In other words, are the valuable concepts of
>> portability and re-usability (do not reinvent the wheel, another
>> engineering turn of phrase) met in practice with SystemD?
>
> The systemd unit files are more portable than old initscripts, in my
> experience. The determining factors will be whether the distributions'
> engineers pick the same names for the services started by the unit file
> and if the paths to executables are the same or not. The main
> differences here are the same as the differences in the locations of
> files between the major branches of the Linux filesystem hierarchy;
> Debian and derivatives will be different from Red Hat and derivatives,
> to pick the two top examples.
>
> Old initscripts were and are highly dependent upon the functions sourced
> from the distribution's function library for initscripts, as well as
> paths and daemon/service name; chkconfig metadata differences; and, of
> course, they are executing as root in the system shell, and shell
> quoting and escaping syntax becomes critical (the initscript for an
> autossh instance, for instance, with say a half dozen reverse tunnels; I
> have a few of those around here). I wrote a few for PostgreSQL for use
> on several different RPM-based systems; there was quite a variety, and
> SuSE did things differently from Red Hat which did things differently
> from TurboLinux (one of the targets of my packaging), and others did
> things yet more differently. It's possible to write initscripts to be
> very portable, but it is harder than writing a unit file that can be
> portable, as far as I can see. But I do always reserve the right to be
> wrong.
>
> In practice a unit file from an upstream project, especially if the
> project uses /opt/$progname or /usr/local/{bin|lib}, will be very
> portable across distributions. This I have experienced; a single unit
> file can pretty easily be written to work across all systemd
> distributions unless it needs some distribution-specific daemon/service
> or feature.
|