#4882 closed enhancement (fixed)

systemd-249

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 11.0
Component: Book Version: git
Severity: normal Keywords:
Cc:

Description

New version

It looks relatively benign on the changes end.

Change History (6)

comment:1 by Douglas R. Reno, 17 months ago

Owner: changed from lfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 17 months ago

CHANGES WITH 249:

        * When operating on disk images via the --image= switch of various
          tools (such as systemd-nspawn or systemd-dissect), or when udev finds
          no 'root=' parameter on the kernel command line, and multiple
          suitable root or /usr/ partitions exist in the image, then a simple
          comparison inspired by strverscmp() is done on the GPT partition
          label, and the newest partition is picked. This permits a simple and
          generic whole-file-system A/B update logic where new operating system
          versions are dropped into partitions whose label is then updated with
          a matching version identifier.

        * systemd-sysusers now supports querying the passwords to set for the
          users it creates via the "credentials" logic introduced in v247: the
          passwd.hashed-password.<user> and passwd.plaintext-password.<user>
          credentials are consulted for the password to use (either in UNIX
          hashed form, or literally). By default these credentials are inherited
          down from PID1 (which in turn imports it from a container manager if
          there is one). This permits easy configuration of user passwords
          during first boot. Example:

          # systemd-nspawn -i foo.raw --volatile=yes --set-credential=passwd.plaintext-password.root:foo

          Note that systemd-sysusers operates in purely additive mode: it
          executes no operation if the declared users already exist, and hence
          doesn't set any passwords as effect of the command line above if the
          specified root user exists already in the image. (Note that
          --volatile=yes ensures it doesn't, though.)

        * systemd-firstboot now also supports querying various system
          parameters via the credential subsystems. Thus, as above this may be
          used to initialize important system parameters on first boot of
          previously unprovisioned images (i.e. images with a mostly empty
          /etc/).

        * PID 1 may now show both the unit name and the unit description
          strings in its status output during boot. This may be configured with
          StatusUnitFormat=combined in system.conf or
          systemd.status-unit-format=combined on the kernel command line.

        * The systemd-machine-id-setup tool now supports a --image= switch for
          provisioning a machine ID file into an OS disk image, similar to how
          --root= operates on an OS file tree. This matches the existing switch
          of the same name for systemd-tmpfiles, systemd-firstboot, and
          systemd-sysusers tools.

        * Similarly, systemd-repart gained support for the --image= switch too.
          In combination with the existing --size= option, this makes the tool
          particularly useful for easily growing disk images in a single
          invocation, following the declarative rules included in the image
          itself.

        * systemd-repart's partition configuration files gained support for a
          new switch MakeDirectories= which may be used to create arbitrary
          directories inside file systems that are created, before registering
          them in the partition table. This is useful in particular for root
          partitions to create mount point directories for other partitions
          included in the image. For example, a disk image that contains a
          root, /home/, and /var/ partitions, may set MakeDirectories=yes to
          create /home/ and /var/ as empty directories in the root file system
          on its creation, so that the resulting image can be mounted
          immediately, even in read-only mode.

        * systemd-repart's CopyBlocks= setting gained support for the special
          value "auto". If used, a suitable matching partition on the booted OS
          is found as source to copy blocks from. This is useful when
          implementing replicating installers, that are booted from one medium
          and then stream their own root partition onto the target medium.

        * systemd-repart's partition configuration files gained support for a
          Flags=, a ReadOnly= and a NoAuto= setting, allowing control of these
          GPT partition flags for the created partitions: this is useful for
          marking newly created partitions as read-only, or as not being
          subject for automatic mounting from creation on.

        * The /etc/os-release file has been extended with two new (optional)
          variables IMAGE_VERSION= and IMAGE_ID=, carrying identity and version
          information for OS images that are updated comprehensively and
          atomically as one image. Two new specifiers %M, %A now resolve to
          these two fields in the various configuration options that resolve
          specifiers.

        * portablectl gained a new switch --extension= for enabling portable
          service images with extensions that follow the extension image
          concept introduced with v248, and thus allows layering multiple
          images when setting up the root filesystem of the service.

        * systemd-coredump will now extract ELF build-id information from
          processes dumping core and include it in the coredump report.
          Moreover, it will look for ELF .note.package sections with
          distribution packaging meta-information about the crashing process.
          This is useful to directly embed the rpm or deb (or any other)
          package name and version in ELF files, making it easy to match
          coredump reports with the specific package for which the software was
          compiled. This is particularly useful on environments with ELF files
          from multiple vendors, different distributions and versions, as is
          common today in our containerized and sand-boxed world. For further
          information, see:

          https://systemd.io/COREDUMP_PACKAGE_METADATA

        * A new udev hardware database has been added for FireWire devices
          (IEEE 1394).

        * The "net_id" built-in of udev has been updated with three
          backwards-incompatible changes:

          - PCI hotplug slot names on s390 systems are now parsed as
            hexadecimal numbers. They were incorrectly parsed as decimal
            previously, or ignored if the name was not a valid decimal
            number.

          - PCI onboard indices up to 65535 are allowed. Previously, numbers
            above 16383 were rejected. This primarily impacts s390 systems,
            where values up to 65535 are used.

          - Invalid characters in interface names are replaced with "_".

          The new version of the net naming scheme is "v249". The previous
          scheme can be selected via the "net.naming-scheme=v247" kernel
          command line parameter.

        * sd-bus' sd_bus_is_ready() and sd_bus_is_open() calls now accept a
          NULL bus object, for which they will return false. Or in other words,
          an unallocated bus connection is neither ready nor open.

        * The sd-device API acquired a new API function
          sd_device_get_usec_initialized() that returns the monotonic time when
          the udev device first appeared in the database.

        * sd-device gained a new APIs sd_device_trigger_with_uuid() and
          sd_device_get_trigger_uuid(). The former is similar to
          sd_device_trigger() but returns a randomly generated UUID that is
          associated with the synthetic uevent generated by the call. This UUID
          may be read from the sd_device object a monitor eventually receives,
          via the sd_device_get_trigger_uuid(). This interface requires kernel
          4.13 or above to work, and allows tracking a synthetic uevent through
          the entire device management stack. The "udevadm trigger --settle"
          logic has been updated to make use of this concept if available to
          wait precisely for the uevents it generates. "udevadm trigger" also
          gained a new parameter --uuid that prints the UUID for each generated
          uevent.

        * sd-device also gained new APIs sd_device_new_from_ifname() and
          sd_device_new_from_ifindex() for allocating an sd-device object for
          the specified network interface. The former accepts an interface name
          (either a primary or an alternative name), the latter an interface
          index.

        * The native Journal protocol has been documented. Clients may talk
          this as alternative to the classic BSD syslog protocol for locally
          delivering log records to the Journal. The protocol has been stable
          for a long time and in fact been implemented already in a variety
          of alternative client libraries. This documentation makes the support
          for that official:

          https://systemd.io/JOURNAL_NATIVE_PROTOCOL

        * A new BPFProgram= setting has been added to service files. It may be
          set to a path to a loaded kernel BPF program, i.e. a path to a bpffs
          file, or a bind mount or symlink to one. This may be used to upload
          and manage BPF programs externally and then hook arbitrary systemd
          services into them.

        * The "home.arpa" domain that has been officially declared as the
          choice for domain for local home networks per RFC 8375 has been added
          to the default NTA list of resolved, since DNSSEC is generally not
          available on private domains.

        * The CPUAffinity= setting of unit files now resolves "%" specifiers.

        * A new ManageForeignRoutingPolicyRules= setting has been added to
          .network files which may be used to exclude foreign-created routing
          policy rules from systemd-networkd management.

        * systemd-network-wait-online gained two new switches -4 and -6 that
          may be used to tweak whether to wait for only IPv4 or only IPv6
          connectivity.

        * .network files gained a new RequiredFamilyForOnline= setting to
          fine-tune whether to require an IPv4 or IPv6 address in order to
          consider an interface "online".

        * networkctl will now show an over-all "online" state in the per-link
          information.

        * In .network files a new OutgoingInterface= setting has been added to
          specify the output interface in bridge FDB setups.

        * In .network files the Multipath group ID may now be configured for
          [NextHop] entries, via the new Group= setting.

        * The DHCP server logic configured in .network files gained a new
          setting RelayTarget= that turns the server into a DHCP server relay.
          The RelayAgentCircuitId= and RelayAgentRemoteId= settings may be used
          to further tweak the DHCP relay behaviour.

        * The DHCP server logic also gained a new ServerAddress= setting in
          .network files that explicitly specifies the server IP address to
          use. If not specified, the address is determined automatically, as
          before.

        * The DHCP server logic in systemd-networkd gained support for static
          DHCP leases, configurable via the [DHCPServerStaticLease]
          section. This allows explicitly mapping specific MAC addresses to
          fixed IP addresses and vice versa.

        * The RestrictAddressFamilies= setting in service files now supports a
          new special value "none". If specified sockets of all address
          families will be made unavailable to services configured that way.

        * systemd-fstab-generator and systemd-repart have been updated to
          support booting from disks that carry only a /usr/ partition but no
          root partition yet, and where systemd-repart can add it in on the
          first boot. This is useful for implementing systems that ship with a
          single /usr/ file system, and whose root file system shall be set up
          and formatted on a LUKS-encrypted volume whose key is generated
          locally (and possibly enrolled in the TPM) during the first boot.

        * The [Address] section of .network files now accepts a new
          RouteMetric= setting that configures the routing metric to use for
          the prefix route created as effect of the address configuration.
          Similarly, the [DHCPv6PrefixDelegation] and [IPv6Prefix] sections
          gained matching settings for their prefix routes. (The option of the
          same name in the [DHCPv6] section is moved to [IPv6AcceptRA], since
          it conceptually belongs there; the old option is still understood for
          compatibility.)

        * The DHCPv6 IAID and DUID are now explicitly configurable in .network
          files.

        * A new udev property ID_NET_DHCP_BROADCAST on network interface
          devices is now honoured by systemd-networkd, controlling whether to
          issue DHCP offers via broadcasting. This is used to ensure that s390
          layer 3 network interfaces work out-of-the-box with systemd-networkd.

        * nss-myhostname and systemd-resolved will now synthesize address
          records for a new special hostname "_outbound". The name will always
          resolve to the local IP addresses most likely used for outbound
          connections towards the default routes. On multi-homed hosts this is
          useful to have a stable handle referring to "the" local IP address
          that matters most, to the point where this is defined.

        * The Discoverable Partition Specification has been updated with a new
          GPT partition flag "grow-file-system" defined for its partition
          types. Whenever partitions with this flag set are automatically
          mounted (i.e. via systemd-gpt-auto-generator or the --image= switch
          of systemd-nspawn or other tools; and as opposed to explicit mounting
          via /etc/fstab), the file system within the partition is
          automatically grown to the full size of the partition. If the file
          system size already matches the partition size this flag has no
          effect. Previously, this functionality has been available via the
          explicit x-systemd.growfs mount option, and this new flag extends
          this to automatically discovered mounts. A new GrowFileSystem=
          setting has been added to systemd-repart drop-in files that allows
          configuring this partition flag. This new flag defaults to on for
          partitions automatically created by systemd-repart, except if they
          are marked read-only. See the specification for further details:

          https://systemd.io/DISCOVERABLE_PARTITIONS

        * .network files gained a new setting RoutesToNTP= in the [DHCPv4]
          section. If enabled (which is the default), and an NTP server address
          is acquired through a DHCP lease on this interface an explicit route
          to this address is created on this interface to ensure that NTP
          traffic to the NTP server acquired on an interface is also routed
          through that interface. The pre-existing RoutesToDNS= setting that
          implements the same for DNS servers is now enabled by default.

        * A pair of service settings SocketBindAllow= + SocketBindDeny= have
          been added that may be used to restrict the network interfaces
          sockets created by the service may be bound to. This is implemented
          via BPF.

        * A new ConditionFirmware= setting has been added to unit files to
          conditionalize on certain firmware features. At the moment it may
          check whether running on an UEFI system, a device.tree system, or if
          the system is compatible with some specified device-tree feature.

        * A new ConditionOSRelease= setting has been added to unit files to
          check os-release(5) fields. The "=", "!=", "<", "<=", ">=", ">"
          operators may be used to check if some field has some specific value
          or do an alphanumerical comparison. Equality comparisons are useful
          for fields like ID, but relative comparisons for fields like
          VERSION_ID or IMAGE_VERSION.

        * hostnamed gained a new Describe() D-Bus method that returns a JSON
          serialization of the host data it exposes. This is exposed via
          "hostnamectl --json=" to acquire a host identity description in JSON.
          It's our intention to add a similar features to most services and
          objects systemd manages, in order to simplify integration with
          program code that can consume JSON.

        * Similarly, networkd gained a Describe() method on its Manager and
          Link bus objects. This is exposed via "networkctl --json=".

        * hostnamectl's various "get-xyz"/"set-xyz" verb pairs
          (e.g. "hostnamectl get-hostname", "hostnamectl "set-hostname") have
          been replaced by a single "xyz" verb (e.g. "hostnamectl hostname")
          that is used both to get the value (when no argument is given), and
          to set the value (when an argument is specified). The old names
          continue to be supported for compatibility.

        * systemd-detect-virt and ConditionVirtualization= are now able to
          correctly identify Amazon EC2 environments.

        * The LogLevelMax= setting of unit files now applies not only to log
          messages generated *by* the service, but also to log messages
          generated *about* the service by PID 1. To suppress logs concerning a
          specific service comprehensively, set this option to a high log
          level.

        * bootctl gained support for a new --make-machine-id-directory= switch
          that allows precise control on whether to create the top-level
          per-machine directory in the boot partition that typically contains
          Type 1 boot loader entries.

        * During build SBAT data to include in the systemd-boot EFI PE binaries
          may be specified now.

        * /etc/crypttab learnt a new option "headless". If specified any
          requests to query the user interactively for passwords or PINs will
          be skipped. This is useful on systems that are headless, i.e. where
          an interactive user is generally not present.

        * /etc/crypttab also learnt a new option "password-echo=" that allows
          configuring whether the encryption password prompt shall echo the
          typed password and if so, do so literally or via asterisks. (The
          default is the same behaviour as before: provide echo feedback via
          asterisks.)

        * FIDO2 support in systemd-cryptenroll/systemd-cryptsetup and
          systemd-homed has been updated to allow explicit configuration of the
          "user presence" and "user verification" checks, as well as whether a
          PIN is required for authentication, via the new switches
          --fido2-with-user-presence=, --fido2-with-user-verification=,
          --fido2-with-client-pin= to systemd-cryptenroll and homectl. Which
          features are available, and may be enabled or disabled depends on the
          used FIDO2 token.

        * systemd-nspawn's --private-user= switch now accepts the special value
          "identity" which configures a user namespacing environment with an
          identity mapping of 65535 UIDs. This means the container UID 0 is
          mapped to the host UID 0, and the UID 1 to host UID 1. On first look
          this doesn't appear to be useful, however it does reduce the attack
          surface a bit, since the resulting container will possess process
          capabilities only within its namespace and not on the host.

        * systemd-nspawn's --private-user-chown switch has been replaced by a
          more generic --private-user-ownership= switch that accepts one of
          three values: "chown" is equivalent to the old --private-user-chown,
          and "off" is equivalent to the absence of the old switch. The value
          "map" uses the new UID mapping mounts of Linux 5.12 to map ownership
          of files and directories of the underlying image to the chosen UID
          range for the container. "auto" is equivalent to "map" if UID mapping
          mount are supported, otherwise it is equivalent to "chown". The short
          -U switch systemd-nspawn now implies --private-user-ownership=auto
          instead of the old --private-user-chown. Effectively this means: if
          the backing file system supports UID mapping mounts the feature is
          now used by default if -U is used. Generally, it's a good idea to use
          UID mapping mounts instead of recursive chown()ing, since it allows
          running containers off immutable images (since no modifications of
          the images need to take place), and share images between multiple
          instances. Moreover, the recursive chown()ing operation is slow and
          can be avoided. Conceptually it's also a good thing if transient UID
          range uses do not leak into persistent file ownership anymore. TLDR:
          finally, the last major drawback of user namespacing has been
          removed, and -U should always be used (unless you use btrfs, where
          UID mapped mounts do not exist; or your container actually needs
          privileges on the host).

        * nss-systemd now synthesizes user and group shadow records in addition
          to the main user and group records. Thus, hashed passwords managed by
          systemd-homed are now accessible via the shadow database.

        * The userdb logic (and thus nss-systemd, and so on) now read
          additional user/group definitions in JSON format from the drop-in
          directories /etc/userdb/, /run/userdb/, /run/host/userdb/ and
          /usr/lib/userdb/. This is a simple and powerful mechanism for making
          additional users available to the system, with full integration into
          NSS including the shadow databases. Since the full JSON user/group
          record format is supported this may also be used to define users with
          resource management settings and other runtime settings that
          pam_systemd and systemd-logind enforce at login.

        * The userdbctl tool gained two new switches --with-dropin= and
          --with-varlink= which can be used to fine-tune the sources used for
          user database lookups.

        * systemd-nspawn gained a new switch --bind-user= for binding a host
          user account into the container. This does three things: the user's
          home directory is bind mounted from the host into the container,
          below the /run/userdb/home/ hierarchy. A free UID is picked in the
          container, and a user namespacing UID mapping to the host user's UID
          installed. And finally, a minimal JSON user and group record (along
          with its hashed password) is dropped into /run/host/userdb/. These
          records are picked up automatically by the userdb drop-in logic
          describe above, and allow the user to login with the same password as
          on the host. Effectively this means: if host and container run new
          enough systemd versions making a host user available to the container
          is trivially simple.

        * systemd-journal-gatewayd now supports the switches --user, --system,
          --merge, --file= that are equivalent to the same switches of
          journalctl, and permit exposing only the specified subset of the
          Journal records.

        * The OnFailure= dependency between units is now augmented with a
          implicit reverse dependency OnFailureOf= (this new dependency cannot
          be configured directly it's only created as effect of an OnFailure=
          dependency in the reverse order — it's visible in "systemctl show"
          however). Similar, Slice= now has an reverse dependency SliceOf=,
          that is also not configurable directly, but useful to determine all
          units that are members of a slice.

        * A pair of new dependency types between units PropagatesStopTo= +
          StopPropagatedFrom= has been added, that allows propagation of unit
          stop events between two units. It operates similar to the existing
          PropagatesReloadTo= + ReloadPropagatedFrom= dependencies.

        * A new dependency type OnSuccess= has been added (plus the reverse
          dependency OnSuccessOf=, which cannot be configured directly, but
          exists only as effect of the reverse OnSuccess=). It is similar to
          OnFailure=, but triggers in the opposite case: when a service exits
          cleanly. This allows "chaining up" of services where one or more
          services are started once another service has successfully completed.

        * A new dependency type Upholds= has been added (plus the reverse
          dependency UpheldBy=, which cannot be configured directly, but exists
          only as effect of Upholds=). This dependency type is a stronger form
          of Wants=: if a unit has an UpHolds= dependency on some other unit
          and the former is active then the latter is started whenever it is
          found inactive (and no job is queued for it). This is an alternative
          to Restart= inside service units, but less configurable, and the
          request to uphold a unit is not encoded in the unit itself but in
          another unit that intends to uphold it.

        * The systemd-ask-password tool now also supports reading passwords
          from the credentials subsystem, via the new --credential= switch.

        * The systemd-ask-password tool learnt a new switch --emoji= which may
          be used to explicit control whether the lock and key emoji (🔐) is
          shown in the password prompt on suitable TTYs.

        * The --echo switch of systemd-ask-password now optionally takes a
          parameter that controls character echo. It may either show asterisks
          (default, as before), turn echo off entirely, or echo the typed
          characters literally.

        * The systemd-ask-password tool also gained a new -n switch for
          suppressing output of a trailing newline character when writing the
          acquired password to standard output, similar to /bin/echo's -n
          switch.

        * New documentation has been added that describes the organization of
          the systemd source code tree:

          https://systemd.io/ARCHITECTURE

        * Units using ConditionNeedsUpdate= will no longer be activated in
          the initrd.

        * It is now possible to list a template unit in the WantedBy= or
          RequiredBy= settings of the [Install] section of another template
          unit, which will be instantiated using the same instance name.

        * A new MemoryAvailable property is available for units. If the unit,
          or the slice(s) it is part of, have a memory limit set via MemoryMax=/
          MemoryHigh=, MemoryAvailable will indicate how much more memory the
          unit can claim before hitting the limit(s).

        * systemd-coredump will now try to stay below the cgroup memory limit
          placed on itself or one of the slices it runs under, if the storage
          area for core files (/var/lib/systemd/coredump/) is placed on a tmpfs,
          since files written on such filesystems count toward the cgroup memory
          limit. If there is not enough available memory in such cases to store
          the core file uncompressed, systemd-coredump will skip to compressed
          storage directly (if enabled) and it will avoid analyzing the core file
          to print backtrace and metadata in the journal.

        * tmpfiles.d/ drop-ins gained a new '=' modifier to check if the type
          of a path matches the configured expectations, and remove it if not.

        * tmpfiles.d/'s 'Age' now accepts an 'age-by' argument, which allows to
          specify which of the several available filesystem timestamps (access
          time, birth time, change time, modification time) to look at when
          deciding whether a path has aged enough to be cleaned.

        * A new IPv6StableSecretAddress= setting has been added to .network
          files, which takes an IPv6 address to use as secret for IPv6 address
          generation.

        * The [DHCPServer] logic in .network files gained support for a new
          UplinkInterface= setting that permits configuration of the uplink
          interface name to propagate DHCP lease information from.

        * The WakeOnLan= setting in .link files now accepts a list of flags
          instead of a single one, to configure multiple wake-on-LAN policies.

        * User-space defined tracepoints (USDT) have been added to udev at
          strategic locations. This is useful for tracing udev behaviour and
          performance with bpftrace and similar tools.

        * systemd-journald-upload gained a new NetworkTimeoutSec= option for
          setting a network timeout time.

        * If a system service is running in a new mount namespace (RootDirectory=
          and friends), all file systems will be mounted with MS_NOSUID by
          default, unless the system is running with SELinux enabled.

        * When enumerating time zones the timedatectl tool will now consult the
          'tzdata.zi' file shipped by the IANA time zone database package, in
          addition to 'zone1970.tab', as before. This makes sure time zone
          aliases are now correctly supported. Some distributions so far did
          not install this additional file, most do however. If you
          distribution does not install it yet, it might make sense to change
          that.

comment:3 by Douglas R. Reno, 17 months ago

Priority: normalhigh

The release notes do not mention the CVE, which is arguably the most important part of this release.

The CVE is known as CVE-2020-13529, and is in the systemd-networkd daemon. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DCHP ACK packets to reconfigure the server.

This issue seems to have been around since 245, so due to the merged-/usr changes, I will create a separate patch for 247 (LFS 10.1) and put that in the security advisory.

comment:4 by Douglas R. Reno, 17 months ago

The man pages tarball has been uploaded to anduin.

This time, I did a DESTDIR install and copied /usr/share/man/* into a folder called systemd-man-pages-249, and then tarred it up.

The MD5SUM is d9f2508d6b114b1c02476cd79b8fc786

It is 584KB in size.

comment:5 by Xi Ruoyao, 17 months ago

I'd rather call this "malignant", we'll need to copy/move MarkupSafe & Jinja2 from BLFS.

comment:6 by Douglas R. Reno, 17 months ago

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.