Opened 3 years ago

Closed 3 years ago

#4882 closed enhancement (fixed)

systemd-249

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: high
Milestone: 11.0
Component: Book
Version: git
Severity: normal
Keywords:
Cc:

Description

New version

It looks relatively benign on the changes end.

Change History (6)

comment:1 by Douglas R. Reno, 3 years ago

Owner: changed from lfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 3 years ago

CHANGES WITH 249:

        * When operating on disk images via the --image= switch of various
          tools (such as systemd-nspawn or systemd-dissect), or when udev finds
          no 'root=' parameter on the kernel command line, and multiple
          suitable root or /usr/ partitions exist in the image, then a simple
          comparison inspired by strverscmp() is done on the GPT partition
          label, and the newest partition is picked. This permits a simple and
          generic whole-file-system A/B update logic where new operating system
          versions are dropped into partitions whose label is then updated with
          a matching version identifier.

        * systemd-sysusers now supports querying the passwords to set for the
          users it creates via the "credentials" logic introduced in v247: the
          passwd.hashed-password.<user> and passwd.plaintext-password.<user>
          credentials are consulted for the password to use (either in UNIX
          hashed form, or literally). By default these credentials are inherited
          down from PID1 (which in turn imports it from a container manager if
          there is one). This permits easy configuration of user passwords
          during first boot. Example:

          # systemd-nspawn -i foo.raw --volatile=yes --set-credential=passwd.plaintext-password.root:foo

          Note that systemd-sysusers operates in purely additive mode: it
          executes no operation if the declared users already exist, and hence
          doesn't set any passwords as effect of the command line above if the
          specified root user exists already in the image. (Note that
          --volatile=yes ensures it doesn't, though.)

        * systemd-firstboot now also supports querying various system
          parameters via the credential subsystems. Thus, as above this may be
          used to initialize important system parameters on first boot of
          previously unprovisioned images (i.e. images with a mostly empty
          /etc/).

        * PID 1 may now show both the unit name and the unit description
          strings in its status output during boot. This may be configured with
          StatusUnitFormat=combined in system.conf or
          systemd.status-unit-format=combined on the kernel command line.

        * The systemd-machine-id-setup tool now supports a --image= switch for
          provisioning a machine ID file into an OS disk image, similar to how
          --root= operates on an OS file tree. This matches the existing switch
          of the same name for systemd-tmpfiles, systemd-firstboot, and
          systemd-sysusers tools.

        * Similarly, systemd-repart gained support for the --image= switch too.
          In combination with the existing --size= option, this makes the tool
          particularly useful for easily growing disk images in a single
          invocation, following the declarative rules included in the image
          itself.

        * systemd-repart's partition configuration files gained support for a
          new switch MakeDirectories= which may be used to create arbitrary
          directories inside file systems that are created, before registering
          them in the partition table. This is useful in particular for root
          partitions to create mount point directories for other partitions
          included in the image. For example, a disk image that contains a
          root, /home/, and /var/ partitions, may set MakeDirectories=yes to
          create /home/ and /var/ as empty directories in the root file system
          on its creation, so that the resulting image can be mounted
          immediately, even in read-only mode.

        * systemd-repart's CopyBlocks= setting gained support for the special
          value "auto". If used, a suitable matching partition on the booted OS
          is found as source to copy blocks from. This is useful when
          implementing replicating installers, that are booted from one medium
          and then stream their own root partition onto the target medium.

        * systemd-repart's partition configuration files gained support for a
          Flags=, a ReadOnly= and a NoAuto= setting, allowing control of these
          GPT partition flags for the created partitions: this is useful for
          marking newly created partitions as read-only, or as not being
          subject for automatic mounting from creation on.

        * The /etc/os-release file has been extended with two new (optional)
          variables IMAGE_VERSION= and IMAGE_ID=, carrying identity and version
          information for OS images that are updated comprehensively and
          atomically as one image. Two new specifiers %M, %A now resolve to
          these two fields in the various configuration options that resolve
          specifiers.

        * portablectl gained a new switch --extension= for enabling portable
          service images with extensions that follow the extension image
          concept introduced with v248, and thus allows layering multiple
          images when setting up the root filesystem of the service.

        * systemd-coredump will now extract ELF build-id information from
          processes dumping core and include it in the coredump report.
          Moreover, it will look for ELF .note.package sections with
          distribution packaging meta-information about the crashing process.
          This is useful to directly embed the rpm or deb (or any other)
          package name and version in ELF files, making it easy to match
          coredump reports with the specific package for which the software was
          compiled. This is particularly useful on environments with ELF files
          from multiple vendors, different distributions and versions, as is
          common today in our containerized and sand-boxed world. For further
          information, see:

          https://systemd.io/COREDUMP_PACKAGE_METADATA

        * A new udev hardware database has been added for FireWire devices
          (IEEE 1394).

        * The "net_id" built-in of udev has been updated with three
          backwards-incompatible changes:

          - PCI hotplug slot names on s390 systems are now parsed as
            hexadecimal numbers. They were incorrectly parsed as decimal
            previously, or ignored if the name was not a valid decimal
            number.

          - PCI onboard indices up to 65535 are allowed. Previously, numbers
            above 16383 were rejected. This primarily impacts s390 systems,
            where values up to 65535 are used.

          - Invalid characters in interface names are replaced with "_".

          The new version of the net naming scheme is "v249". The previous
          scheme can be selected via the "net.naming-scheme=v247" kernel
          command line parameter.

        * sd-bus' sd_bus_is_ready() and sd_bus_is_open() calls now accept a
          NULL bus object, for which they will return false. Or in other words,
          an unallocated bus connection is neither ready nor open.

        * The sd-device API acquired a new API function
          sd_device_get_usec_initialized() that returns the monotonic time when
          the udev device first appeared in the database.

        * sd-device gained new APIs sd_device_trigger_with_uuid() and
          sd_device_get_trigger_uuid(). The former is similar to
          sd_device_trigger() but returns a randomly generated UUID that is
          associated with the synthetic uevent generated by the call. This UUID
          may be read from the sd_device object a monitor eventually receives,
          via the sd_device_get_trigger_uuid(). This interface requires kernel
          4.13 or above to work, and allows tracking a synthetic uevent through
          the entire device management stack. The "udevadm trigger --settle"
          logic has been updated to make use of this concept if available to
          wait precisely for the uevents it generates. "udevadm trigger" also
          gained a new parameter --uuid that prints the UUID for each generated
          uevent.

        * sd-device also gained new APIs sd_device_new_from_ifname() and
          sd_device_new_from_ifindex() for allocating an sd-device object for
          the specified network interface. The former accepts an interface name
          (either a primary or an alternative name), the latter an interface
          index.

        * The native Journal protocol has been documented. Clients may talk
          this as alternative to the classic BSD syslog protocol for locally
          delivering log records to the Journal. The protocol has been stable
          for a long time and in fact been implemented already in a variety
          of alternative client libraries. This documentation makes the support
          for that official:

          https://systemd.io/JOURNAL_NATIVE_PROTOCOL

        * A new BPFProgram= setting has been added to service files. It may be
          set to a path to a loaded kernel BPF program, i.e. a path to a bpffs
          file, or a bind mount or symlink to one. This may be used to upload
          and manage BPF programs externally and then hook arbitrary systemd
          services into them.

        * The "home.arpa" domain that has been officially declared as the
          choice for domain for local home networks per RFC 8375 has been added
          to the default NTA list of resolved, since DNSSEC is generally not
          available on private domains.

        * The CPUAffinity= setting of unit files now resolves "%" specifiers.

        * A new ManageForeignRoutingPolicyRules= setting has been added to
          .network files which may be used to exclude foreign-created routing
          policy rules from systemd-networkd management.

        * systemd-network-wait-online gained two new switches -4 and -6 that
          may be used to tweak whether to wait for only IPv4 or only IPv6
          connectivity.

        * .network files gained a new RequiredFamilyForOnline= setting to
          fine-tune whether to require an IPv4 or IPv6 address in order to
          consider an interface "online".

        * networkctl will now show an over-all "online" state in the per-link
          information.

        * In .network files a new OutgoingInterface= setting has been added to
          specify the output interface in bridge FDB setups.

        * In .network files the Multipath group ID may now be configured for
          [NextHop] entries, via the new Group= setting.

        * The DHCP server logic configured in .network files gained a new
          setting RelayTarget= that turns the server into a DHCP server relay.
          The RelayAgentCircuitId= and RelayAgentRemoteId= settings may be used
          to further tweak the DHCP relay behaviour.

        * The DHCP server logic also gained a new ServerAddress= setting in
          .network files that explicitly specifies the server IP address to
          use. If not specified, the address is determined automatically, as
          before.

        * The DHCP server logic in systemd-networkd gained support for static
          DHCP leases, configurable via the [DHCPServerStaticLease]
          section. This allows explicitly mapping specific MAC addresses to
          fixed IP addresses and vice versa.

        * The RestrictAddressFamilies= setting in service files now supports a
          new special value "none". If specified sockets of all address
          families will be made unavailable to services configured that way.

        * systemd-fstab-generator and systemd-repart have been updated to
          support booting from disks that carry only a /usr/ partition but no
          root partition yet, and where systemd-repart can add it in on the
          first boot. This is useful for implementing systems that ship with a
          single /usr/ file system, and whose root file system shall be set up
          and formatted on a LUKS-encrypted volume whose key is generated
          locally (and possibly enrolled in the TPM) during the first boot.

        * The [Address] section of .network files now accepts a new
          RouteMetric= setting that configures the routing metric to use for
          the prefix route created as effect of the address configuration.
          Similarly, the [DHCPv6PrefixDelegation] and [IPv6Prefix] sections
          gained matching settings for their prefix routes. (The option of the
          same name in the [DHCPv6] section is moved to [IPv6AcceptRA], since
          it conceptually belongs there; the old option is still understood for
          compatibility.)

        * The DHCPv6 IAID and DUID are now explicitly configurable in .network
          files.

        * A new udev property ID_NET_DHCP_BROADCAST on network interface
          devices is now honoured by systemd-networkd, controlling whether to
          issue DHCP offers via broadcasting. This is used to ensure that s390
          layer 3 network interfaces work out-of-the-box with systemd-networkd.

        * nss-myhostname and systemd-resolved will now synthesize address
          records for a new special hostname "_outbound". The name will always
          resolve to the local IP addresses most likely used for outbound
          connections towards the default routes. On multi-homed hosts this is
          useful to have a stable handle referring to "the" local IP address
          that matters most, to the point where this is defined.

        * The Discoverable Partition Specification has been updated with a new
          GPT partition flag "grow-file-system" defined for its partition
          types. Whenever partitions with this flag set are automatically
          mounted (i.e. via systemd-gpt-auto-generator or the --image= switch
          of systemd-nspawn or other tools; and as opposed to explicit mounting
          via /etc/fstab), the file system within the partition is
          automatically grown to the full size of the partition. If the file
          system size already matches the partition size this flag has no
          effect. Previously, this functionality has been available via the
          explicit x-systemd.growfs mount option, and this new flag extends
          this to automatically discovered mounts. A new GrowFileSystem=
          setting has been added to systemd-repart drop-in files that allows
          configuring this partition flag. This new flag defaults to on for
          partitions automatically created by systemd-repart, except if they
          are marked read-only. See the specification for further details:

          https://systemd.io/DISCOVERABLE_PARTITIONS

        * .network files gained a new setting RoutesToNTP= in the [DHCPv4]
          section. If enabled (which is the default), and an NTP server address
          is acquired through a DHCP lease on this interface an explicit route
          to this address is created on this interface to ensure that NTP
          traffic to the NTP server acquired on an interface is also routed
          through that interface. The pre-existing RoutesToDNS= setting that
          implements the same for DNS servers is now enabled by default.

        * A pair of service settings SocketBindAllow= + SocketBindDeny= have
          been added that may be used to restrict the network interfaces
          sockets created by the service may be bound to. This is implemented
          via BPF.

        * A new ConditionFirmware= setting has been added to unit files to
          conditionalize on certain firmware features. At the moment it may
          check whether running on an UEFI system, a device.tree system, or if
          the system is compatible with some specified device-tree feature.

        * A new ConditionOSRelease= setting has been added to unit files to
          check os-release(5) fields. The "=", "!=", "<", "<=", ">=", ">"
          operators may be used to check if some field has some specific value
          or do an alphanumerical comparison. Equality comparisons are useful
          for fields like ID, but relative comparisons for fields like
          VERSION_ID or IMAGE_VERSION.

        * hostnamed gained a new Describe() D-Bus method that returns a JSON
          serialization of the host data it exposes. This is exposed via
          "hostnamectl --json=" to acquire a host identity description in JSON.
          It's our intention to add a similar features to most services and
          objects systemd manages, in order to simplify integration with
          program code that can consume JSON.

        * Similarly, networkd gained a Describe() method on its Manager and
          Link bus objects. This is exposed via "networkctl --json=".

        * hostnamectl's various "get-xyz"/"set-xyz" verb pairs
          (e.g. "hostnamectl get-hostname", "hostnamectl "set-hostname") have
          been replaced by a single "xyz" verb (e.g. "hostnamectl hostname")
          that is used both to get the value (when no argument is given), and
          to set the value (when an argument is specified). The old names
          continue to be supported for compatibility.

        * systemd-detect-virt and ConditionVirtualization= are now able to
          correctly identify Amazon EC2 environments.

        * The LogLevelMax= setting of unit files now applies not only to log
          messages generated *by* the service, but also to log messages
          generated *about* the service by PID 1. To suppress logs concerning a
          specific service comprehensively, set this option to a high log
          level.

        * bootctl gained support for a new --make-machine-id-directory= switch
          that allows precise control on whether to create the top-level
          per-machine directory in the boot partition that typically contains
          Type 1 boot loader entries.

        * During build SBAT data to include in the systemd-boot EFI PE binaries
          may be specified now.

        * /etc/crypttab learnt a new option "headless". If specified any
          requests to query the user interactively for passwords or PINs will
          be skipped. This is useful on systems that are headless, i.e. where
          an interactive user is generally not present.

        * /etc/crypttab also learnt a new option "password-echo=" that allows
          configuring whether the encryption password prompt shall echo the
          typed password and if so, do so literally or via asterisks. (The
          default is the same behaviour as before: provide echo feedback via
          asterisks.)

        * FIDO2 support in systemd-cryptenroll/systemd-cryptsetup and
          systemd-homed has been updated to allow explicit configuration of the
          "user presence" and "user verification" checks, as well as whether a
          PIN is required for authentication, via the new switches
          --fido2-with-user-presence=, --fido2-with-user-verification=,
          --fido2-with-client-pin= to systemd-cryptenroll and homectl. Which
          features are available, and may be enabled or disabled depends on the
          used FIDO2 token.

        * systemd-nspawn's --private-user= switch now accepts the special value
          "identity" which configures a user namespacing environment with an
          identity mapping of 65535 UIDs. This means the container UID 0 is
          mapped to the host UID 0, and the UID 1 to host UID 1. On first look
          this doesn't appear to be useful, however it does reduce the attack
          surface a bit, since the resulting container will possess process
          capabilities only within its namespace and not on the host.

        * systemd-nspawn's --private-user-chown switch has been replaced by a
          more generic --private-user-ownership= switch that accepts one of
          three values: "chown" is equivalent to the old --private-user-chown,
          and "off" is equivalent to the absence of the old switch. The value
          "map" uses the new UID mapping mounts of Linux 5.12 to map ownership
          of files and directories of the underlying image to the chosen UID
          range for the container. "auto" is equivalent to "map" if UID mapping
          mount are supported, otherwise it is equivalent to "chown". The short
          -U switch systemd-nspawn now implies --private-user-ownership=auto
          instead of the old --private-user-chown. Effectively this means: if
          the backing file system supports UID mapping mounts the feature is
          now used by default if -U is used. Generally, it's a good idea to use
          UID mapping mounts instead of recursive chown()ing, since it allows
          running containers off immutable images (since no modifications of
          the images need to take place), and share images between multiple
          instances. Moreover, the recursive chown()ing operation is slow and
          can be avoided. Conceptually it's also a good thing if transient UID
          range uses do not leak into persistent file ownership anymore. TLDR:
          finally, the last major drawback of user namespacing has been
          removed, and -U should always be used (unless you use btrfs, where
          UID mapped mounts do not exist; or your container actually needs
          privileges on the host).

        * nss-systemd now synthesizes user and group shadow records in addition
          to the main user and group records. Thus, hashed passwords managed by
          systemd-homed are now accessible via the shadow database.

        * The userdb logic (and thus nss-systemd, and so on) now read
          additional user/group definitions in JSON format from the drop-in
          directories /etc/userdb/, /run/userdb/, /run/host/userdb/ and
          /usr/lib/userdb/. This is a simple and powerful mechanism for making
          additional users available to the system, with full integration into
          NSS including the shadow databases. Since the full JSON user/group
          record format is supported this may also be used to define users with
          resource management settings and other runtime settings that
          pam_systemd and systemd-logind enforce at login.

        * The userdbctl tool gained two new switches --with-dropin= and
          --with-varlink= which can be used to fine-tune the sources used for
          user database lookups.

        * systemd-nspawn gained a new switch --bind-user= for binding a host
          user account into the container. This does three things: the user's
          home directory is bind mounted from the host into the container,
          below the /run/userdb/home/ hierarchy. A free UID is picked in the
          container, and a user namespacing UID mapping to the host user's UID
          installed. And finally, a minimal JSON user and group record (along
          with its hashed password) is dropped into /run/host/userdb/. These
          records are picked up automatically by the userdb drop-in logic
          described above, and allow the user to login with the same password as
          on the host. Effectively this means: if host and container run new
          enough systemd versions making a host user available to the container
          is trivially simple.

        * systemd-journal-gatewayd now supports the switches --user, --system,
          --merge, --file= that are equivalent to the same switches of
          journalctl, and permit exposing only the specified subset of the
          Journal records.

        * The OnFailure= dependency between units is now augmented with an
          implicit reverse dependency OnFailureOf= (this new dependency cannot
          be configured directly it's only created as effect of an OnFailure=
          dependency in the reverse order — it's visible in "systemctl show"
          however). Similarly, Slice= now has a reverse dependency SliceOf=,
          that is also not configurable directly, but useful to determine all
          units that are members of a slice.

        * A pair of new dependency types between units PropagatesStopTo= +
          StopPropagatedFrom= has been added, that allows propagation of unit
          stop events between two units. It operates similar to the existing
          PropagatesReloadTo= + ReloadPropagatedFrom= dependencies.

        * A new dependency type OnSuccess= has been added (plus the reverse
          dependency OnSuccessOf=, which cannot be configured directly, but
          exists only as effect of the reverse OnSuccess=). It is similar to
          OnFailure=, but triggers in the opposite case: when a service exits
          cleanly. This allows "chaining up" of services where one or more
          services are started once another service has successfully completed.

        * A new dependency type Upholds= has been added (plus the reverse
          dependency UpheldBy=, which cannot be configured directly, but exists
          only as effect of Upholds=). This dependency type is a stronger form
          of Wants=: if a unit has an UpHolds= dependency on some other unit
          and the former is active then the latter is started whenever it is
          found inactive (and no job is queued for it). This is an alternative
          to Restart= inside service units, but less configurable, and the
          request to uphold a unit is not encoded in the unit itself but in
          another unit that intends to uphold it.

        * The systemd-ask-password tool now also supports reading passwords
          from the credentials subsystem, via the new --credential= switch.

        * The systemd-ask-password tool learnt a new switch --emoji= which may
          be used to explicit control whether the lock and key emoji (🔐) is
          shown in the password prompt on suitable TTYs.

        * The --echo switch of systemd-ask-password now optionally takes a
          parameter that controls character echo. It may either show asterisks
          (default, as before), turn echo off entirely, or echo the typed
          characters literally.

        * The systemd-ask-password tool also gained a new -n switch for
          suppressing output of a trailing newline character when writing the
          acquired password to standard output, similar to /bin/echo's -n
          switch.

        * New documentation has been added that describes the organization of
          the systemd source code tree:

          https://systemd.io/ARCHITECTURE

        * Units using ConditionNeedsUpdate= will no longer be activated in
          the initrd.

        * It is now possible to list a template unit in the WantedBy= or
          RequiredBy= settings of the [Install] section of another template
          unit, which will be instantiated using the same instance name.

        * A new MemoryAvailable property is available for units. If the unit,
          or the slice(s) it is part of, have a memory limit set via MemoryMax=/
          MemoryHigh=, MemoryAvailable will indicate how much more memory the
          unit can claim before hitting the limit(s).

        * systemd-coredump will now try to stay below the cgroup memory limit
          placed on itself or one of the slices it runs under, if the storage
          area for core files (/var/lib/systemd/coredump/) is placed on a tmpfs,
          since files written on such filesystems count toward the cgroup memory
          limit. If there is not enough available memory in such cases to store
          the core file uncompressed, systemd-coredump will skip to compressed
          storage directly (if enabled) and it will avoid analyzing the core file
          to print backtrace and metadata in the journal.

        * tmpfiles.d/ drop-ins gained a new '=' modifier to check if the type
          of a path matches the configured expectations, and remove it if not.

        * tmpfiles.d/'s 'Age' now accepts an 'age-by' argument, which allows to
          specify which of the several available filesystem timestamps (access
          time, birth time, change time, modification time) to look at when
          deciding whether a path has aged enough to be cleaned.

        * A new IPv6StableSecretAddress= setting has been added to .network
          files, which takes an IPv6 address to use as secret for IPv6 address
          generation.

        * The [DHCPServer] logic in .network files gained support for a new
          UplinkInterface= setting that permits configuration of the uplink
          interface name to propagate DHCP lease information from.

        * The WakeOnLan= setting in .link files now accepts a list of flags
          instead of a single one, to configure multiple wake-on-LAN policies.

        * User-space defined tracepoints (USDT) have been added to udev at
          strategic locations. This is useful for tracing udev behaviour and
          performance with bpftrace and similar tools.

        * systemd-journald-upload gained a new NetworkTimeoutSec= option for
          setting a network timeout time.

        * If a system service is running in a new mount namespace (RootDirectory=
          and friends), all file systems will be mounted with MS_NOSUID by
          default, unless the system is running with SELinux enabled.

        * When enumerating time zones the timedatectl tool will now consult the
          'tzdata.zi' file shipped by the IANA time zone database package, in
          addition to 'zone1970.tab', as before. This makes sure time zone
          aliases are now correctly supported. Some distributions so far did
          not install this additional file, most do however. If your
          distribution does not install it yet, it might make sense to change
          that.

comment:3 by Douglas R. Reno, 3 years ago

Priority: normal → high

The release notes do not mention the CVE, which is arguably the most important part of this release.

The CVE is known as CVE-2020-13529, and is in the systemd-networkd daemon. A specially crafted DHCP FORCERENEW packet can cause a server running the DHCP client to be vulnerable to a DHCP ACK spoofing attack. An attacker can forge a pair of FORCERENEW and DHCP ACK packets to reconfigure the server.

This issue seems to have been around since 245, so due to the merged-/usr changes, I will create a separate patch for 247 (LFS 10.1) and put that in the security advisory.
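The comment above describes the CVE-2020-13529 mechanism: an unsolicited DHCP FORCERENEW followed by a spoofed ACK. RFC 3203 requires FORCERENEW messages to carry the RFC 3118 authentication option (option 90), so a FORCERENEW without it is exactly the kind of message a defender would want to spot on the wire or in a capture. The following is an added example written for this ticket, not systemd code and not part of the LFS book: it parses raw DHCP UDP payloads, flags unauthenticated FORCERENEW messages, and rejects malformed packets instead of treating them as benign. The three packets at the bottom are constructed fixtures (the transaction id, the 192.0.2.1 server id and the auth option body are all made up); the check only tests for the presence of option 90 and does not validate the HMAC it would carry.

```python
"""Flag DHCP FORCERENEW messages that carry no RFC 3118 authentication option.

Added example for this ticket; not systemd code. The packets at the bottom are
constructed test fixtures, not captured traffic.
"""
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_FIXED_LEN = 236          # op .. file fields that precede the magic cookie
OPT_PAD, OPT_END = 0, 255
OPT_MESSAGE_TYPE = 53
OPT_SERVER_ID = 54
OPT_AUTHENTICATION = 90        # RFC 3118 authentication option
MSG_FORCERENEW = 9             # RFC 3203 message type
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM", 9: "FORCERENEW"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value} from a raw DHCP UDP payload.

    Raises ValueError on a truncated message or a missing magic cookie so a
    malformed packet is never silently classified as harmless.
    """
    if len(payload) < BOOTP_FIXED_LEN + 4:
        raise ValueError("payload too short for a DHCP message")
    if payload[BOOTP_FIXED_LEN:BOOTP_FIXED_LEN + 4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = BOOTP_FIXED_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def classify_dhcp(payload: bytes) -> dict:
    """Summarize one DHCP message; 'suspicious' marks an unauthenticated FORCERENEW."""
    options = parse_dhcp_options(payload)
    raw_type = options.get(OPT_MESSAGE_TYPE, b"")
    msg_type = raw_type[0] if len(raw_type) == 1 else None
    xid = struct.unpack("!I", payload[4:8])[0]
    authenticated = OPT_AUTHENTICATION in options   # presence only, HMAC not verified
    return {
        "xid": xid,
        "message_type": MESSAGE_TYPES.get(msg_type, "UNKNOWN"),
        "authenticated": authenticated,
        "suspicious": msg_type == MSG_FORCERENEW and not authenticated,
    }


def audit(payloads) -> list:
    """Return (index, xid) for every unauthenticated FORCERENEW in a packet sequence."""
    findings = []
    for index, payload in enumerate(payloads):
        info = classify_dhcp(payload)
        if info["suspicious"]:
            findings.append((index, info["xid"]))
    return findings


def build_dhcp_message(op: int, xid: int, options: bytes) -> bytes:
    """Build a minimal DHCP message (constructed fixture for the checks above)."""
    zero4, zero16, zero64, zero128 = b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,          # op, htype, hlen, hops, xid, secs, flags
                         zero4, zero4, zero4, zero4,      # ciaddr, yiaddr, siaddr, giaddr
                         zero16, zero64, zero128)         # chaddr, sname, file
    return header + DHCP_MAGIC_COOKIE + options + bytes([OPT_END])


BOOTREPLY = 2
XID = 0x1234ABCD                                        # constructed transaction id
SERVER_ID = bytes([OPT_SERVER_ID, 4, 192, 0, 2, 1])    # 192.0.2.1, documentation range
# Constructed fixtures: a normal ACK, a FORCERENEW without option 90, and one with it.
SAMPLE_ACK = build_dhcp_message(BOOTREPLY, XID, bytes([OPT_MESSAGE_TYPE, 1, 5]) + SERVER_ID)
SAMPLE_FORCERENEW_UNAUTH = build_dhcp_message(
    BOOTREPLY, XID, bytes([OPT_MESSAGE_TYPE, 1, MSG_FORCERENEW]) + SERVER_ID)
SAMPLE_FORCERENEW_AUTH = build_dhcp_message(
    BOOTREPLY, XID,
    bytes([OPT_MESSAGE_TYPE, 1, MSG_FORCERENEW]) + SERVER_ID
    + bytes([OPT_AUTHENTICATION, 11]) + b"\x01\x01\x00" + b"\x00" * 8)  # placeholder auth body

if __name__ == "__main__":
    for index, xid in audit([SAMPLE_ACK, SAMPLE_FORCERENEW_UNAUTH, SAMPLE_FORCERENEW_AUTH]):
        print(f"packet {index}: unauthenticated FORCERENEW, xid=0x{xid:08x}")
```

Feed `audit()` the UDP payloads of port 67/68 traffic from a capture and it reports only the FORCERENEW messages that arrive without the authentication option; a client that honours such messages is the behaviour the advisory describes, so on a fleet that cannot yet run the fixed version these findings are the ones to alert on.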

comment:4 by Douglas R. Reno, 3 years ago

The man pages tarball has been uploaded to anduin.

This time, I did a DESTDIR install and copied /usr/share/man/* into a folder called systemd-man-pages-249, and then tarred it up.

The MD5SUM is d9f2508d6b114b1c02476cd79b8fc786

It is 584KB in size.

comment:5 by Xi Ruoyao, 3 years ago

I'd rather call this "malignant", we'll need to copy/move MarkupSafe & Jinja2 from BLFS.

comment:6 by Douglas R. Reno, 3 years ago

Resolution: fixed
Status: assigned → closed