Bug#837183: systemd: unprivileged call to systemd-resolve starts systemd-resolved even when masked
Brian Kroth
bpkroth at gmail.com
Fri Sep 9 21:47:18 BST 2016
Package: systemd
Version: 230-7~bpo8+2
Severity: normal
Tags: security
Dear Maintainer,
systemd appears to start systemd-resolved in the background, even when it's
been masked, when an unprivileged user calls systemd-resolve.
However, calls to start the service manually via systemctl are rejected
(correctly).
This seems like an error and a potential security issue.
Details on my test and setup are as follows. Let me know if you have
any questions or need any other information.
Thanks,
Brian
# readlink -f /etc/systemd/system/systemd-resolved.service
/dev/null
# systemctl status systemd-resolved.service | head -n3
Failed to dump process list, ignoring: Unit systemd-resolved.service is masked.
● systemd-resolved.service
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
# systemctl start systemd-resolved.service
Failed to start systemd-resolved.service: Unit systemd-resolved.service is masked.
# systemctl status systemd-resolved.service | head -n3
Failed to dump process list, ignoring: Unit systemd-resolved.service is masked.
● systemd-resolved.service
Loaded: masked (/dev/null; bad)
Active: inactive (dead)
# pgrep -l -f systemd-resolved || echo "no systemd-resolved process found"
no systemd-resolved process found
# netstat -lnp | grep :53 || echo "nothing listening on port 53"
nothing listening on port 53
$ systemd-resolve debian.org
debian.org: 2001:41c8:1000:21::21:4
2001:4f8:8:36::1deb:22
2001:610:1908:b000::148:14
140.211.15.34
149.20.20.22
5.153.231.4
128.31.0.62
130.89.148.14
-- Information acquired via protocol DNS in 214.8ms.
-- Data is authenticated: yes
# systemctl status systemd-resolved.service
● systemd-resolved.service - Network Name Resolution
Loaded: loaded (/lib/systemd/system/systemd-resolved.service; masked; vendor preset: enabled)
Drop-In: /lib/systemd/system/systemd-resolved.service.d
└─resolvconf.conf
Active: active (running) since Thu 2016-08-25 09:23:51 CDT; 28s ago
Docs: man:systemd-resolved.service(8)
http://www.freedesktop.org/wiki/Software/systemd/resolved
http://www.freedesktop.org/wiki/Software/systemd/writing-network-configuration-managers
http://www.freedesktop.org/wiki/Software/systemd/writing-resolver-clients
Process: 8468 ExecStartPost=/bin/sh -c [ ! -e /run/resolvconf/enable-updates ] || echo "nameserver 127.0.0.53" | /sbin/resolvconf -a systemd-resolved (code=exited, status=0/SUCCESS)
Main PID: 8465 (systemd-resolve)
Status: "Processing requests..."
Tasks: 1
CPU: 18ms
CGroup: /system.slice/systemd-resolved.service
└─8465 /lib/systemd/systemd-resolved
# pgrep -l -f systemd-resolved || echo "no systemd-resolved process found"
8465 systemd-resolve
# sudo netstat -lnp | grep :53 || echo "nothing listening on port 53"
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 8465/systemd-resolv
udp 0 0 127.0.0.53:53 0.0.0.0:* 8465/systemd-resolv
# systemd-delta
[MASKED] /etc/systemd/system/systemd-timesyncd.service -> /lib/systemd/system/systemd-timesyncd.service
[EXTENDED] /etc/systemd/system/systemd-timesyncd.service -> /lib/systemd/system/systemd-timesyncd.service.d/disable-with-time-daemon.conf
[EXTENDED] /lib/systemd/system/watchdog.service -> /etc/systemd/system/watchdog.service.d/01-fixup-syslog-messages-file.conf
[MASKED] /etc/systemd/system/systemd-resolved.service -> /lib/systemd/system/systemd-resolved.service
[EXTENDED] /etc/systemd/system/systemd-resolved.service -> /lib/systemd/system/systemd-resolved.service.d/resolvconf.conf
[EXTENDED] /lib/systemd/system/syslog.socket -> /etc/systemd/system/syslog.socket.d/more-receive-buffer.conf
[EXTENDED] /lib/systemd/system/systemd-journald.service -> /etc/systemd/system/systemd-journald.service.d/syslog-deps.conf
[EXTENDED] /lib/systemd/system/rc-local.service -> /lib/systemd/system/rc-local.service.d/debian.conf
[MASKED] /etc/systemd/system/dev-hugepages.mount -> /lib/systemd/system/dev-hugepages.mount
[MASKED] /etc/systemd/system/dev-mqueue.mount -> /lib/systemd/system/dev-mqueue.mount
[MASKED] /etc/systemd/system/systemd-networkd.service -> /lib/systemd/system/systemd-networkd.service
[OVERRIDDEN] /etc/udev/rules.d/80-net-setup-link.rules -> /lib/udev/rules.d/80-net-setup-link.rules
-- Package-specific info:
-- System Information:
Debian Release: 8.5
APT prefers stable
APT policy: (500, 'stable'), (120, 'testing'), (110, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.5.0-0.bpo.2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages systemd depends on:
ii adduser 3.113+nmu3
ii libacl1 2.2.52-2
ii libapparmor1 2.10.95-4~bpo8+2
ii libaudit1 1:2.4-1+b1
ii libblkid1 2.25.2-6
ii libc6 2.19-18+deb8u4
ii libcap2 1:2.24-8
ii libcap2-bin 1:2.24-8
ii libcryptsetup4 2:1.6.6-5
ii libgcrypt20 1.6.3-2+deb8u2
ii libgpg-error0 1.17-3
ii libidn11 1.29-1+deb8u2
ii libkmod2 18-3
ii liblzma5 5.1.1alpha+20120614-2+b3
ii libmount1 2.25.2-6
ii libpam0g 1.1.8-3.1+deb8u1+b1
ii libseccomp2 2.1.1-1
ii libselinux1 2.3-2
ii libsystemd0 230-7~bpo8+2
ii mount 2.25.2-6
ii util-linux 2.25.2-6
Versions of packages systemd recommends:
ii dbus 1.8.20-0+deb8u1
ii libpam-systemd 230-7~bpo8+2
Versions of packages systemd suggests:
pn policykit-1 <none>
ii systemd-container 230-7~bpo8+2
pn systemd-ui <none>
Versions of packages systemd is related to:
ii udev 230-7~bpo8+2
-- Configuration Files:
/etc/systemd/journald.conf changed [not included]
/etc/systemd/logind.conf changed [not included]
/etc/systemd/resolved.conf changed [not included]
/etc/systemd/system.conf changed [not included]
/etc/systemd/timesyncd.conf changed [not included]
-- no debconf information
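The transcript above shows the state a defender would want to catch: a unit whose file is masked yet whose ActiveState is active with a live MainPID. The following is an added audit helper, not part of the bug report; it parses `systemctl show`-style `Key=Value` blocks (one unit per block, blank-line separated) and flags every masked unit that is nonetheless running. The `audit_masked_running` name and the sample input are constructed for this example.

```sh
#!/bin/sh
# Added example: report units that are masked (LoadState or UnitFileState)
# but still active. Reads `systemctl show -p Id,LoadState,UnitFileState,
# ActiveState,MainPID <units...>` output on stdin, prints "unit mainpid"
# for each offender. Live use (assumed invocation, not from the report):
#   systemctl show -p Id,LoadState,UnitFileState,ActiveState,MainPID \
#     $(systemctl list-units --all --plain --no-legend | awk '{print $1}') \
#     | audit_masked_running
audit_masked_running() {
    awk -F= '
        $1 == "Id"            { id = $2 }
        $1 == "LoadState"     { load = $2 }
        $1 == "UnitFileState" { filestate = $2 }
        $1 == "ActiveState"   { active = $2 }
        $1 == "MainPID"       { pid = $2 }
        /^$/ { flush() }        # blank line ends one unit block
        END  { flush() }        # last block has no trailing blank line
        function flush() {
            if (id != "" && active == "active" &&
                (load == "masked" || filestate == "masked"))
                print id, pid
            id = load = filestate = active = pid = ""
        }
    '
}

# Constructed sample modelled on the report: resolved is masked on disk but
# was loaded and started anyway (the bug); networkd is masked and correctly
# inactive; journald is an ordinary running unit and must not be flagged.
SAMPLE='Id=systemd-resolved.service
LoadState=loaded
UnitFileState=masked
ActiveState=active
MainPID=8465

Id=systemd-networkd.service
LoadState=masked
UnitFileState=bad
ActiveState=inactive
MainPID=0

Id=systemd-journald.service
LoadState=loaded
UnitFileState=static
ActiveState=active
MainPID=312'

printf '%s\n' "$SAMPLE" | audit_masked_running
# prints: systemd-resolved.service 8465
```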