Bug#837183: systemd: unprivileged call to systemd-resolve starts systemd-resolved even when masked

Michael Biebl biebl at debian.org
Fri Sep 9 23:26:56 BST 2016


Am 10.09.2016 um 00:20 schrieb Brian Kroth:
> Michael Biebl <biebl at debian.org> 2016-09-09 23:33:
>> Am 09.09.2016 um 22:47 schrieb Brian Kroth:
>>> Package: systemd
>>> Version: 230-7~bpo8+2
>>> Severity: normal
>>> Tags: security
>>>
>>> Dear Maintainer,
>>>
>>> systemd appears to start systemd-resolved, even when it's been masked,
>>> in the background even when an unprivileged user calls systemd-resolve.
>>>
>>> However, calls to start the service manually via systemctl are rejected
>>> (correctly).
>>>
>>> This seems like an error and a potential security issue.
>>>
>>> Details on my test and setup are as follows.  Let me know if you have
>>> any questions or need any other information.
>>
>> I assume you have libnss-resolve installed and enabled (in
>> /etc/nsswitch)?
> 

Oh, I guess I have an idea what's happening.
systemd-resolve triggers the start via D-Bus activation.

/usr/share/dbus-1/system-services/org.freedesktop.resolve1.service
has
SystemdService=dbus-org.freedesktop.resolve1.service

dbus-org.freedesktop.resolve1.service is a symlink to
systemd-resolved.service

So, you'll also need to mask that name, i.e.
dbus-org.freedesktop.resolve1.service

If you do that, can you still trigger the start via systemd-resolve?





-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
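The check implied by the reply above, as an added example that is not part of this thread or of systemd itself: read the SystemdService= name from the D-Bus activation file, then require that both that name and the unit its alias symlink points at are masked. It assumes the usual layout (a mask is an /etc/systemd/system symlink to /dev/null, the alias symlink lives in the vendor unit dir) and builds a throwaway tree so it runs without touching the host.

```shell
#!/bin/sh
# Added example (not from the bug report or systemd): verify that a bus-
# activatable service cannot be reached through its SystemdService= alias
# when the real unit is masked. Directory arguments are parameters so the
# check can run on a constructed tree; on a real host they would be
# /etc/systemd/system, /lib/systemd/system and /usr/share/dbus-1/system-services.

# Print the unit named by SystemdService= in a D-Bus activation file.
dbus_systemd_unit() {
    sed -n 's/^SystemdService=//p' "$1" | head -n 1
}

# True if unit $2 is masked in unit dir $1 (a symlink to /dev/null).
unit_masked() {
    [ -L "$1/$2" ] && [ "$(readlink "$1/$2")" = /dev/null ]
}

# True only if every name bus activation can reach is masked: the
# SystemdService= name itself and, when that name is an alias symlink in
# the vendor unit dir $3, the unit it points at.
activation_fully_masked() {
    etc_dir=$1 dbus_file=$2 lib_dir=$3
    unit=$(dbus_systemd_unit "$dbus_file") || return 1
    [ -n "$unit" ] || return 1
    unit_masked "$etc_dir" "$unit" || return 1
    if [ -L "$lib_dir/$unit" ]; then
        target=$(basename "$(readlink "$lib_dir/$unit")")
        unit_masked "$etc_dir" "$target" || return 1
    fi
}

# Constructed tree reproducing the report: systemd-resolved.service is
# masked, but the dbus-org.freedesktop.resolve1.service alias is not.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/lib" "$root/dbus"
    ln -s /dev/null "$root/etc/systemd-resolved.service"
    ln -s systemd-resolved.service "$root/lib/dbus-org.freedesktop.resolve1.service"
    printf '%s\n' '[D-BUS Service]' 'Name=org.freedesktop.resolve1' \
        'Exec=/lib/systemd/systemd-resolved' \
        'SystemdService=dbus-org.freedesktop.resolve1.service' \
        > "$root/dbus/org.freedesktop.resolve1.service"
    echo "$root"
}

root=$(build_demo_tree)
svc="$root/dbus/org.freedesktop.resolve1.service"
if activation_fully_masked "$root/etc" "$svc" "$root/lib"; then echo "fully masked"
else echo "alias still activatable"; fi          # prints: alias still activatable
ln -s /dev/null "$root/etc/dbus-org.freedesktop.resolve1.service"   # mask the alias too
activation_fully_masked "$root/etc" "$svc" "$root/lib" && echo "fully masked"
```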
