Bug#943716: systemd: generates a directory name with the /etc/machine-id value, which is confidential
Vincent Lefevre
vincent at vinc17.net
Mon Oct 28 14:23:58 GMT 2019
Package: systemd
Version: 242-7
Severity: important
Tags: security
systemd generates a directory name under /var/log/journal with
the /etc/machine-id value, which is confidential according to
the machine-id(5) man page:
    This ID uniquely identifies the host. It should be considered
    "confidential", and must not be exposed in untrusted environments, in
    particular on the network. If a stable unique identifier that is tied
    to the machine is needed for some application, the machine ID or any
    part of it must not be used directly. Instead the machine ID should be
    hashed with a cryptographic, keyed hash function, using a fixed,
    application-specific key. That way the ID will be properly unique, and
    derived in a constant way from the machine ID but there will be no way
    to retrieve the original machine ID from the application-specific one.
    The sd_id128_get_machine_app_specific(3) API provides an implementation
    of such an algorithm.
This directory name is not directly exposed on the network, but most
users do not know where it comes from and that it is confidential,
so that it may end up on the net, e.g. in debugging exchanges and
when asking for help. An example:
https://forum.ubuntu-fr.org/viewtopic.php?pid=21992288#p21992288
As a consequence, the machine-id is also present in journalctl output,
which may also end up on the net.
BTW, the fact that this ID is available in a file, in particular
world-readable, instead of an API to generate a hash, is a bad idea.
-- Package-specific info:
-- System Information:
Debian Release: bullseye/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.3.0-1-amd64 (SMP w/12 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages systemd depends on:
ii adduser 3.118
ii libacl1 2.2.53-5
ii libapparmor1 2.13.3-5+b1
ii libaudit1 1:2.8.5-2
ii libblkid1 2.34-0.1
ii libc6 2.29-2
ii libcap2 1:2.25-2
ii libcryptsetup12 2:2.2.1-1
ii libgcrypt20 1.8.5-3
ii libgnutls30 3.6.9-5
ii libgpg-error0 1.36-7
ii libidn2-0 2.2.0-2
ii libip4tc2 1.8.3-2
ii libkmod2 26-3
ii liblz4-1 1.9.1-2
ii liblzma5 5.2.4-1+b1
ii libmount1 2.34-0.1
ii libpam0g 1.3.1-5
ii libpcre2-8-0 10.32-5+b1
ii libseccomp2 2.4.1-2
ii libselinux1 2.9-2+b2
ii libsystemd0 242-7
ii mount 2.34-0.1
ii util-linux 2.34-0.1
Versions of packages systemd recommends:
ii dbus 1.12.16-2
ii libpam-systemd 242-7
Versions of packages systemd suggests:
ii policykit-1 0.105-26
pn systemd-container <none>
Versions of packages systemd is related to:
pn dracut <none>
ii initramfs-tools 0.135
ii udev 242-7
-- Configuration Files:
/etc/systemd/journald.conf changed:
[Journal]
Storage=persistent
/etc/systemd/system.conf changed:
[Manager]
DefaultTimeoutStopSec=20s
-- no debconf information
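Two things the report touches on can be made concrete in code: the keyed-hash derivation that machine-id(5) recommends instead of using the raw ID, and a check that the raw ID is not sitting in a log excerpt or directory listing before it is pasted into a public forum. The following Python example is added here and is neither part of the bug report nor systemd's own code. The machine-id and application key are constructed sample values, and the derivation only follows the man page's recipe (HMAC-SHA256 keyed with the machine ID over a fixed application key, truncated to 128 bits and stamped as a v4 UUID); the byte-level layout of systemd's sd_id128_get_machine_app_specific() is assumed, not reproduced. The `_MACHINE_ID=` field in the constructed `journalctl -o export` lines is a real journal field name; the rest of the sample text is made up.

```python
import hashlib
import hmac
import re
import uuid

# Constructed sample machine-id (32 lowercase hex digits, the /etc/machine-id
# format). This does not belong to any real machine.
SAMPLE_MACHINE_ID = "3f7a2c4d9e8b4a1fb6c0d2e4f6a8b0c2"

# Constructed application-specific key. A real application would generate its
# own fixed 128-bit constant once and compile it in.
SAMPLE_APP_KEY = "b1c4e5f6a7d8495aa1b2c3d4e5f60718"

# Constructed text of the kind that ends up in help requests: a directory
# listing of /var/log/journal, a journalctl invocation, and export output.
SAMPLE_TEXT = """\
$ ls /var/log/journal/
3f7a2c4d9e8b4a1fb6c0d2e4f6a8b0c2
$ journalctl --file /var/log/journal/3f7a2c4d9e8b4a1fb6c0d2e4f6a8b0c2/system.journal -n 1
$ journalctl -o export -n 1
__CURSOR=s=0123456789abcdef;i=1;b=0123456789abcdef;m=1;t=1;x=1
_MACHINE_ID=3f7a2c4d9e8b4a1fb6c0d2e4f6a8b0c2
_HOSTNAME=example-host
MESSAGE=Started Daily apt download activities.
"""


def app_specific_id(machine_id: str, app_key: str) -> str:
    """Derive an application-specific 128-bit ID from the machine ID.

    Follows the man page's recipe: a keyed cryptographic hash (HMAC-SHA256)
    with the machine ID as key and a fixed application key as message. The
    result is truncated to 128 bits and given UUID version/variant bits so it
    is the same shape as a machine-id. Byte order and truncation are an
    assumption, not copied from systemd's implementation.
    """
    mid = bytes.fromhex(machine_id)
    key = bytes.fromhex(app_key)
    if len(mid) != 16 or len(key) != 16:
        raise ValueError("machine ID and application key must each be 128 bits")
    digest = hmac.new(mid, key, hashlib.sha256).digest()
    raw = bytearray(digest[:16])          # keep the first 128 bits
    raw[6] = (raw[6] & 0x0F) | 0x40       # version nibble -> 4
    raw[8] = (raw[8] & 0x3F) | 0x80       # RFC 4122 variant bits -> 10xx
    return raw.hex()


def _machine_id_pattern(machine_id: str) -> re.Pattern:
    """Match the ID in its bare 32-hex form and its hyphenated UUID form."""
    mid = machine_id.strip().lower()
    forms = [mid, str(uuid.UUID(mid))]
    return re.compile("|".join(re.escape(f) for f in forms), re.IGNORECASE)


def find_exposures(text: str, machine_id: str) -> list:
    """Return the 1-based line numbers on which the machine ID appears."""
    pattern = _machine_id_pattern(machine_id)
    return [n for n, line in enumerate(text.splitlines(), start=1)
            if pattern.search(line)]


def redact_machine_id(text: str, machine_id: str,
                      placeholder: str = "<machine-id>") -> str:
    """Replace every occurrence of the machine ID with a placeholder, so a
    log excerpt or directory listing can be shared without leaking it."""
    return _machine_id_pattern(machine_id).sub(placeholder, text)


if __name__ == "__main__":
    derived = app_specific_id(SAMPLE_MACHINE_ID, SAMPLE_APP_KEY)
    print("app-specific id:", derived)
    print("exposed on lines:", find_exposures(SAMPLE_TEXT, SAMPLE_MACHINE_ID))
    print(redact_machine_id(SAMPLE_TEXT, SAMPLE_MACHINE_ID))
```

On a real system the same redaction can be run over `journalctl` output by reading `/etc/machine-id` for the value to match; the derived ID is stable for a given machine and key, has no way back to the machine ID without the key, and differs for every application key, which is why the man page recommends it over the raw file contents.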