A bug found in systemd has attracted a lot of attention over the past few days. As has become known, an invalid username in a systemd Unit file may allow a user to obtain root-level privileges on a Linux distribution that uses systemd for initialization.
What’s the catch?
First things first, Linux usernames should not start with digits. Otherwise, it would be problematic to differentiate between alphanumeric usernames and numeric UIDs. Yet a couple of Linux distributions, including RHEL7 and CentOS, allow such names.
The systemd software itself does not allow creating Unit files that use invalid usernames. Unfortunately, you can create such files with the help of other tools.
If there is an invalid username in the systemd Unit file, such as “0day”, the software will simply ignore it and proceed with the requested service. According to the documentation: “If systemd encounters an unknown option, it will write a warning log message but continue loading the unit.” Moreover, the unit will get root privileges.
Approximately a week ago, users brought attention to the problem via a GitHub Issues submission. Lennart Poettering, the lead maintainer of systemd, stated quite the opposite, assuring there were no issues with the software.
Poettering refused to make any changes, saying: “I don’t think there’s anything to fix in systemd here. I understand this is annoying, but still: The username is clearly not valid.” However, a number of Linux users did not play along, giving Lennart’s statement forty down-votes.
On Sunday, Mattias Geniar, a senior Linux engineer, shared some thoughts on the topic in a blog post. According to Geniar, the issue may indeed be considered a bug. “Systemd’s parsing of the User= parameter in unit files falls back on root privileges when user names are invalid,” the specialist mentioned.
On the other hand, Geniar pointed out that the overall threat to security is minor. An attacker would have to edit a Unit file and insert a username starting with a digit. However, he would also need root-level privileges to do so, as well as to reload systemd before the Unit file could be used at all.
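For administrators who want to check their own unit files, the following added example (not code from systemd or from Geniar's post) models the behaviour described above: a User= value that starts with a digit but is not a plain numeric UID is ignored, so the service keeps whatever user was set before it, or root. The function name `audit_unit`, the sample unit and the handling of an empty User= value are assumptions made for illustration.

```python
import re

# Assumption: a value made only of digits is a numeric UID; any other value
# starting with a digit is the invalid-username case the article describes.
NUMERIC_UID = re.compile(r"^[0-9]+$")
STARTS_WITH_DIGIT = re.compile(r"^[0-9]")


def audit_unit(text):
    """Return (effective_user, ignored) for the text of one unit file.

    effective_user is the last accepted User= value in [Service], or "root"
    when none was accepted. ignored lists (line_no, value) for every User=
    line that would be dropped with only a warning.
    """
    section = None
    effective = "root"
    ignored = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section != "Service" or not sep or key.strip() != "User":
            continue
        value = value.strip()
        if STARTS_WITH_DIGIT.match(value) and not NUMERIC_UID.match(value):
            ignored.append((line_no, value))     # dropped: earlier setting stays
        else:
            # Assumption: an empty value resets the user to the default (root).
            effective = value or "root"
    return effective, ignored


# Constructed sample unit, modelled on the "0day" case in the article.
SAMPLE_UNIT = """\
[Unit]
Description=Constructed example service

[Service]
# intended to drop privileges, but the name starts with a digit
User=0day
ExecStart=/usr/bin/id
"""

if __name__ == "__main__":
    user, dropped = audit_unit(SAMPLE_UNIT)
    for line_no, value in dropped:
        print(f"line {line_no}: User={value} would be ignored")
    print(f"service would run as: {user}")
```

Any unit that reports a non-empty ignored list and an effective user of root is one where the intended privilege drop never happens.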