[Bug 1153633] [NEW] [MIR] systemd-shim

Ryan Lortie desrt at desrt.ca
Mon Mar 11 15:30:20 UTC 2013 

Public bug reported:

* The package is in universe and built on all archs:
https://launchpad.net/ubuntu/+source/systemd-shim/0.0-0ubuntu1

* Rationale:

This is a necessary part of the work to have systemd-services replacing
ubuntu-system-services.

The service emuates a few select systemd interface on an ad hoc basis in
order to allow various things depending on systemd to work.  For now
this is the "Virtualization" property to detect if the system is a VM
(with code to do this copied from systemd itself) and the unit control
APIs for a faked "ntpd.service" unit.  This allows timedated to think
that it is requesting systemd to start and stop ntpd when really it is
executing the logic that used to be in the Debian-specific gnome-
settings-daemon patch we carried to setup and call ntpdate (but ntpd
support is also included).

Without this or the real systemd running, timedated won't even start.
We could patch that away, but I don't want to get into the business of
carrying large/ugly distro-specific patches to timedated when we can
just as easily do the compatibility along a documented and stable
interface (http://www.freedesktop.org/wiki/Software/systemd/dbus).

It is expected that a few more odds and ends will be discovered over
time that belong here.  logind work is somewhat likely to kick up a
thing or two.

* Security:

The code is small but it needs a full security review.  The parts that
enable/disable NTP were already running as root via the g-s-d
DateTimeMechanism (although the code has been refactored a bit).  The
virtualisation detection code is copied straight out of systemd, which
is being reviewed as part of the systemd MIR.  The rest of the code (ie:
mostly D-Bus logic) is newly-written.

This is a system service running as root (so that it can start/stop
NTP).  The primary mechanism for security control is the D-Bus policy
file.  Root-owned processes are allowed to call all methods (no help
there if they already have root).  Other processes are only allowed
access only to the standard D-Bus interfaces (Introspection, Peer) and
property getters.  The code dealing with property gets (there is only
one property) is extremely small and unlikely to contain exploitable
flaws.  The D-Bus interfaces (Introspection, Peer) are implemented by
GDBus and although it is complicated it is already running inside of
several other system services.

* Quality:
- not a user-visible component in any way
- no configuration settings
- no exotic hardware interaction (although it does attempt to use some nice tricks to detect virtualization, but those are copied straight from systemd)
- new code, no known bugs yet, but....
- when the bugs are found, I am the developer, so I'll fix them :)

The desktop bugs team is subscribed to the package in launchpad,
foundations/desktop will maintain the package and look to the bug
reports regularly.

** Affects: systemd-shim (Ubuntu)
     Importance: Undecided
         Status: New

** Package changed: systemd (Ubuntu) => systemd-shim (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/1153633

Title:
  [MIR] systemd-shim

Status in “systemd-shim” package in Ubuntu:
  New

Bug description:
  * The package is in universe and built on all archs:
  https://launchpad.net/ubuntu/+source/systemd-shim/0.0-0ubuntu1

  * Rationale:

  This is a necessary part of the work to have systemd-services
  replacing ubuntu-system-services.

  The service emuates a few select systemd interface on an ad hoc basis
  in order to allow various things depending on systemd to work.  For
  now this is the "Virtualization" property to detect if the system is a
  VM (with code to do this copied from systemd itself) and the unit
  control APIs for a faked "ntpd.service" unit.  This allows timedated
  to think that it is requesting systemd to start and stop ntpd when
  really it is executing the logic that used to be in the Debian-
  specific gnome-settings-daemon patch we carried to setup and call
  ntpdate (but ntpd support is also included).

  Without this or the real systemd running, timedated won't even start.
  We could patch that away, but I don't want to get into the business of
  carrying large/ugly distro-specific patches to timedated when we can
  just as easily do the compatibility along a documented and stable
  interface (http://www.freedesktop.org/wiki/Software/systemd/dbus).

  It is expected that a few more odds and ends will be discovered over
  time that belong here.  logind work is somewhat likely to kick up a
  thing or two.

  * Security:

  The code is small but it needs a full security review.  The parts that
  enable/disable NTP were already running as root via the g-s-d
  DateTimeMechanism (although the code has been refactored a bit).  The
  virtualisation detection code is copied straight out of systemd, which
  is being reviewed as part of the systemd MIR.  The rest of the code
  (ie: mostly D-Bus logic) is newly-written.

  This is a system service running as root (so that it can start/stop
  NTP).  The primary mechanism for security control is the D-Bus policy
  file.  Root-owned processes are allowed to call all methods (no help
  there if they already have root).  Other processes are only allowed
  access only to the standard D-Bus interfaces (Introspection, Peer) and
  property getters.  The code dealing with property gets (there is only
  one property) is extremely small and unlikely to contain exploitable
  flaws.  The D-Bus interfaces (Introspection, Peer) are implemented by
  GDBus and although it is complicated it is already running inside of
  several other system services.

  * Quality:
  - not a user-visible component in any way
  - no configuration settings
  - no exotic hardware interaction (although it does attempt to use some nice tricks to detect virtualization, but those are copied straight from systemd)
  - new code, no known bugs yet, but....
  - when the bugs are found, I am the developer, so I'll fix them :)

  The desktop bugs team is subscribed to the package in launchpad,
  foundations/desktop will maintain the package and look to the bug
  reports regularly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/systemd-shim/+bug/1153633/+subscriptions

More information about the foundations-bugs mailing list