How to avoid stealth installation of systemd?

Here you can discuss every aspect of Debian. Note: not for support requests!
timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

#16 Post by timbgo »

keithpeter wrote:
sunrat wrote:TL:DR
I get the gist of it, but I suggest the best answer to "How to avoid stealth installation of systemd?" is "Stick with Wheezy".
Especially if there is a Wheezy LTS following on from Squeeze LTS, and a non-systemd Jessie might be possible which gives another 3 to 5 years with LTS. Slackware would allow compilation from source for any more recent applications that themselves do not have systemd dependencies. The slackers seem to support releases for around 5 years or so. EL6 distros have support until 2020. The bsd based distros can't be using systemd I gather because of deps on Linux kernel (I might have that wrong).
More food for thought! Thanks!
keithpeter wrote:Interesting times but choices will exist I think.
But, keithpeter, if we lose that choice in Debian, even though systemd was introduced only as default, and not as the sole option, GNU/Linux loses huge!
Aarghhhh!... It's my slowness. I will need more time to study more info given here generally, esp. because also busy elsewhere.
naednaem wrote:
timbgo wrote: find the string "systemd-must-die" there.
I highly doubt that anyone will get a package like that into the debian repo so you will need to get that package from a 3rd party repository.
naednaem wrote:But it sounds as if the only thing that package does is try to block the installation of systemd as well as anything that relies on systemd. I would suspect that unless you pin/hold that package that it will likely just be removed if you try to install something systemd related. You could just as easily pin/hold the proper sysv packages and/or pin the systemd packages so that they aren't installed.

Having a system without systemd probably isn't that hard...having a system with software you are familiar with without systemd is probably going to be the problem.
Just like I said: I will need more time to study more info like this one given here.

If I make it, which can not be soon, my intellectual resources, and free time, are unlikely to allow me coming up with any solution soon. But if I make it, I'll check with people like you guys, and if no one else will, I'll make a tip of the same (EDIT: or maybe better just similar) name as this topic in the Tips and Tricks section of Debian Forums (where I already have tips that are followed somewhat, such as with the jigdo-automate-script and on grsecurity install).

But if anyone else does such a thing so Debian remains non-systemd as option for hopefully multitude of users, a big thanks to him or her!

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

edbarx
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E
Been thanked: 2 times

Re: How to avoid stealth installation of systemd?

#17 Post by edbarx »

I think an attempt at a solution may be implementing an interface between init and the superstructure above it so that whatever is dependent upon systemd sees it but gets any services from init instead. This is done in WINE for MS Windows executables which expect to find MS Windows. A reimplementation of init or systemd is quite a daunting task, that is why I think a compatibility layer is a more feasible solution.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.

llivv
Posts: 5340
Joined: 2007-02-14 18:10
Location: cold storage

Re: How to avoid stealth installation of systemd?

#18 Post by llivv »

edbarx wrote:I think an attempt at a solution may be implementing an interface between init and the superstructure above it so that whatever is dependent upon systemd sees it but gets any services from init instead. This is done in WINE for MS Windows executables which expect to find MS Windows. A reimplementation of init or systemd is quite a daunting task, that is why I think a compatibility layer is a more feasible solution.
edbarx- I just got a 64 bit /uefi system to replace my 12 year old i386 box and wanted to ask you what you thought the possibilities of switching my i386 installs to amd64 which I have just now installed my first 64 bit kernel on.
With a two hard disk, backed - up, grub legacy booting all installs from either disk.
I want to try adding uefi capabilities to both disks while keeping grub-legacy compatibility ( if I ever want to switch out the mobos again and boot normally on the old non-uefi mobo using my current grub legacy boot menus.
I'll search for your post where you explained uefi in a way that looked like the best most basic concept I've read so far for uefi and post my questions above to that thread with output of disk stats and more definitions, later as time permits.

Regarding your quoted post above, it seems to me that you are thinking along the lines of how it's done using windows and suggesting using windows type method(s) to fix systemd compatibility when using Debian.
Call me nuts, but I'll bet that is close to the core of the issue with systemd in the first place.
At least that is my opinion, currently.
Yes, probably easier to add a compatibility layer, but should we be using windows methods to build Linux workarounds?
In memory of Ian Ashley Murdock (1973 - 2015) founder of the Debian project.

newgnudude
Posts: 5
Joined: 2014-08-19 13:13

Re: How to avoid stealth installation of systemd?

#19 Post by newgnudude »

edbarx wrote:I think an attempt at a solution may be implementing an interface between init and the superstructure above it so that whatever is dependent upon systemd sees it but gets any services from init instead.
Any idea how hard that would be?

I noticed you stated the same thing in http://forums.debian.net/viewtopic.php?f=20&t=116860 but did not reply again.

Maybe you would like to answer some of the concerns brought up in the other thread since you are still proposing the same idea as a solution?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

#20 Post by timbgo »

Hi, Maltese (that's edbarx, my fellow European)!

I first wish to inform the reading public there is another one topic on basically the same issue as this topic that you are reading right now. The other one is:

The future with Systemd
http://forums.debian.net/viewtopic.php?f=20&t=116860

(and the Maltese started it).

I think I concur with llivv that we should not be
llivv wrote:using windows methods to build Linux workarounds
and also Wine would introduce more vulnerabilities into my system.

Also, I fear it is not a solution that can be so easily explained and recommended, like I managed, with some success, to explain, for beginners or early intermediate level users, how to compile Grsecurity enabled kernel. I'll give a link to it:

Grsecurity/Pax installation on Debian GNU/Linux
http://forums.debian.net/viewtopic.php? ... 96#p550383

I gave the link, because it really would be great if someone made a your-machine-without-systemd-howto Tip, that people could use.

Probably if one would wait for me to do it, it would be weeks if not months, and could already be late, if it would be at all.

My wish is that regular Joe users [1] be given tips from you more capable guys on how to free their machines from systemd if they want to, because that is what is sorely missing (as far as simple Joe users) [2].

That also would make for some democratic pressure on developers to give us a non-systemd option, exactly the kind of pressure some of them are actually craving for, and would finally make that option mainstream.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

[1] including me to large extent as far as Debian; I know the way to free me of it in Gentoo
[2] But a genuine Debian way to do it, not through Wine

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

#21 Post by timbgo »

I found this superb recount in the thread previously suggested by naednaem:

Re: SV: MATE 1.8 has now fully arrived in Debian
https://lists.debian.org/debian-devel/2 ... 00455.html
Simon McVittie wrote:
On 25/06/14 15:43, Svante Signell wrote: Regarding mate desktop policykit-1 build-depends on libsystemd-login-dev only for linux-any. What functionality is missing for other architectures?
The interesting dependency chain is:

Code:

policykit-1 Depends libpam-systemd [linux-any] (degraded functionality
                                                on !linux)
libpam-systemd Depends systemd (i.e. systemd binaries are installed)
libpam-systemd Depends systemd-sysv (i.e. systemd is pid 1)
                    or systemd-shim (i.e. systemd-logind runs, but
                                          systemd is probably not pid 1)

Runtime dependencies on systemd support libraries like libsystemd-login0 are harmless for people who don't want to run the systemd-logind daemon, the same way a dependency on libselinux0 has no effect on people who don't boot Linux with SELinux enabled.

At a guess, the desired capability here is the ability to have policies of the form "users may $verb, but only if they are logged-in locally, not from a remote login or a cron job". $verb might be something like "suspend the computer", "reconfigure networking" or "use the microphone/webcam to record the local user of the computer", for instance; it's fine for a sysadmin to be able to set up users who can do those things remotely, but the sensible default for all of them is "only if you're logged-in locally".

In Debian 7, PolicyKit could answer the question "is Svante logged-in locally?" by asking ConsoleKit. ConsoleKit is no longer maintained upstream, so in the current version of PolicyKit, the only implementation of an answer to that question is asking systemd-logind, which CK's upstream maintainers consider to have superseded CK. In the absence of systemd (or an actively-maintained ConsoleKit code path), the best available answer to "is Svante logged-in locally?" is "I have no idea, assume 'no'".

#751028 (policykit-1's dependency on libpam-systemd, which is the component that tells systemd-logind that you are logged in locally, and depends on systemd-logind itself) is marked wontfix. I would guess that this is because the maintainers of policykit-1 are not willing to deal with the support burden of users opening bugs of the form "PolicyKit won't let me $verb" which turn out, after investigation, to be because they do not have libpam-systemd installed.

In practice, many (most?) of the actions controlled by PK have a default policy of "only if you're logged-in locally", so the lack of logind is a significant functionality loss: you'd need to give the root password or add additional local group-based PK policies to be able to do a lot of "reasonable desktop things" like suspending, configuring networking, using audio.

Upstream developers in various projects increasingly oppose group-based access, because membership of many "desktop stuff" groups essentially means "can ssh in and do bad things to a local user". For instance, putting desktop users in group 'audio' or 'video' is no longer a requirement for access to sound cards on systems with systemd-logind (it hands out access using temporary ACLs instead) - which is just as well, because putting those users in a group with permanent rw access to the sound device or webcam would essentially mean they can ssh in while someone else is using a computer, and spy on what is said near it.
Svante Signell wrote:What about libselinux for policykit-1, this dependency is also linux-any.
The ability to have policies of the form "users may $verb if they do so from a process in the foo_t SELinux context", presumably.

S
That is one of the main points of the thread, so far (another huge read in my quest)... I hope you readers like it too.

EDIT START: I think I make the first four posts of mine at the start of this topic much much clearer and easier to read, just now.
I allow that the objections were partly justified.
I hope anyone studying this thread will later not find _so_ many objections (some of the things, such as on my search, I can't find time (I really input a lot work in this improvement), to properly improve...

EDIT END

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Last edited by timbgo on 2014-08-20 06:01, edited 3 times in total.

confuseling
Posts: 2121
Joined: 2009-10-21 01:03

Re: How to avoid stealth installation of systemd?

#22 Post by confuseling »

Is it too much to ask that you write a comprehensive post first, edit it to your satisfaction, then post it? And secondly, that you try to avoid mixing subjects, to the extent that that's possible?

Nobody objects to you posting your opinions. But the length and meandering content makes them hard to read.

And it is preferable for the board (in my opinion, which doesn't carry any weight, so there you go, but I reckon quite a few people would agree), that the two sides of this are kept separate: threads that are technical in nature (how you do stuff) contain as little politics as possible, and threads that are political in nature (why you should do stuff) contain as little technical description as possible. There's nothing wrong with linking between relevant threads, but writing a single giant thread about everything creates an unnecessary headache for the poor benighted souls trying to keep this board organised...
The Forum's search box is terrible. Use site specific search, e.g.
https://www.google.com/search?q=site%3A ... terms+here

jonathon1982
Posts: 10
Joined: 2014-08-19 17:01

Re: How to avoid stealth installation of systemd?

#23 Post by jonathon1982 »

It sounds like a lot of what systemd tries to fix is problems you would find in an enterprise environment rather than anything related to a home user.

Sound like that to anyone else?

golinux
Posts: 1579
Joined: 2010-12-09 00:56
Location: not a 'buntard!
Been thanked: 1 time

Re: How to avoid stealth installation of systemd?

#24 Post by golinux »

jonathon1982 wrote:It sounds like a lot of what systemd tries to fix is problems you would find in an enterprise environment rather than anything related to a home user.

Sound like that to anyone else?
Sounds like you're a little late to the party . . .
May the FORK be with you!

Randicus
Posts: 2663
Joined: 2011-05-08 09:11

Re: How to avoid stealth installation of systemd?

#25 Post by Randicus »

jonathon1982 wrote:It sounds like a lot of what systemd tries to fix is problems you would find in an enterprise environment rather than anything related to a home user.

Sound like that to anyone else?
And which problems are those?

golinux
Posts: 1579
Joined: 2010-12-09 00:56
Location: not a 'buntard!
Been thanked: 1 time

Re: How to avoid stealth installation of systemd?

#26 Post by golinux »

Randicus wrote:
jonathon1982 wrote:It sounds like a lot of what systemd tries to fix is problems you would find in an enterprise environment rather than anything related to a home user.
And which problems are those?
Faster boot times is the one most often mentioned.

Randicus
Posts: 2663
Joined: 2011-05-08 09:11

Re: How to avoid stealth installation of systemd?

#27 Post by Randicus »

Indeed. If I could only solve the problem of reducing that one minute boot time once a day, the world would be perfect.

jonathon1982
Posts: 10
Joined: 2014-08-19 17:01

Re: How to avoid stealth installation of systemd?

#28 Post by jonathon1982 »

Randicus wrote: And which problems are those?
Rather than saying problems I should have said features that would benefit enterprise solutions, things like login management, console management, device management, fine grained permissions via ACLs, and so forth. Not to mention unifying a lot of separate components.

That isn't to say I am interested in it, then again I am not sure I will have a choice anyway.

Randicus
Posts: 2663
Joined: 2011-05-08 09:11

Re: How to avoid stealth installation of systemd?

#29 Post by Randicus »

Remove the need for CLI from system administration?

buntunub
Posts: 591
Joined: 2011-02-11 05:23

Re: How to avoid stealth installation of systemd?

#30 Post by buntunub »

sunrat wrote:TL:DR
I get the gist of it, but I suggest the best answer to "How to avoid stealth installation of systemd?" is "Stick with Wheezy".
You can stick with Squeeze too, now that it's long term support.

/tmp
Posts: 426
Joined: 2011-12-31 08:39
Location: GNU Userlands
Has thanked: 1 time
Been thanked: 3 times

Re: How to avoid stealth installation of systemd?

#31 Post by /tmp »

From a thread on linuxquestions.org's forums called "What are the advantages/disadvantages of using systemd versus sysvinit?":
IMHO a dynamic init is better for desktops where reboot speed is more important...
<rant>This reminds me of certain hardware vendors offering "gaming" SSDs that "allow you to boot in less than ten seconds"...to the tune of ~$400 USD. How often do you need to reboot, and if so, why is the minuscule savings in time worth $400?</rant>
Bookworm | Intel I7-3667U | Apple Macbook Air 5,2 (Mid 2012) (Laptop) | 8 GB RAM | 3rd Gen Intel Core Graphics

adenukolnis
Posts: 459
Joined: 2012-02-24 18:36

Re: How to avoid stealth installation of systemd?

#32 Post by adenukolnis »

I use

Code:

Package: libsystemd-*
Pin: origin ""
Pin-Priority: -1

in /etc/apt/preferences to be certain no parts of systemd get installed
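
An added example, not part of any post in this thread: a small Python audit of which packages become uninstallable once given package names are denied (for instance by a negative pin priority), run over the dependency chain quoted in post #21 and the `libsystemd-*` pattern from post #32. The package stanzas are constructed sample data, `dep_name`, `parse_packages` and `blocked` are hypothetical helper names, and `Provides` and version constraints are ignored.

```python
import fnmatch
import re

# Constructed sample in Debian "Packages" control-file format. The policykit-1
# and libpam-systemd stanzas mirror the chain quoted in post #21; every other
# stanza is made up for illustration and is not real archive metadata.
SAMPLE = """\
Package: mate-desktop
Depends: policykit-1, libc6 (>= 2.19)

Package: policykit-1
Depends: libpam-systemd [linux-any], libsystemd-login0, libc6

Package: libpam-systemd
Depends: systemd, systemd-sysv | systemd-shim

Package: systemd-sysv
Depends: systemd

Package: systemd-shim
Depends: libc6

Package: systemd
Depends: libsystemd-login0, libc6

Package: libsystemd-login0
Depends: libc6

Package: libc6
"""


def dep_name(dep):
    """Strip version '(>= x)', arch '[linux-any]' and ':any' qualifiers."""
    return re.sub(r"\(.*?\)|\[.*?\]", "", dep).strip().split(":")[0]


def parse_packages(text):
    """Return {package: [[alternative, ...], ...]}, one inner list per dependency."""
    db = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1].isspace() or ":" not in line:
                continue  # continuation lines (long descriptions) are not needed
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if "Package" not in fields:
            continue
        groups = []
        for field in ("Pre-Depends", "Depends"):
            for dep in fields.get(field, "").split(","):
                if dep.strip():
                    # '|' separates alternatives; any one of them satisfies dep
                    groups.append([dep_name(alt) for alt in dep.split("|")])
        db[fields["Package"]] = groups
    return db


def blocked(db, patterns):
    """Packages that cannot be installed once names matching patterns are denied.

    A package is blocked if it matches, or if one of its dependencies has no
    alternative left. Iterating to a fixed point stays correct with cycles;
    names absent from db are assumed installable.
    """
    names = set(db) | {alt for groups in db.values() for g in groups for alt in g}
    denied = {n for n in names if any(fnmatch.fnmatchcase(n, p) for p in patterns)}
    changed = True
    while changed:
        changed = False
        for pkg, groups in db.items():
            if pkg not in denied and any(all(a in denied for a in g) for g in groups):
                denied.add(pkg)
                changed = True
    return denied


if __name__ == "__main__":
    db = parse_packages(SAMPLE)
    for pats in (["systemd"], ["systemd-sysv"], ["libsystemd-*"]):
        print(f"deny {pats}: blocks {sorted(blocked(db, pats))}")
```

On the constructed data, denying `systemd-sysv` blocks nothing else because `systemd-shim` remains as an alternative, while denying `libsystemd-*` also blocks every package that depends on the library.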

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

#33 Post by timbgo »

timbgo wrote: This is who I sent the message Saturday 14:58 CET (which I believe is GMT+2):
That was around August 16 give or take a day. Not looking it up, but from memory and the files available (I keep the publictimestamped files of what I post).
wookey _at_ wookware dot org
tg _at_ debian dot org
alex904633 _at_ mail dot ru
vorlon _at_ debian dot org
jch _at_ pps dot univ-paris-diderot.fr
steve _at_ einval dot com
alessio _at_ debian dot org
stse+debian _at_ fsing dot rootsland.net
preining _at_ logic dot at

And this is what I sent:

http://www.croatiafidelis.hr/gnu/pts/De ... RAPPED.txt

( there are other files in that directory:
http://www.croatiafidelis.hr/gnu/pts/
all starting with "Deb_DD_mail_140816cor", some are signatures, some publictimestamps. The domain is fine, the hosting is great, just if some leviathans, read below on those, start eating small fry and you can't open those, pls., do tell here openly!
...[snip]...
A leviathan, of a smaller kind but to which I am still just small fry, probably discovered.

At least a clear suspect is there! I am being tragicomical, because it's both sad and comical really. Read on.
However, like I haven't seen in long time, last night and today: no messages, and knowing that some of the above, like Wookey and mirabilos (the first two addresses), the Russian (third address)... and also Juliusz who started the thread, would probably have replied to my message...

Knowing their concern and their views in regard to the matter of this topic, I worry that they may have not received my electronic mail.

Surely some of the above DDs may have been busy to even look up their mailbox. Sure. But how likely is it that all of them have?
Also worth noting, although less likely the case (I am inclined to suspect my mail in question was not sent at all):
Or, if these fine Debian Developers have replied, I worry that they could be led to believe how I might not be serious about the matter.

I have regard for other Debian Developers who I wrote to above, even if I tell some of them off a little sometimes. I actually chose who to write to based on who discussed the matter, not only who I agree with on the matter discussed. I don't talk behind people's back.

And I am earnest about this matter which I wrote to them about.
Pls. dear Debianers, take heed of this necessity of mine:
So I hereby kindly ask the friends and acquaintances of the above developers, who will recognize their email addresses, to call their attention to the message that I sent them, and to the other facts about the strange lack of any emails arriving in my mailbox, almost none from anywhere, for the latest some cca 24 hours.
Thanks in advance!
The following is still standing. It's my slow work, I'm oldish, not fresh like most of you... although I'm getting really tired in getting to make any progress in this no-systemd-Debian-as-option-please matter:
Else, regardless of previously having decided that I wasn't qualified to participate in the discussion on the debian-devel, I will have to try and inform the DD list briefly of this topic "How to avoid stealth installation of systemd?" on this System configuration section on our Debian Forums, that is started by me with the input of hours upon hours long sifting through their discussions in the same-name topic on debian-devel list.
As I said above, a smaller kind of a mail-eating leviathan discovered. The post where you can check on it, and even be provided more solid proofs by me, under circumstances there explained, is the Gentoo topic further below.

That topic is rather marginally dedicated to that mail-eating leviathan, because its eating of mail was discovered by pure chance of the circumstance of the mail perfectly correctly sent by my programs and ready to be perfectly correctly received to be processed at the mail gateway of my hoster of domain CroatiaFidelis.hr, not being let through.

Because this smaller breed of mail-eater leviathan wouldn't let my support question, my one mail to one address through, and that one mail was to the hoster of my domain which I also pay for... that mail-eater, Iskon.hr, a Croatian provider, wouldn't let that mail through in the name of, wait, pause for breath:

spam

################################################################
Postfix smtp-tls-wrapper, Bkp/Cloning Mthd, a Zerk Provider
https://forums.gentoo.org/viewtopic-t-999436.html
################################################################

So that kind of provider certainly did not reliably send my mail to the addresses above. Nope!

Pls. dear Debianers, somebody take heed of this necessity of mine, and do the following (I'll give the little sed scriptlet here so even less advanced users can more easily help):

Select the code below with a mouse or otherwise.

Code:

#!/bin/bash
# Print each address with " _at_ " replaced by "@" and " dot " replaced by "."
echo "wookey _at_ wookware dot org" | sed 's/ _at_ /@/' | sed 's/ dot /./'
echo "tg _at_ debian dot org" | sed 's/ _at_ /@/' | sed 's/ dot /./'
echo "alex904633 _at_ mail dot ru" | sed 's/ _at_ /@/' | sed 's/ dot /./'
echo "vorlon _at_ debian dot org" | sed 's/ _at_ /@/' | sed 's/ dot /./'
echo "jch _at_ pps dot univ-paris-diderot.fr" | sed 's/ _at_ /@/' | sed 's/ dot /./'
echo "steve _at_ einval dot com" | sed 's/ _at_ /@/' | sed 's/ dot /./'
echo "alessio _at_ debian dot org" | sed 's/ _at_ /@/' | sed 's/ dot /./'
echo "stse+debian _at_ fsing dot rootsland.net" | sed 's/ _at_ /@/' | sed 's/ dot /./'
echo "preining _at_ logic dot at" | sed 's/ _at_ /@/' | sed 's/ dot /./'

Next, in a terminal, do:

Code:

$ cat > real_mail_addresses.sh

The command prompt won't be returning. It is waiting for your input. Now paste what you have just copied into that terminal.

Next:

Code:

$ chmod 755 real_mail_addresses.sh

And simply run the scriptlet:

Code:

$ ./real_mail_addresses.sh

There you have the addresses to send the topic in which you are reading this here text, which is best to send because it has all the references, and the news how the mail was very probably not really sent by my provider, and without any notice to me the paying customer of theirs as to why it wasn't sent.

Pls. notice that this is only the probable course of events that had taken place back then. The likelihood that it happened so indeed, now that I have caught this completely sick case of censorship, can be said to be pretty high though.

So simply just send to those addresses these two lines, please:

How to avoid stealth installation of systemd?
http://forums.debian.net/viewtopic.php? ... 84#p552484

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
======= cut off from this line to end if verifying hashes =======
File corresponding to this post: Deb_no_LPware_140908_from_140817.txt,
has Publictimestamp # 1240778
--
publictimestamp.org/ptb/PTB-21565 sha256 2014-09-08 00:01:45
28465A93D3A5549FB6FCA47AC54AFD30D4DDF904683856906997011AAE71F4CA

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

#34 Post by timbgo »

adenukolnis wrote:I use

Code:

Package: libsystemd-*
Pin: origin ""
Pin-Priority: -1

in /etc/apt/preferences to be certain no parts of systemd get installed
Tired, wee hours here. Excuse me for not checking...
Is that what, IIRC, the Russian Vasily suggested on the same-name thread on the DD mail-list?

I guess. As soon as I find time will try it.

But I've used Debian less, am more familiar with Gentoo emerge, than Debian apt (and I don't like aptitude so much)...

I have that systemd in there. If I put those lines where they need to be put (once I find time and refresh and recollect), will that do the trick to remove systemd?

Or is it just for systems without systemd, so that it would not get installed?

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr

edbarx
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E
Been thanked: 2 times

Re: How to avoid stealth installation of systemd?

#35 Post by edbarx »

I am afraid those lines tell apt what it must not install. Probably, you need to do some research to verify whether init is supported by your system.

On my Jessie system I explicitly removed systemd.