Re: How to avoid stealth installation of systemd?

Posted: 2014-09-08 18:35
by timbgo
I enjoy reading your lines. That's a very accurate description of the state of GNU/Linux and the perils we face as free community.

But there is more.

Tell me, you, edbarx, or other readers, what is there to derive from:

False Boundaries and Arbitrary Code Execution
https://forums.grsecurity.net/viewtopic.php?f=7&t=2522

Don't miss to take notice, if you skim through there, lines like "backdooring a system" and such.

M.R.

Re: How to avoid stealth installation of systemd?

Posted: 2014-09-08 19:16
by edbarx
As I see it, security is a never ending battle. The level of security of a system also depends on the purpose of the system and what data that system holds. This is how experts on security view it which is more than logical. If you want to lift 1000 Kgs a vertical height of 10 stories, you don't hire a crane that can lift 300 tons.

Re: How to avoid stealth installation of systemd?

Posted: 2014-09-08 20:03
by timbgo
Yeah, well... I don't reckon users' privacy unimportant.

I was reading a few days ago a fine, unmaintained but historical short series of articles by Daniel Robbins, the man who started Gentoo, but is not anymore the leader.

Here's the article:
OpenSSH key management, Part 1
http://www.gentoo.org/doc/en/articles/o ... ent-p1.xml
and it's easy to find the remaining parts 2 and 3, links at the bottom.

Sadly, oldish as I am, I would now need to reread it to have fresh arguments in mind...

Never mind. I can offer what I do find amazing about him (what I wonder is how could he have, it appears, left Gentoo in some harder times, and spent time with Microsoft?...)... But what I find amazing about him is how he admits when things go wrong in a program of his.

Find on Part 3:
http://www.gentoo.org/doc/en/articles/o ... ent-p3.xml

Daniel Robbins wrote:I received an e-mail from Charles Karney of Sarnoff Corporation, who politely informed me of OpenSSH's new authentication agent forwarding abilities, which we'll take a look at in a bit. In addition, Charles emphasized that running ssh-agent on untrusted machines is quite dangerous: if someone manages to get root access on the system, then your decrypted keys can be extracted from ssh-agent. Even though extracting the keys would be somewhat difficult, it is within the skill of professional crackers. And the mere fact that private key theft is possible means that we should take steps to guard against it happening in the first place.

and an interested reader can read more there.

On the other hand, when, back then, that is quite a few days ago actually, last month, when I was looking into keychain and things, I was surprised to find it used by dbus.

This is currently running on my system, this one that I connect to internet with:
$ ps aux | grep ssh
root      2184  0.0  0.0  54976  1004 ?        Ss   Sep06   0:00 /usr/sbin/sshd
mr        2447  0.0  0.0  10592    32 ?        Ss   Sep06   0:00 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session x-session-manager
mr       15141  0.0  0.0  19980  1796 pts/9    S+   21:48   0:00 grep ssh
mr@naibd6:/Cmn/mr$

And this is not something I installed, but probably a dbus "requirement"...

I doubt that a user can get a completely truthful explanation so easily, publicly, on why is this needed, what does it do, and the rest. Not such open explanation like in Daniel's article.
M.R.

Re: How to avoid stealth installation of systemd?

Posted: 2014-09-08 20:20
by edbarx
Actually, privacy is sacrosanct, let alone it being unimportant.

What I said means that security measures have to be in proportion with the purpose of the machine. On my home computer, I have arno-iptables-firewall, privoxy, adblock plus and no-script installed. I also clear cookies every session automatically. With this, still some websites refuse to give me access because of my 'stringent' security. A shining example is disqus.com. I think, disqus thinks my system is used for cracking although I never did anything of the sort. I remember another website that refused me access: comcast.com.

Re: How to avoid stealth installation of systemd?

Posted: 2014-09-08 21:07
by timbgo
Maybe I worry too much, but given the easiness an expert can own your system today, because of the treason, yes, allowing such hooks into the kernel is Linus' own treason on the users of his kernel...

What did he think? That no one would read out what that software architecture that goes by the name linux capabilities is for, apart from what it is on the surface?

I thank whom you name (us Christians, and Muslims and other religions, thank God), but if you want me to, I thank the god GNU, if you want, for the fact that such honesty is there in such genius, Brad Spender Spengler, which is maybe the sole match to Linus Torvalds in among the known security experts, for us the general GNU/Linux population, to have that article available for reading.

To me that is one of the most important revelations in computing ever!

Go read it again, whoever is reading this post. There's so much in there!

And couple that with the fact that dbus, which is part of poetteringware architecture, uses ssh-agent for some arcane purposes... Which purposes? ssh is for encryption, and I am allowed to encrypt things in my computer... Only me.

But dbus, consolekit (which may have gone away, replaced with same functionality in systemd itself, whatever)... and such stuff... Uh-uh! I don't like them encrypting, because such programs are done for multiple "seats" (that is their terminology). That is, not just the user sitting at his computer, but other "seats" as well!

I'm scared. Scared for losing my privacy in my own computer.

This is not off topic. Systemd is there for such purposes as I claim above. The plutocracy few people who started those false GNU projects, that can go by the name poetteringware just fine, the unknown to the public small bunch supported by a multitude who care solely/predominantly/sufficiently for their interests more than for the common interest (which, the common good, the GNU was all about since its inception, the freedom and the common good)...

Those tiny fraction of the one percent kind of people who got these projects going, through corporate capital, and with that huge support they are getting from people who care for common good from too little to up to being able to outright easily sell their neighbor, let alone common good!...

...They are taking away all the freedom and common good away from our GNU/Linuces...

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

Re: How to avoid stealth installation of systemd?

Posted: 2014-09-09 00:27
by timbgo
How can systemd be uninstalled?
viewtopic.php?f=5&t=117276

I need some help there (will be useful to others in similar circumstances: many)

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr

Re: How to avoid stealth installation of systemd?

Posted: 2014-09-09 08:23
by edbarx
For those who want to remove systemd, it can be removed but there is an outstanding bug that prevents the complete setup of sysvinit. The approach is to:
a) first install sysvinit and sysvinit-core
b) reboot and remove systemd. I tried to explicitly pass init=/sbin/init to the kernel without success.
c) reboot to start using sysvinit and reinstall both packages to correct any errors.
d) search for any remaining systemd fragments.

Do not forget to update your system before doing this.

Re: How to avoid stealth installation of systemd?

Posted: 2014-09-09 09:07
by adenukolnis
edbarx wrote:... there is an outstanding bug that prevents the complete setup of sysvinit.

Has it been reported? Do you have a link to the report?

I do not recall having any problems whatsoever. In fact I repeatedly installed/removed both of them and had no issues. Then again I do not have anything on my system that relies on any systemd packages so that would probably make things go a bit smoother.

Re: How to avoid stealth installation of systemd?

Posted: 2014-09-09 10:31
by timbgo
I thought I was doing the right thing posting the hands-on question in the System configuration... I still think so.
So guys, I hope you don't mind if I quote your suggestions there, not here.
M.R.

Re: How to avoid stealth installation of systemd?

Posted: 2014-09-09 10:47
by goulo
Just to sanity-check - if you remove all libsystemd* files, then you're necessarily giving up dbus, policykit, and various other stuff which (in my limited understanding) depend on them and are pretty commonly considered "essential" even for those using a light WM or desktop like LXDE instead of Gnome or other heavy desktops directly requiring systemd, right?

I'm trying to research just how necessary/unnecessary dbus is.
The music/video player VLC seems to depend on it, for example (but see https://stackoverflow.com/questions/216 ... c-needs-it )

aptitude -s remove dbus on my system shows various stuff depending on it, e.g. inkscape, midori, aeskulap

And in a bsd forum there was this discussion suggesting that some "normal" desktop stuff might work wonkily without dbus:
https://forums.freebsd.org/viewtopic.php?&t=24589

...or am I misunderstanding something?

Concretely, I see that I currently have installed these 3 libsystemd files:
ii libsystemd-id128-0:i386 208-8 i386 systemd 128 bit ID utility library
ii libsystemd-journal0:i386 208-8 i386 systemd journal utility library
ii libsystemd-login0:i386 208-8 i386 systemd login utility library
which all show a maze of things depending on them...

Re: How to avoid stealth installation of systemd?

Posted: 2014-09-09 10:52
by edbarx
adenukolnis wrote:
edbarx wrote:... there is an outstanding bug that prevents the complete setup of sysvinit.

Has it been reported? Do you have a link to the report?

It was reported just after I invoked apt-get install sysvinit-core sysvinit by apt-listbugs.

Re: How to avoid stealth installation of systemd?

Posted: 2014-09-09 11:37
by timbgo
edbarx wrote:
adenukolnis wrote:
edbarx wrote:... there is an outstanding bug that prevents the complete setup of sysvinit.

Has it been reported? Do you have a link to the report?

It was reported just after I invoked apt-get install sysvinit-core sysvinit by apt-listbugs.

And is there a link, for the not-so-Debian-ways-initiated like me?

goulo wrote:Just to sanity-check - if you remove all libsystemd* files, then you're necessarily giving up dbus, policykit, and various other stuff

which is exactly the poetteringware stuff.
Ummh, how I'd like to live without those! I managed to get rid of those in Gentoo:
Uninstalling dbus and *kits (to Unfacilitate Remote Seats)
https://forums.gentoo.org/viewtopic-t-992146.html

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

Re: How to avoid stealth installation of systemd?

Posted: 2014-09-09 12:06
by adenukolnis
goulo wrote:Just to sanity-check - if you remove all libsystemd* files, then you're necessarily giving up dbus, policykit, and various other stuff

That sounds about right. Obviously each case will be different, especially in regards to various other stuff.


goulo wrote:which (in my limited understanding) depend on them and are pretty commonly considered "essential" even for those using a light WM or desktop like LXDE instead of Gnome or other heavy desktops directly requiring systemd, right?

I do not know what others consider essential.

goulo wrote:...or am I misunderstanding something?

You do not seem to be.

goulo wrote:Concretely, I see that I currently have installed these 3 libsystemd files:
ii libsystemd-id128-0:i386 208-8 i386 systemd 128 bit ID utility library
ii libsystemd-journal0:i386 208-8 i386 systemd journal utility library
ii libsystemd-login0:i386 208-8 i386 systemd login utility library
which all show a maze of things depending on them...

Correct. Those are the parts that a LOT of stuff depends on. None of those is systemd the init system. So you can have those and still not be using systemd as the init system.
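
Added example, not part of any post in this thread: a shell check for the distinction drawn above between having libsystemd* library packages installed and actually running systemd as init, which is also one way to do the "search for remaining systemd fragments" step of the removal procedure. It assumes Debian's `dpkg -l` column layout and the `systemd-sysv` package name; the function names are this example's own, and the sample lines are the three package lines quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are this example's own.

# Read `dpkg -l` style lines on stdin; for installed ("ii") systemd-related
# packages print "<class> <package>".
classify_systemd_pkgs() {
    awk '$1 == "ii" {
        name = $2; sub(/:.*/, "", name)      # drop ":i386" style arch suffix
        if (name == "systemd-sysv")    print "init-provider", name
        else if (name == "systemd")    print "daemon", name
        else if (name ~ /^libsystemd/) print "library", name
    }'
}

# Name of the process running as PID 1. The file path is a parameter so the
# function can also be run against a constructed file.
running_init() {
    cat "${1:-/proc/1/comm}" 2>/dev/null || echo unknown
}

# Combine both views. $1 = comm file (optional); `dpkg -l` lines on stdin.
init_verdict() {
    pkgs=$(classify_systemd_pkgs)
    init=$(running_init "$1")
    libs=$(printf '%s\n' "$pkgs" | awk '/^library /{n++} END{print n+0}')
    if [ "$init" = systemd ]; then
        echo "systemd is PID 1"
    elif printf '%s\n' "$pkgs" | grep -q '^init-provider '; then
        echo "PID 1 is $init, but systemd-sysv is installed"
    else
        echo "PID 1 is $init; $libs libsystemd library package(s) installed"
    fi
}

# Sample input: the three package lines quoted in the thread.
SAMPLE='ii libsystemd-id128-0:i386 208-8 i386 systemd 128 bit ID utility library
ii libsystemd-journal0:i386 208-8 i386 systemd journal utility library
ii libsystemd-login0:i386 208-8 i386 systemd login utility library'

printf '%s\n' "$SAMPLE" | init_verdict   # live system: dpkg -l | init_verdict
```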

Re: How to avoid stealth installation of systemd?

Posted: 2014-09-09 12:25
by goulo
OK, thanks for the confirmation, guys.

Re: How to avoid stealth installation of systemd?

Posted: 2014-09-09 21:54
by adenukolnis
goulo wrote:Just to sanity-check - if you remove all libsystemd* files, then you're necessarily giving up dbus, policykit, and various other stuff which (in my limited understanding) depend on them and are pretty commonly considered "essential" even for those using a light WM or desktop like LXDE instead of Gnome or other heavy desktops directly requiring systemd, right?


Working on a list of software that doesn't depend on any systemd software
http://www.debianuserforums.org/viewtop ... =11&t=3014