How to avoid stealth installation of systemd?

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

#21 Post by timbgo »

I found this superb recount in the thread previously suggested by naednaem:

Re: SV: MATE 1.8 has now fully arrived in Debian
https://lists.debian.org/debian-devel/2 ... 00455.html
Simon McVittie wrote:
On 25/06/14 15:43, Svante Signell wrote:
Regarding mate desktop policykit-1 build-depends on libsystemd-login-dev only for linux-any. What functionality is missing for other architectures?
The interesting dependency chain is:

Code: Select all

policykit-1 Depends libpam-systemd [linux-any] (degraded functionality
                                                on !linux)
libpam-systemd Depends systemd (i.e. systemd binaries are installed)
libpam-systemd Depends systemd-sysv (i.e. systemd is pid 1)
                    or systemd-shim (i.e. systemd-logind runs, but
                                          systemd is probably not pid 1)
Runtime dependencies on systemd support libraries like libsystemd-login0 are harmless for people who don't want to run the systemd-logind daemon, the same way a dependency on libselinux0 has no effect on people who don't boot Linux with SELinux enabled.

At a guess, the desired capability here is the ability to have policies of the form "users may $verb, but only if they are logged-in locally, not from a remote login or a cron job". $verb might be something like "suspend the computer", "reconfigure networking" or "use the microphone/webcam to record the local user of the computer", for instance; it's fine for a sysadmin to be able to set up users who can do those things remotely, but the sensible default for all of them is "only if you're logged-in locally".

In Debian 7, PolicyKit could answer the question "is Svante logged-in locally?" by asking ConsoleKit. ConsoleKit is no longer maintained upstream, so in the current version of PolicyKit, the only implementation of an answer to that question is asking systemd-logind, which CK's upstream maintainers consider to have superseded CK. In the absence of systemd (or an actively-maintained ConsoleKit code path), the best available answer to "is Svante logged-in locally?" is "I have no idea, assume 'no'".

#751028 (policykit-1's dependency on libpam-systemd, which is the component that tells systemd-logind that you are logged in locally, and depends on systemd-logind itself) is marked wontfix. I would guess that this is because the maintainers of policykit-1 are not willing to deal with the support burden of users opening bugs of the form "PolicyKit won't let me $verb" which turn out, after investigation, to be because they do not have libpam-systemd installed.

In practice, many (most?) of the actions controlled by PK have a default policy of "only if you're logged-in locally", so the lack of logind is a significant functionality loss: you'd need to give the root password or add additional local group-based PK policies to be able to do a lot of "reasonable desktop things" like suspending, configuring networking, using audio.

Upstream developers in various projects increasingly oppose group-based access, because membership of many "desktop stuff" groups essentially means "can ssh in and do bad things to a local user". For instance, putting desktop users in group 'audio' or 'video' is no longer a requirement for access to sound cards on systems with systemd-logind (it hands out access using temporary ACLs instead) - which is just as well, because putting those users in a group with permanent rw access to the sound device or webcam would essentially mean they can ssh in while someone else is using a computer, and spy on what is said near it.
Svante Signell wrote: What about libselinux for policykit-1, this dependency is also linux-any.
The ability to have policies of the form "users may $verb if they do so from a process in the foo_t SELinux context", presumably.

S
That is one of the main points of the thread, so far (another huge read in my quest)... I hope you readers like it too.

EDIT START: I think I made the first four posts of mine at the start of this topic much, much clearer and easier to read, just now.
I allow that the objections were partly justified.
I hope anyone studying this thread will later not find _so_ many objections (some of the things, such as on my search, I can't find time (I really put a lot of work into this improvement) to properly improve)...

EDIT END

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Last edited by timbgo on 2014-08-20 06:01, edited 3 times in total.
Anyone can dismiss these: kernel hooks for rootkits
linux capabilities for intrusion?

confuseling
Posts: 2121
Joined: 2009-10-21 01:03

Re: How to avoid stealth installation of systemd?

#22 Post by confuseling »

Is it too much to ask that you write a comprehensive post first, edit it to your satisfaction, then post it? And secondly, that you try to avoid mixing subjects, to the extent that that's possible?

Nobody objects to you posting your opinions. But the length and meandering content makes them hard to read.

And it is preferable for the board (in my opinion, which doesn't carry any weight, so there you go, but I reckon quite a few people would agree), that the two sides of this are kept separate: threads that are technical in nature (how you do stuff) contain as little politics as possible, and threads that are political in nature (why you should do stuff) contain as little technical description as possible. There's nothing wrong with linking between relevant threads, but writing a single giant thread about everything creates an unnecessary headache for the poor benighted souls trying to keep this board organised...
The Forum's search box is terrible. Use site specific search, e.g.
https://www.google.com/search?q=site%3A ... terms+here

jonathon1982
Posts: 10
Joined: 2014-08-19 17:01

Re: How to avoid stealth installation of systemd?

#23 Post by jonathon1982 »

It sounds like a lot of what systemd tries to fix is problems you would find in an enterprise environment rather than anything related to a home user.

Sound like that to anyone else?

golinux
Posts: 1579
Joined: 2010-12-09 00:56
Location: not a 'buntard!
Been thanked: 1 time

Re: How to avoid stealth installation of systemd?

#24 Post by golinux »

jonathon1982 wrote:It sounds like a lot of what systemd tries to fix is problems you would find in an enterprise environment rather than anything related to a home user.

Sound like that to anyone else?
Sounds like you're a little late to the party . . .
May the FORK be with you!

Randicus
Posts: 2663
Joined: 2011-05-08 09:11

Re: How to avoid stealth installation of systemd?

#25 Post by Randicus »

jonathon1982 wrote:It sounds like a lot of what systemd tries to fix is problems you would find in an enterprise environment rather than anything related to a home user.

Sound like that to anyone else?
And which problems are those?

golinux
Posts: 1579
Joined: 2010-12-09 00:56
Location: not a 'buntard!
Been thanked: 1 time

Re: How to avoid stealth installation of systemd?

#26 Post by golinux »

Randicus wrote:
jonathon1982 wrote:It sounds like a lot of what systemd tries to fix is problems you would find in an enterprise environment rather than anything related to a home user.
And which problems are those?
Faster boot times is the one most often mentioned.

Randicus
Posts: 2663
Joined: 2011-05-08 09:11

Re: How to avoid stealth installation of systemd?

#27 Post by Randicus »

Indeed. If I could only solve the problem of reducing that one minute boot time once a day, the world would be perfect.

jonathon1982
Posts: 10
Joined: 2014-08-19 17:01

Re: How to avoid stealth installation of systemd?

#28 Post by jonathon1982 »

Randicus wrote: And which problems are those?
Rather than saying problems I should have said features that would benefit enterprise solutions, things like login management, console management, device management, fine grained permissions via ACLs, and so forth. Not to mention unifying a lot of separate components.

That isn't to say I am interested in it, then again I am not sure I will have a choice anyway.

Randicus
Posts: 2663
Joined: 2011-05-08 09:11

Re: How to avoid stealth installation of systemd?

#29 Post by Randicus »

Remove the need for CLI from system administration?

buntunub
Posts: 591
Joined: 2011-02-11 05:23

Re: How to avoid stealth installation of systemd?

#30 Post by buntunub »

sunrat wrote:TL:DR
I get the gist of it, but I suggest the best answer to "How to avoid stealth installation of systemd?" is "Stick with Wheezy".
You can stick with Squeeze too, now that it's long term support.

/tmp
Posts: 426
Joined: 2011-12-31 08:39
Location: GNU Userlands
Has thanked: 1 time
Been thanked: 3 times

Re: How to avoid stealth installation of systemd?

#31 Post by /tmp »

From a thread on linuxquestions.org's forums called "What are the advantages/disadvantages of using systemd versus sysvinit?":
IMHO a dynamic init is better for desktops where reboot speed is more important...
<rant>This reminds me of certain hardware vendors offering "gaming" SSDs that "allow you to boot in less than ten seconds"...to the tune of ~$400 USD. How often do you need to reboot, and if so, why is the minuscule savings in time worth $400?</rant>
Bookworm | Intel I7-3667U | Apple Macbook Air 5,2 (Mid 2012) (Laptop) | 8 GB RAM | 3rd Gen Intel Core Graphics

adenukolnis
Posts: 459
Joined: 2012-02-24 18:36

Re: How to avoid stealth installation of systemd?

#32 Post by adenukolnis »

I use

Code: Select all

Package: libsystemd-*
Pin: origin ""
Pin-Priority: -1

in /etc/apt/preferences to be certain no parts of systemd get installed

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

#33 Post by timbgo »

timbgo wrote: This is who I sent the message Saturday 14:58 CET (which I believe is GMT+2):
That was around August 16 give or take a day. Not looking it up, but from memory and the files available (I keep the publictimestamped files of what I post).
wookey _at_ wookware dot org
tg _at_ debian dot org
alex904633 _at_ mail dot ru
vorlon _at_ debian dot org
jch _at_ pps dot univ-paris-diderot.fr
steve _at_ einval dot com
alessio _at_ debian dot org
stse+debian _at_ fsing dot rootsland.net
preining _at_ logic dot at

And this is what I sent:

http://www.croatiafidelis.hr/gnu/pts/De ... RAPPED.txt

( there are other files in that directory:
http://www.croatiafidelis.hr/gnu/pts/
all starting with "Deb_DD_mail_140816cor", some are signatures, some publictimestamps. The domain is fine, the hosting is great, just if some leviathans, read below on those, start eating small fry and you can't open those, pls., do tell here openly!
...[snip]...
A leviathan, of a smaller kind but to which I am still just small fry, probably discovered.

At least a clear suspect is there! I am being tragicomical, because it's both sad and comical really. Read on.
However, like I haven't seen in long time, last night and today: no messages, and knowing that some of the above, like Wookey and mirabilos (the first two addresses), the Russian (third address)... and also Juliusz who started the thread, would probably have replied to my message...

Knowing their concern and their views in regard to the matter of this topic, I worry that they may have not received my electronic mail.

Surely some of the above DDs may have been busy to even look up their mailbox. Sure. But how likely is it that all of them have?
Also worth noting, although less likely the case (I am inclined to suspect my mail in question was not sent at all):
Or, if these fine Debian Developers have replied, I worry that they could be led to believe how I might not be serious about the matter.

I have regard for other Debian Developers who I wrote to above, even if I tell some of them off a little sometimes. I actually chose who to write to based on who discussed the matter, not only who I agree with on the matter discussed. I don't talk behind people's back.

And I am earnest about this matter which I wrote to them about.
Pls. dear Debianers, take heed of this necessity of mine:
So I hereby kindly ask the friends and acquaintances of the above developers, who will recognize their email addresses, to call their attention to the message that I sent them, and to the other facts about the strange lack of any emails arriving in my mailbox, almost none from anywhere, for the latest some cca 24 hours.
Thanks in advance!
The following is still standing. It's my slow work, I'm oldish, not fresh like most of you... although I'm getting really tired in getting to make any progress in this no-systemd-Debian-as-option-please matter:
Else, regardless of previously having decided that I wasn't qualified to participate in the discussion on the debian-devel, I will have to try and inform the DD list briefly of this topic "How to avoid stealth installation of systemd?" on this System configuration section on our Debian Forums, that is started by me with the input of hours upon hours long sifting through their discussions in the same-name topic on debian-devel list.
As I said above, a smaller kind of a mail-eating leviathan discovered. The post where you can check on it, and even be provided more solid proofs by me, under circumstances there explained, is the Gentoo topic further below.

That topic is rather marginally dedicated to that mail-eating leviathan, because its eating of mail was discovered by pure chance of the circumstance of the mail perfectly correctly sent by my programs and ready to be perfectly correctly received to be processed at the mail gateway of my hoster of domain CroatiaFidelis.hr, not being let through.

Because this smaller breed of mail-eater leviathan wouldn't let my support question, my one mail to one address through, and that one mail was to the hoster of my domain which I also pay for... that mail-eater, Iskon.hr, a Croatian provider, wouldn't let that mail through in the name of, wait, pause for breath:

spam

################################################################
Postfix smtp-tls-wrapper, Bkp/Cloning Mthd, a Zerk Provider
https://forums.gentoo.org/viewtopic-t-999436.html
################################################################

So that kind of provider certainly did not reliably send my mail to the addresses above. Nope!

Pls. dear Debianers, somebody take heed of this necessity of mine, and do the following (I'll give the little sed scriptlet here so even less advanced users can more easily help):

Select the code below with a mouse or otherwise.

Code: Select all

#!/bin/bash
echo "wookey _at_ wookware dot org" | sed 's/ _at_ /@/' | sed 's/ dot /./' 
echo "tg _at_ debian dot org" | sed 's/ _at_ /@/' | sed 's/ dot /./' 
echo "alex904633 _at_ mail dot ru" | sed 's/ _at_ /@/' | sed 's/ dot /./' 
echo "vorlon _at_ debian dot org" | sed 's/ _at_ /@/' | sed 's/ dot /./' 
echo "jch _at_ pps dot univ-paris-diderot.fr" | sed 's/ _at_ /@/' | sed 's/ dot /./' 
echo "steve _at_ einval dot com" | sed 's/ _at_ /@/' | sed 's/ dot /./' 
echo "alessio _at_ debian dot org" | sed 's/ _at_ /@/' | sed 's/ dot /./' 
echo "stse+debian _at_ fsing dot rootsland.net" | sed 's/ _at_ /@/' | sed 's/ dot /./' 
echo "preining _at_ logic dot at" | sed 's/ _at_ /@/' | sed 's/ dot /./' 
Next, in a terminal, do:

Code: Select all

$ cat > real_mail_addresses.sh
The command prompt won't be returning. It is waiting for your input. Now paste what you have just copied into that terminal.

Next:

Code: Select all

$ chmod 755 real_mail_addresses.sh
And simply run the scriptlet:

Code: Select all

$ ./real_mail_addresses.sh
There you have the addresses to send the topic in which you are reading this here text, which is best to send because it has all the references, and the news how the mail was very probably not really sent by my provider, and without any notice to me the paying customer of theirs as to why it wasn't sent.

Pls. notice that this is only the probable course of events that had taken place back then. The likelihood that it happened so indeed, now that I have caught this completely sick case of censorship, can be said to be pretty high though.

So simply just send to those addresses these two lines, please:

How to avoid stealth installation of systemd?
http://forums.debian.net/viewtopic.php? ... 84#p552484

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
======= cut off from this line to end if verifying hashes =======
File corresponding to this post: Deb_no_LPware_140908_from_140817.txt,
has Publictimestamp # 1240778
--
publictimestamp.org/ptb/PTB-21565 sha256 2014-09-08 00:01:45
28465A93D3A5549FB6FCA47AC54AFD30D4DDF904683856906997011AAE71F4CA

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

#34 Post by timbgo »

adenukolnis wrote:I use

Code: Select all

Package: libsystemd-*
Pin: origin ""
Pin-Priority: -1

in /etc/apt/preferences to be certain no parts of systemd get installed
Tired, wee hours here. Excuse me for not checking...
Is that what, IIRC, the Russian Vasily suggested on the same-name thread on the DD mail-list?

I guess. As soon as I find time will try it.

But I've used Debian less, am more familiar with Gentoo emerge, than Debian apt (and I don't like aptitude so much)...

I have that systemd in there. If I put those lines where they need to be put (once I find time and refresh and recollect), will that do the trick to remove systemd?

Or is it just for systems without systemd, so that it would not get installed?

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr

edbarx
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E
Been thanked: 2 times

Re: How to avoid stealth installation of systemd?

#35 Post by edbarx »

I am afraid those lines tell apt what it must not install. Probably, you need to do some research to verify whether init is supported by your system.

On my Jessie system I explicitly removed systemd.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.

adenukolnis
Posts: 459
Joined: 2012-02-24 18:36

Re: How to avoid stealth installation of systemd?

#36 Post by adenukolnis »

timbgo wrote: Is that what, IIRC, the Russian Vasily suggested on the same-name thread on the DD mail-list?
Probably. Or something similar.

will that do the trick to remove systemd?
No, you use apt or your favorite package manager to switch from systemd to sysv.


Or is it just for systems without systemd, so that it would not get installed?
It would block installation of libsystemd.
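
As an added illustration (not part of any post in this thread), the shell sketch below checks which package names from the dependency chain quoted earlier fall under the negative pin posted above. It evaluates only the glob on the `Package:` line and ignores the `Pin:` selector, which is a simplifying assumption; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which package names does a negative apt pin cover?
# Assumption: only the "Package:" glob is evaluated; the "Pin:" selector is
# ignored, so the result is an upper bound on what the stanza can block.

# The stanza from the post above, embedded so the script runs offline.
PREFS='Package: libsystemd-*
Pin: origin ""
Pin-Priority: -1'

# Package names taken from the dependency chain quoted earlier in the thread.
NAMES='policykit-1 libpam-systemd systemd systemd-sysv systemd-shim libsystemd-login0 libsystemd-login-dev libselinux0'

# negative_globs PREFS_TEXT
# Prints, one per line, every Package: pattern that belongs to a stanza
# whose Pin-Priority is below zero. Stanzas are separated by blank lines.
negative_globs() {
    printf '%s\n\n' "$1" | awk '
        /^Package:/      { sub(/^Package:[ \t]*/, ""); pkgs = $0 }
        /^Pin-Priority:/ { prio = $2 + 0 }
        /^[ \t]*$/       {
            if (pkgs != "" && prio < 0) {
                n = split(pkgs, a, /[ \t]+/)
                for (i = 1; i <= n; i++) print a[i]
            }
            pkgs = ""; prio = 0
        }
    '
}

# glob_match GLOB NAME
# Status 0 when NAME matches GLOB. A case pattern uses the same wildcard
# style (glob) that apt accepts in a Package: line.
glob_match() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# is_blocked PREFS_TEXT NAME
# Status 0 when some negative-priority stanza names NAME.
is_blocked() {
    # Read the patterns line by line so "*" is never expanded against files.
    while IFS= read -r g; do
        [ -n "$g" ] && glob_match "$g" "$2" && return 0
    done <<EOF
$(negative_globs "$1")
EOF
    return 1
}

# report PREFS_TEXT NAME...
# One line per name: "<name> blocked" or "<name> NOT covered".
report() {
    prefs=$1; shift
    for name in "$@"; do
        if is_blocked "$prefs" "$name"; then
            echo "$name blocked"
        else
            echo "$name NOT covered"
        fi
    done
}

# Word splitting of $NAMES is intended here (the names contain no wildcards).
report "$PREFS" $NAMES
```

On a real system, `apt-cache policy libsystemd-login0` shows the priority apt actually assigns to each candidate version of a package.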

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

#37 Post by timbgo »

adenukolnis wrote:
will that do the trick to remove systemd?
No, you use apt or your favorite package manager to switch from systemd to sysv.
C'mon adenukolnis, I know I need to use apt to install things 8) .
adenukolnis wrote:
Or is it just for systems without systemd, so that it would not get installed?
It would block installation of libsystemd.
Yeah, it might not uninstall anything.... yeah, although...
edbarx wrote:I am afraid those lines tell apt what it must not install. Probably, you need to do some research to verify whether init is supported by your system.
On my Jessie system I explicitly removed systemd.
...Although I might probably be simply able to remove it.
Thanx, adenukolnis, and thanx, edbarx.

I'll report back here if I am able to uninstall it successfully (it's my slowness which is dragging me currently on other non-related things that I do, though).

Ah, if anyone could try and tell those people that got us this howto draft (that's what it is). We could improve the fate of many a Debian user, if we get those experts, esp. Wookey and mirabilos, to help us with their advice... Maybe. Anyone could send to those my probably not-really-sent letter?:
http://forums.debian.net/viewtopic.php? ... 85#p552484

And, if I can revive the suggestion that I made here:

[ same topic that you are reading ]
http://forums.debian.net/viewtopic.php? ... 15#p550749
timbgo wrote: Grsecurity/Pax installation on Debian GNU/Linux
http://forums.debian.net/viewtopic.php? ... 96#p550383

I gave the link, because it really would be great if someone made a your-machine-without-systemd-howto Tip, that people could use.

Probably if one would wait for me to do it, it would be weeks if not months, and could already be late, if it would be at all.
We must try and get users to understand these issues. I'm simply having common goods, freedom, attitude here, nothing else.

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

edbarx
Posts: 5401
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E
Been thanked: 2 times

Re: How to avoid stealth installation of systemd?

#38 Post by edbarx »

Discontent with systemd will inevitably motivate those who can create alternatives to code new solutions. It has always worked that way, not only where software and computers are involved, but in many other unrelated areas. Discontent was what caused dictators and emperors to fall. There is nothing, apart from death, that can stop human beings from devising alternatives. Desktops, together with their software, need not be tied to one 'server', that is, systemd. This can be coded in many ways as follows: (this is a proof of concept, so the function and file names are not real)

Let us assume this is the original file hardwired to use systemd explicitly.

Code: Select all

#include <systemd.h>
....
var_ex = getSystemdService();
....
The modified code would only contain a replacement of the systemd.h header leaving the code intact.

Code: Select all

#include "replacesystemd.h"
....
var_ex = getSystemdService();
....
Then, replacesystemd.h would use the same function name to implement it in some other way as to avoid the hard dependence on systemd.

timbgo
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

#39 Post by timbgo »

edbarx wrote:Discontent with systemd will inevitably motivate those who can create alternatives to code new solutions. It has always worked that way, not only where software and computers are involved, but in many other unrelated areas. Discontent was what caused dictators and emperors to fall. There is nothing, apart from death, that can stop human beings from devising alternatives. Desktops, together with their software, need not be tied to one 'server', that is, systemd.
+1
M.R.

adenukolnis
Posts: 459
Joined: 2012-02-24 18:36

Re: How to avoid stealth installation of systemd?

#40 Post by adenukolnis »

edbarx wrote:Discontent ....... will inevitably motivate those who can create alternatives to code new solutions.
Isn't that how we got systemd?


I still have to wonder why anyone would want to use systemd-this-part, systemd-that-part, systemd-some-other-part, and then instead of just using systemd as init as designed and intended, they instead count on some magical shim to act as a go between. The latter sounds nuts to me. Sounds even crazier considering the shim project is only a year old, and cgmanager even younger.
