How to avoid stealth installation of systemd?

Here you can discuss every aspect of Debian. Note: not for support requests!

Re: How to avoid stealth installation of systemd?

Postby timbgo » 2014-09-08 18:35

I enjoy reading your lines. That's a very accurate description of the state of GNU/Linux and the perils we face as free community.

But there is more.

Tell me, you, edbarx, or other readers, what is there to derive from:

False Boundaries and Arbitrary Code Execution
https://forums.grsecurity.net/viewtopic.php?f=7&t=2522

Don't miss to take notice, if you skim through there, lines like "backdooring a system" and such.

M.R.
timbgo
 
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

Postby edbarx » 2014-09-08 19:16

As I see it, security is a never ending battle. The level of security of a system also depends on the purpose of the system and what data that system holds. This is how experts on security view it which is more than logical. If you want to lift 1000 Kgs a vertical height of 10 stories, you don't hire a crane that can lift 300 tons.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.
User avatar
edbarx
 
Posts: 5398
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E

Re: How to avoid stealth installation of systemd?

Postby timbgo » 2014-09-08 20:03

Yeah, well... I don't reckon users' privacy unimportant.

I was reading a few days ago a fine, unmaintained but historical short series of articles by Daniel Robbins, the man who started Gentoo, but is not anymore the leader.

Here's the article:
OpenSSH key management, Part 1
http://www.gentoo.org/doc/en/articles/o ... ent-p1.xml
and it's easy find the remaining part 2 and 3, links in bottom.

Sadly, oldish as I am, I would now need to reread it to have fresh arguments in mind...

Never mind. I can offer what I do find amazing about him (what I wonder is how could he have, it appears, left Gentoo in some harder times, and spent time with Microsoft?...)... But what I find amazing about him is how he admits wen things go wrong in a program of his.

Find on Part 3:
http://www.gentoo.org/doc/en/articles/o ... ent-p3.xml

Daniel Robbins wrote:I received an e-mail from Charles Karney of Sarnoff Corporation, who politely informed me of OpenSSH's new authentication agent forwarding abilities, which we'll take a look at in a bit. In addition, Charles emphasized that running ssh-agent on untrusted machines is quite dangerous: if someone manages to get root access on the system, then your decrypted keys can be extracted from ssh-agent. Even though extracting the keys would be somewhat difficult, it is within the skill of professional crackers. And the mere fact that private key theft is possible means that we should take steps to guard against it happening in the first place.

and an interested reader can read more there.

On the other hand, when, back then, that is quite a few days ago actually, last month, when I was looking into keychain and things, I was surprised to find it used by dbus.

This is currently running on my system, this one that I connect to internet with:
Code: Select all
$ ps aux | grep ssh
root      2184  0.0  0.0  54976  1004 ?        Ss   Sep06   0:00 /usr/sbin/sshd
mr        2447  0.0  0.0  10592    32 ?        Ss   Sep06   0:00 /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session x-session-manager
mr       15141  0.0  0.0  19980  1796 pts/9    S+   21:48   0:00 grep ssh
mr@naibd6:/Cmn/mr$

And this is not something I installed, but probably a dbus "requirement"...

I doubt that a user can get a completely truthful explanation so easily, publically, on why is this needed, what does it do, and the rest. Not such open explanation like in Daniel's article.
M.R.
Last edited by timbgo on 2014-09-08 21:20, edited 2 times in total.
timbgo
 
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

Postby edbarx » 2014-09-08 20:20

Actually, privacy is sacrosanct, let alone it being unimportant.

What I said, means that security measures have to be in proportion with the purpose of the machine. On my home computer, I have arno-iptables-firewall, privoxy, adblock plus and no-script installed. I also clear cokies every session automatically. With this, still some websites refuse to give me access because of my 'stringent' security. A shining example is disqus.com. I think, disqus thinks my system is used for cracking although I never did anything of the sort. I remember another website that refuse me access: comcast.com.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.
User avatar
edbarx
 
Posts: 5398
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E

Re: How to avoid stealth installation of systemd?

Postby timbgo » 2014-09-08 21:07

Maybe I worry too much, but given the easiness an expert can own your system today, because of the treason, yes, allowing such hooks into the kernel is Linus' own treason on the users of his kernel...

What did he think? That no one would read out what those software architecture that goes by the name linux capabilities is for, apart from what it is on the surface?

I thank whom you name (us Christians, and Muslims and other religions, thank God), but if you want me to, I thank the god GNU, if you want, for the fact that such honesty is there in such genius, Brad Spender Spengler, which is maybe the sole match to Linus Torvalds in among the known security experts, for us the general GNU/Linux population, to have that article available for reading.

To me that is one of the most important revelations in computing ever!

Go read it again, whoever is reading this post. There's so much in there!

And couple that with the fact that dbus, which is part of poetteringware architecture, uses ssh-agent for some arcane purposes... Which purposes? ssh is for encryption, and I am allowed to encrypt things in my computer... Only me.

But dbus, consolekit (which may have gone away, replaced with same functionality in systemd itself, whatever)... and such stuff... Uh-uh! I don't like them encrypting, because such programs are done for multiple "seats" (that is their terminology). That is, not just the user sitting at his computer, but other "seats" as well!

I'm scared. Scared for losing my privacy in my own computer.

This is not off topic. Systemd is there for such purposes as I claim above. The plutocracy few people who started those false GNU projects, that can go by the name poetteringware just fine, the unknown to the public small bunch supported by a multitude who care solely/predominantly/sufficiently for their interests more than for the common interest (which, the common good, the GNU was all about since its inception, the freedom and the common good)...

Those tiny fraction of the one percent kind of people who got these projects going, through corporate capital, and with that huge support they are getting from people who care for common good from too little to up to being able to outright easily sell their neighbor, let alone common good!...

...They are taking away all the freedom and common good away from our GNU/Linuces...

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
timbgo
 
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

Postby timbgo » 2014-09-09 00:27

How can systemd be uninstalled?
viewtopic.php?f=5&t=117276

I need some help there (will be useful to others in similar circumstances: many)

Miroslav Rovis
Zagreb, Croatia
www.CroatiaFidelis.hr
timbgo
 
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

Postby edbarx » 2014-09-09 08:23

For those who want to remove systemd, it can be removed but there is an outstanding bug that prevents the complete setup of sysvinit. The approach is to:
a) first install sysvinit and sysvinit-core
b) reboot and remove systemd. I tried to explicitly pass init=/sbin/init to the kernel without success.
c) reboot to start using sysvinit and reinstall both packages to correct any errors.
d) search for any remaining systemd fragments.

Do not forget to update your system before doing this.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.
User avatar
edbarx
 
Posts: 5398
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E

Re: How to avoid stealth installation of systemd?

Postby adenukolnis » 2014-09-09 09:07

edbarx wrote:... there is an outstanding bug that prevents the complete setup of sysvinit.

Has it been reported? Do you have a link to the report?

I do not recall having any problems whatsoever. In fact I repeatedly installed/removed both of them and had no issues. Then again I do not have anything on my system that relies on any systemd packages so that would probably make things go a bit smoother.
adenukolnis
 
Posts: 459
Joined: 2012-02-24 18:36

Re: How to avoid stealth installation of systemd?

Postby timbgo » 2014-09-09 10:31

I thought I was doing the right thing posting the hands-on question in the System cofiguration... I still think so.
So guys, I hope you don't mind if I quote your suggestions there, not here.
M.R.
timbgo
 
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

Postby goulo » 2014-09-09 10:47

Just to sanity-check - if you remove all libsystemd* files, then you're necessarily giving up dbus, policykit, and various other stuff which (in my limited understanding) depend on them and are pretty commonly considered "essential" even for those using using a light WM or desktop like LXDE instead of Gnome or other heavy desktops directly requiring systemd, right?

I'm trying to research just how necessary/unnecessary dbus is.
The music/video player VLC seems to depend on it, for example (but see https://stackoverflow.com/questions/216 ... c-needs-it )

aptitude -s remove dbus on my system show various stuff depending on it, e.g. inkscape, midori, aeskulap

And in a bsd forum there was this discussion suggesting that some "normal" desktop stuff might work wonkily without dbus:
https://forums.freebsd.org/viewtopic.php?&t=24589

...or am I misunderstanding something?

Concretely, I see that I currently have installed these 3 libsystemd files:
ii libsystemd-id128-0:i386 208-8 i386 systemd 128 bit ID utility library
ii libsystemd-journal0:i386 208-8 i386 systemd journal utility library
ii libsystemd-login0:i386 208-8 i386 systemd login utility library
which all show a maze of things depending on them...
goulo
 
Posts: 47
Joined: 2012-01-19 09:52

Re: How to avoid stealth installation of systemd?

Postby edbarx » 2014-09-09 10:52

adenukolnis wrote:
edbarx wrote:... there is an outstanding bug that prevents the complete setup of sysvinit.

Has it been reported? Do you have a link to the report?

It was reported just after I invoked apt-get install sysvinit-core sysvinit by apt-listbugs.
Debian == { > 30, 000 packages }; Debian != systemd
The worst infection of all, is a false sense of security!
It is hard to get away from CLI tools.
User avatar
edbarx
 
Posts: 5398
Joined: 2007-07-18 06:19
Location: 35° 50 N, 14 º 35 E

Re: How to avoid stealth installation of systemd?

Postby timbgo » 2014-09-09 11:37

edbarx wrote:
adenukolnis wrote:
edbarx wrote:... there is an outstanding bug that prevents the complete setup of sysvinit.

Has it been reported? Do you have a link to the report?

It was reported just after I invoked apt-get install sysvinit-core sysvinit by apt-listbugs.

And is there a link, for the non-so-Debian-ways-initiated like me?

goulo wrote:Just to sanity-check - if you remove all libsystemd* files, then you're necessarily giving up dbus, policykit, and various other stuff

which is exactly the poetteringware stuff.
Ummh, how I'd like to live without those! I managed to get rid of those in Gentoo:
Uninstalling dbus and *kits (to Unfacilitate Remote Seats)
https://forums.gentoo.org/viewtopic-t-992146.html

Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
timbgo
 
Posts: 265
Joined: 2013-04-14 12:17

Re: How to avoid stealth installation of systemd?

Postby adenukolnis » 2014-09-09 12:06

goulo wrote:Just to sanity-check - if you remove all libsystemd* files, then you're necessarily giving up dbus, policykit, and various other stuff

That sounds about right. Obviously each case will be different, especially in regards to various other stuff


goulo wrote:which (in my limited understanding) depend on them and are pretty commonly considered "essential" even for those using using a light WM or desktop like LXDE instead of Gnome or other heavy desktops directly requiring systemd, right?
I do not know what others consider essential.


...or am I misunderstanding something?
You do not seem to be.


Concretely, I see that I currently have installed these 3 libsystemd files:
ii libsystemd-id128-0:i386 208-8 i386 systemd 128 bit ID utility library
ii libsystemd-journal0:i386 208-8 i386 systemd journal utility library
ii libsystemd-login0:i386 208-8 i386 systemd login utility library
which all show a maze of things depending on them...

Correct. Those are the parts that a LOT of stuff depends on. None of those is systemd the init system. So you can have those and still not be using systemd as the init ssytem.
adenukolnis
 
Posts: 459
Joined: 2012-02-24 18:36

Re: How to avoid stealth installation of systemd?

Postby goulo » 2014-09-09 12:25

OK, thanks for the confirmation, guys.
goulo
 
Posts: 47
Joined: 2012-01-19 09:52

Re: How to avoid stealth installation of systemd?

Postby adenukolnis » 2014-09-09 21:54

goulo wrote:Just to sanity-check - if you remove all libsystemd* files, then you're necessarily giving up dbus, policykit, and various other stuff which (in my limited understanding) depend on them and are pretty commonly considered "essential" even for those using using a light WM or desktop like LXDE instead of Gnome or other heavy desktops directly requiring systemd, right?


working on a list of software that doesnt depend on any systemd software
http://www.debianuserforums.org/viewtop ... =11&t=3014
adenukolnis
 
Posts: 459
Joined: 2012-02-24 18:36

PreviousNext

Return to General Discussion

Who is online

Users browsing this forum: No registered users and 7 guests

fashionable