unsafe systemd setup in Fedora
by Marius Schwarz
Hi Guys,
running a hardening tool I stumbled upon systemd's own security analysis,
which doesn't look good:
$ systemd-analyze security
UNIT EXPOSURE PREDICATE HAPPY
NetworkManager.service 7.8 EXPOSED 🙁
abrt-journal-core.service 9.6 UNSAFE 😨
abrt-oops.service 9.6 UNSAFE 😨
abrt-xorg.service 9.6 UNSAFE 😨
abrtd.service 9.6 UNSAFE 😨
accounts-daemon.service 9.6 UNSAFE 😨
alsa-state.service 9.6 UNSAFE 😨
atd.service 9.6 UNSAFE 😨
auditd.service 8.7 EXPOSED 🙁
avahi-daemon.service 9.6 UNSAFE 😨
chronyd.service 8.9 EXPOSED 🙁
colord.service 8.8 EXPOSED 🙁
crond.service 9.6 UNSAFE 😨
cups.service 9.6 UNSAFE 😨
dbus-:1.8-org.freedesktop.problems@0.service 9.6 UNSAFE 😨
dbus-broker.service 8.7 EXPOSED 🙁
dm-event.service 9.5 UNSAFE 😨
emergency.service 9.5 UNSAFE 😨
fail2ban.service 9.6 UNSAFE 😨
fcoe.service 9.6 UNSAFE 😨
flatpak-system-helper.service 9.6 UNSAFE 😨
gdm.service 9.8 UNSAFE 😨
getty@tty1.service 9.6 UNSAFE 😨
irqbalance.service 6.2 MEDIUM 😐
iscsid.service 9.5 UNSAFE 😨
iscsiuio.service 9.5 UNSAFE 😨
libvirtd.service 9.6 UNSAFE 😨
lvm2-lvmpolld.service 9.5 UNSAFE 😨
mdmonitor.service 9.6 UNSAFE 😨
multipathd.service 9.5 UNSAFE 😨
network.service 9.6 UNSAFE 😨
nmb.service 9.6 UNSAFE 😨
nscd.service 9.6 UNSAFE 😨
ntpd.service 9.2 UNSAFE 😨
nvidia-powerd.service 9.6 UNSAFE 😨
plymouth-start.service 9.5 UNSAFE 😨
polkit.service 9.6 UNSAFE 😨
rasdaemon.service 9.6 UNSAFE 😨
rc-local.service 9.6 UNSAFE 😨
rescue.service 9.5 UNSAFE 😨
restorecond.service 9.6 UNSAFE 😨
rngd.service 9.6 UNSAFE 😨
rpcbind.service 9.5 UNSAFE 😨
rsyslog.service 9.6 UNSAFE 😨
rtkit-daemon.service 7.1 MEDIUM 😐
smb.service 9.6 UNSAFE 😨
sshd.service 9.6 UNSAFE 😨
switcheroo-control.service 7.6 EXPOSED 🙁
systemd-ask-password-console.service 9.4 UNSAFE 😨
systemd-ask-password-plymouth.service 9.5 UNSAFE 😨
systemd-ask-password-wall.service 9.4 UNSAFE 😨
systemd-initctl.service 9.4 UNSAFE 😨
systemd-journald.service 4.3 OK 🙂
systemd-logind.service 2.8 OK 🙂
systemd-machined.service 6.2 MEDIUM 😐
systemd-oomd.service 1.8 OK 🙂
systemd-rfkill.service 9.4 UNSAFE 😨
systemd-timesyncd.service 2.1 OK 🙂
systemd-udevd.service 6.7 MEDIUM 😐
udisks2.service 9.6 UNSAFE 😨
upower.service 2.4 OK 🙂
user@1000.service 9.4 UNSAFE 😨
virtlockd.service 9.6 UNSAFE 😨
virtlogd.service 9.6 UNSAFE 😨
winbind.service 9.6 UNSAFE 😨
wpa_supplicant.service 9.6 UNSAFE 😨
As an example:
-rw-r--r--. 1 root root 994 19. Aug 2021 upower.service
-rw-r--r--. 1 root root 177 29. Jan 2021 udisks.service
upower has several restrictions set, udisks not even one of them.
Do those "insecure" units come from upstream projects, or is Fedora
lagging behind some patches?
Is there a way to find out if missing restriction options are a
problem for the service and, if not, any way to tell that analysis tool
about it?
best regards,
Marius
2 years, 1 month
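Following up on output like the one above, as an added example that is not part of Marius's post: a POSIX shell helper that filters the `systemd-analyze security` table to the units at or above an exposure threshold, and a second one that writes a drop-in override made of directives the analyzer scores. The directive set is an assumed starting point for a unit like udisks2.service, not that service's real configuration; each directive can break a daemon that needs the access it removes, so the drop-in has to be tested against the daemon, not just against the improved score.

```shell
# Added example, not from the original post. The directive set below is an
# assumed starting point: every option in it is one systemd-analyze security
# scores, but none of them is known to be safe for a particular daemon.

# Constructed sample; the values are copied from the table in the post.
SAMPLE_TABLE='UNIT EXPOSURE PREDICATE HAPPY
udisks2.service 9.6 UNSAFE 😨
upower.service 2.4 OK 🙂
irqbalance.service 6.2 MEDIUM 😐'

# Print unit names whose EXPOSURE column is >= the threshold in $1.
# Reads the `systemd-analyze security` table on stdin and skips the header.
units_at_or_above() {
    awk -v min="$1" '$2 ~ /^[0-9]/ && $2 + 0 >= min + 0 { print $1 }'
}

# Write /etc/systemd/system/<unit>.d/50-hardening.conf under the root in $2
# (default: the live system) and print its path. Afterwards run
# `systemctl daemon-reload`, restart the unit and read its journal before
# trusting the new `systemd-analyze security <unit>` score.
write_hardening_dropin() {
    unit="$1"
    dir="${2:-}/etc/systemd/system/$unit.d"
    mkdir -p "$dir"
    cat > "$dir/50-hardening.conf" <<'EOF'
[Service]
# Read-only /usr, /boot, /efi and /etc; add ReadWritePaths= for state dirs.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
NoNewPrivileges=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Drop every capability; add back only those the daemon demonstrably needs.
CapabilityBoundingSet=
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
EOF
    printf '%s\n' "$dir/50-hardening.conf"
}

printf '%s\n' "$SAMPLE_TABLE" | units_at_or_above 9.0
```

On a real host the first helper is fed with `systemd-analyze security | units_at_or_above 9.0`; the second is called once per unit you decide to harden.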
Why I get some random notifications from discourse?
by Vít Ondruch
Is it intentional that I get some random notifications from Discourse,
or what is going on? In the past month, I was notified about the following topics:
* Join us for the EPEL office hours every month [Fedora] epel
* Self-intro glaringgibbon [Fedora] introductions
* It's #FedoraShareYourScreen week [Fedora] events
* Tempted to switch full-time to Fedora, but I got some noob questions
[Fedora] introductions
And I wonder why? Does Discourse want to be completely muted or what?
Vít
2 years, 1 month
Possibly unexpected soname change: liblept.so.5 ->
libleptonica.so.5.4.0
by Mamoru TASAKA
Hello, all:
On f37 / f36 leptonica made some packaging change:
https://src.fedoraproject.org/rpms/leptonica/c/e2486ca5bc2578ee629457b854...
This caused soname change: liblept.so.5 -> libleptonica.so.5.4.0 , which I guess is unexpected.
$ dnf repoquery --quiet --repo=koji-36 --qf '%{sourcerpm}' --whatrequires "liblept.so.5()(64bit)" | cat -n
1 leptonica-1.82.0-2.fc36.src.rpm
2 mupdf-1.19.0-5.fc36.src.rpm
3 python-PyMuPDF-1.19.4-2.fc36.src.rpm
4 tesseract-5.0.1-2.fc36.src.rpm
5 zathura-pdf-mupdf-0.3.7-5.fc36.src.rpm
$ dnf repoquery --quiet --repo=koji-37 --qf '%{sourcerpm}' --whatrequires "liblept.so.5()(64bit)" | cat -n
1 mupdf-1.19.0-5.fc36.src.rpm
2 python-PyMuPDF-1.19.5-1.fc37.src.rpm
3 zathura-pdf-mupdf-0.3.7-5.fc36.src.rpm
(Some of the packages were rebuilt on f37 for another reason, so the number
of depending packages differs here)
Currently I am not sure if we can just revert the above change.
Regards,
Mamoru
2 years, 1 month
Is NetworkManager-wait-online.service necessary by default?
by Chris Murphy
Do any of Fedora desktop spins and Workstation edition need
NetworkManager-wait-online.service enabled by default?
Fedora 35 Workstation (updated, default "preset-all" service units)
$ systemd-analyze
Startup finished in 1.330s (kernel) + 1.284s (initrd) + 12.256s
(userspace) = 14.871s
graphical.target reached after 12.232s in userspace
Fedora 35 Workstation, same as above except
NetworkManager-wait-online.service is disabled
$ systemd-analyze
Startup finished in 1.294s (kernel) + 1.243s (initrd) + 5.704s
(userspace) = 8.242s
graphical.target reached after 5.670s in userspace
6.6s longer to wait for what? Is this service enabled just in case
someone adds an NFS or Samba mount to fstab? I'm not sure why this
service unit is enabled by default, and whether we can either go without it
on the desktop or there's some other way to make it better,
because nearly doubling the boot time doesn't seem reasonable.
--
Chris Murphy
2 years, 1 month
Self Introduction: Yunmei Li
by Yunmei LI
Hi All: I am Yunmei Li and I am working at Zilliz as a DevOps engineer. I am an active contributor to the Milvus Vector Database project. Zilliz is an open-source software company dedicated to unstruc
2 years, 1 month
Orphaning a set of packages
by Fabian Deutsch
Hey,
Due to a lack of time, I'm orphaning the following set of packages:
augeas-vala
clpeak
gimp-fourier-plugin
gocl
python-uinput
Feel free to step up and take them.
Greetings
- fabian
2 years, 1 month
List of long term FTBFS packages to be retired tomorrow
by Miro Hrončok
Dear maintainers,
Based on the current fail to build from source policy, the following packages
should be retired from Fedora 36 approximately one week before branching.
However, 5 weekly reminders are required and I forgot to start this sooner,
hence the retirement will happen tomorrow, i.e. March 1st 2022.
Since this is after the Beta Freeze,
I will skip retiring components with depending packages.
Such components (if any) will be retired during the next release cycle,
and are included in this report for completeness.
Policy:
https://docs.fedoraproject.org/en-US/fesco/Fails_to_build_from_source_Fai...
The packages in rawhide were not successfully built at least since Fedora 33.
This report is based on dist tags.
Packages collected via:
https://github.com/hroncok/fedora-report-ftbfs-retirements/blob/master/ft...
If you see a package that was built, please let me know.
If you see a package that should be exempted from the process, please let me
know and we can work together to get a FESCo approval for that.
If you see a package that can be rebuilt, please do so.
Package (co)maintainers
==========================================================================
libicu65 pwalter
rubygem-cucumber-rails orphan
rubygem-sup dcallagh, jaruga, ruby-packagers-sig, shreyankg
tmux-top ttomecek
All listed packages are leaf packages, nothing depends on them.
Affected (co)maintainers
dcallagh: rubygem-sup
jaruga: rubygem-sup
pwalter: libicu65
ruby-packagers-sig: rubygem-sup
shreyankg: rubygem-sup
ttomecek: tmux-top
--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
2 years, 1 month
Release criteria proposal: networking requirements
by Adam Williamson
Hi folks!
So at this week's blocker review meeting, the fact that we don't have
explicit networking requirements in the release criteria really started
to bite us. In the past we have squeezed networking-related issues in
under other criteria, but for some issues that's really difficult,
notably VPN issues. So, we agreed we should draft some explicit
networking criteria.
This turns out to be a big area and quite hard to cover (who'd've
thought!), but here is at least a first draft for us to start from. My
proposal would be to add this to the Basic criteria. I have left out
some wikitext stuff from the proposal for clarity; I'd add it back in
on actually applying the proposed changes. It's just formatting stuff,
nothing that'd change the meaning. Anyone have thoughts, complaints,
alternative approaches, supplements? Thanks!
=== Network requirements ===
Each of these requirements apply to both installer and installed system
environments. For any given installer environment, the 'default network
configuration tools' are considered to be those the installer documents
as supported ways to configure networking (e.g. for anaconda-based
environments, configuration via kernel command line options, a
kickstart, or interactively in anaconda itself are included).
==== Basic networking ====
It must be possible to establish both IPv4 and IPv6 network connections
using DHCP and static addressing. The default network configuration
tools for the console and for release-blocking desktops must work well
enough to allow typical network connection configuration operations
without major workarounds. Standard network functions such as address
resolution and connections with common protocols such as ping, HTTP and
ssh must work as expected.
Footnote titled "Supported hardware": Supported network hardware is
hardware for which the Fedora kernel includes drivers and, where
necessary, for which a firmware package is available. If support for a
commonly-used piece or type of network hardware that would usually be
present is omitted, that may constitute a violation of this criterion,
after consideration of the [[Blocker_Bug_FAQ|hardware-dependent-issues|normal factors for hardware-dependent issues]]. Similarly,
violations of this criterion that are hardware or configuration
dependent are, as usual, subject to consideration of those factors when
determining whether they are release-blocking.
==== VPN connections ====
Using the default network configuration tools for the console and for
release-blocking desktops, it must be possible to establish a working
connection to common OpenVPN, openconnect-supported and vpnc-supported
VPN servers with typical configurations.
Footnote titled "Supported servers and configurations": As there are
many different VPN server applications and configurations, blocker
reviewers must use their best judgment in determining whether
violations of this criterion are likely to be encountered commonly
enough to block a release, and if so, at which milestone. As a general
principle, the more people are likely to use affected servers and the
less complicated the configuration required to hit the bug, the more
likely it is to be a blocker.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
2 years, 1 month