Hacker News new | past | comments | ask | show | jobs | submit login

I don't understand the initial motivation for converting regular dynamic library dependencies to dlopen dependencies. How does that help with reducing the footprint?



It makes the presence of those libraries optional: you no longer need them to execute the relevant tool at all. It'll just mean you can't use features which depend on those libraries. For libraries that are only pulled in for less-commonly used features it makes a lot of sense (the specific case they are doing it for is generating the initrd, which needs a copy of any libraries used by anything running in the initrd, which is almost always going to include systemd, but the systemd in the initrd is very unlikely to use any of these optional features)


dynloading libraries can have some side effects.

Which the recent xz attack used to mess with `sshd`, even if it never actually used functions from the library.

dlopen loading only loads the library *when it's actually used*, and doesn't include everything and the kitchen sink on startup.

If the libraries are used seldomly enough, it might also allow to make more dependencies optional in package management.


I think it's also relevant that the xz exploit made use of the fact that by running code before main, they could modify areas of memory that later get turned read-only. Any library that does get loaded with dlopen can of course still attack the process it's in, but it has less tools available to it for evading detection.


So... I repeat the GP.

What you gain is that the vulnerabilities will be harder to track down?


The specific way sshd was infected would not have happened with libxz as dlopen library.

Debian's sshd only uses libsystemd for the notify api. I.e. it doesn't need any feature that uses libxz. If it's dlopen()ed, it does not need to be loaded into the process context to use an unrelated feature.

FWIW, IMO upstream systemd should split their monolithic library and allow users to pick better that way, but this has other implications on DX.


> FWIW, IMO upstream systemd should split their monolithic library and allow users to pick better that way, but this has other implications on DX.

FWIW, upstream systemd has the opinion that no-one should load the library for startup notification, instead they should use the well documented api and just write a message to a socket.


Indeed, that's what the Debian maintainer of OpenSSH did soon after the quick security fix. He replaced the dependency on libsystemd with some hand-made code that notifies systemd by socket. https://salsa.debian.org/ssh-team/openssh/-/commit/cc5f37cb8...


That's not what they said in their update to the documentation[0] last week, which says that "although using libsystemd is a good choice, this protocol can also be reimplemented without external dependencies".

It calls it a "good choice". Did they say somewhere else that no-one should do it despite it supposedly being a good choice?

[0] https://github.com/systemd/systemd/pull/32030/files


Yes- https://mastodon.social/@pid_eins/112202696589971319


sshd should not have used libsystemd in the first place for the trivial notification. And the ifunc stuff is its own security nightmare. Papering over this by dlopen-ing some libs in libsystemd does not address the deeper issues.


FWIW, IMO upstream systemd should split their monolithic library and allow users to pick better that way, but this has other implications on DX.

They've done the exact opposite afaict. Libsysd used to be split up, now it is monolithic.


Upstream systemd should just cut the unused crap from their notification protocol and promise it's stable.

They probably couldn't change it anymore if they tried to.


The systemd notification protocol has been stable and documented as such for years (probably even a decade at this point): https://systemd.io/PORTABILITY_AND_STABILITY/


The whole protocol is "write READY=1 to the socket found in the NOTIFY_SOCKET environment variable".


> What you gain is that the vulnerabilities will be harder to track down?

No, they're just as easily tracked.

What you gain is that you can refuse to install optional dependencies because they are now optional when they used to be required.

That's a fairly big deal.

Of course, in practice all those optional dependencies will be installed anyways because of other things in the distro needing them. You can fairly object that not much changed, at least for now.

A better approach would be to eliminate a lot of these dependencies somehow. Another approach would be to sandbox the dependencies that cannot be eliminated.


It meant that had the bad xz version been shipped to distros, only some people would been vulnerable instead of everyone. That is valuable.


Though only with this particular approach to the backdoor. If systemd had always had this approach (or distros hadn't patched sshd to link it in), the attackers would have focused on a different path from delivering malicious code to widely-used distros which executes in a priviledged context to network RCE.


Wouldn't this systemd feature add a convenient centralized point of attack to inject libraries? Not as open at the user level, but similar to a LD_PRELOAD kind of vulnerability.


Not in a way that isn't otherwise accessible, IMHO. I mean, if you're really concerned about injected vulnerabilities into high-trust software (and you should be!) you should be suspicious of any dynamic linkage at all. But if you're going to do it, doing it late and under affirmative control is almost certainly the right choice.


It's because of how dynamic linking/loading works on Linux. An ELF dependency means that symbols in the library can override symbols in the binary or in other libraries. That doesn't work when the library is loaded with dlopen().




Consider applying for YC's W25 batch! Applications are open till Nov 12.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: