After a Recent SSH Vulnerability, Systemd Reduces Dependencies

Recent sshd/xz backdoor (CVE-2024-3094) reveals risks in systemd's libsystemd, sparking debate on dependency reduction.

In light of recent events, a significant debate has emerged about vulnerabilities in which systemd is indirectly involved. In particular, the sshd/xz backdoor incident (CVE-2024-3094) highlighted the potential security risks associated with the dependencies of libsystemd, a library crucial for integrating services with systemd.

The crux of the issue lies in the observation that libsystemd, by being linked to all systemd services and any third-party services wishing to communicate with systemd, introduces extra dependencies that may serve as sources of vulnerabilities.

The proposed solution to this vulnerability concern is a substantial reduction of libsystemd’s dependencies to only include libc, the standard C library, thereby minimizing the attack surface for potential security threats. Current implementations include several other libraries, which may not be necessary for implementing core libsystemd functionalities.

In response to these concerns, a feature request has been raised for systemd to minimize libsystemd’s dependencies to just libc. The rationale behind this request is to strip down libsystemd to its core functionalities, thereby reducing the risk of vulnerabilities that could compromise system security.

However, this approach may involve reorganizing libsystemd into multiple libraries, each catering to specific APIs, and ensuring that only the necessary dependencies are included where they are genuinely needed.

Lennart Poettering, a key figure behind systemd, addressed the concerns by highlighting recent changes that alleviate some of these security worries. According to him, libsystemd no longer mandates compression libraries as hard dependencies in the latest git main version.

Moreover, plans are underway to remove libgcrypt as a hard dependency, further streamlining libsystemd and enhancing system security. Additionally, it was noted that sshd has implemented the sd_notify() function independently, a move Poettering recommends for projects of such a nature.
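The sd_notify() readiness protocol is small enough to implement without linking libsystemd: the daemon sends a datagram such as `READY=1` to the AF_UNIX socket named in `$NOTIFY_SOCKET`. The C code below is an added example, not code from OpenSSH or systemd, and the function name `notify_service_manager` is an assumption chosen here.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Hypothetical helper (not a libsystemd or OpenSSH symbol).
 * Returns 1 if the message was sent, 0 if NOTIFY_SOCKET is unset
 * (not started by a notify-aware service manager), -1 on error. */
int notify_service_manager(const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    if (path == NULL || path[0] == '\0')
        return 0;

    /* Only absolute paths and abstract sockets ('@' prefix) are valid. */
    if (path[0] != '/' && path[0] != '@')
        return -1;

    struct sockaddr_un addr;
    size_t len = strlen(path);
    if (len >= sizeof(addr.sun_path))
        return -1;                     /* refuse to truncate the address */

    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, path, len);
    if (path[0] == '@')
        addr.sun_path[0] = '\0';       /* abstract namespace: leading NUL */

    int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;

    /* Pathname sockets include the trailing NUL; abstract names do not. */
    socklen_t alen = (socklen_t)(offsetof(struct sockaddr_un, sun_path)
                                 + len + (path[0] == '/' ? 1 : 0));
    ssize_t n = sendto(fd, state, strlen(state), 0,
                       (struct sockaddr *)&addr, alen);
    close(fd);
    return n == (ssize_t)strlen(state) ? 1 : -1;
}

int main(void)
{
    /* A daemon calls this once its initialisation is complete. */
    return notify_service_manager("READY=1") < 0 ? 1 : 0;
}
```

A unit using this needs `Type=notify` so that systemd sets `NOTIFY_SOCKET` and waits for the readiness message.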

Finally, the discussion also touched on the possibility of exposing dynamic loading (dlopen) information in a manner that could be read from ELF metadata, offering a more transparent way to understand and manage dependencies.

This proposal suggests a collaborative approach, encouraging input and support from various stakeholders in the Linux ecosystem, including package maintainers and system builders.

The details of the entire discussion and proposal are available for follow-up on the project’s GitHub repository.

Bobby Borisov


Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
