# Linux's Systemd can be pwned via an evil DNS query



## Maxnix (Jun 29, 2017)

This is the systemd DNS service that Poettering & co. recommended to use...
https://www.theregister.co.uk/2017/06/29/systemd_pwned_by_dns_query/

Some other considerations about resolved from Andrew Ayer's blog:


> DNS is a complicated, security-sensitive protocol. In August 2014, Lennart Poettering declared that "systemd-resolved is now a pretty complete caching DNS and LLMNR stub resolver." In reality, systemd-resolved failed to implement any of the documented best practices to protect against DNS cache poisoning. It was vulnerable to Dan Kaminsky's cache poisoning attack which was fixed in every other DNS server during a massive coordinated response in 2008 (and which had been fixed in djbdns in 1999). Although systemd doesn't force you to use systemd-resolved, it exposes a non-standard interface over DBUS which they encourage applications to use instead of the standard DNS protocol over port 53. If applications follow this recommendation, it will become impossible to replace systemd-resolved with a more secure DNS resolver, unless that DNS resolver opts to emulate systemd's non-standard DBUS API.
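The checks a caching resolver has to make before it trusts a reply, the ones the quoted passage says systemd-resolved skipped, as an added example written for this thread (it is not systemd's code and not from Andrew Ayer's post). It builds and parses DNS wire format by hand with only the standard library; the names, addresses, the `PendingQuery`/`accept_reply` helpers and the two sample replies are all constructed for illustration:

```python
"""Resolver-side reply validation (RFC 5452 style), as an added example.

Not systemd's code: a caching stub resolver must (1) use a random 16-bit
transaction ID, (2) send each query from a random source port (the 2008 fix for
Kaminsky's attack; djbdns did it in 1999), (3) accept a reply only if it answers
the question actually asked, and (4) cache only records inside the bailiwick of
the zone queried. Our encoder never emits compression pointers, so the parser
rejects them; a production parser must follow 0xC0 pointers. All names,
addresses and replies below are constructed samples.
"""
import secrets
import struct

TYPE_A, CLASS_IN = 1, 1

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):
    labels = []
    while True:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        off += 1
        if n == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + n].decode())
        off += n

def build_message(txid, qname, qtype, answers=(), additional=(), response=False):
    """answers/additional are (owner, rtype, rdata) tuples; TTL fixed at 300s."""
    flags = 0x8180 if response else 0x0100               # QR+RD+RA, or just RD
    hdr = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, len(additional))
    body = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for owner, rtype, rdata in list(answers) + list(additional):
        body += encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, 300, len(rdata)) + rdata
    return hdr + body

def parse_message(msg):
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off, rrs = off + 4, []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rrs.append((section, owner, rtype, msg[off:off + rdlen]))
            off += rdlen
    return {"txid": txid, "qr": bool(flags & 0x8000), "q": (qname, qtype, qclass), "rrs": rrs}

def in_bailiwick(owner, zone):
    return owner == zone or owner.endswith("." + zone)

class PendingQuery:
    """State kept per outstanding query: the two random values a forger must guess."""
    def __init__(self, qname, qtype, zone):
        self.txid = secrets.randbits(16)                    # 16 bits of entropy
        self.port = 1024 + secrets.randbelow(65536 - 1024)  # roughly 16 more
        self.qname, self.qtype, self.zone = qname, qtype, zone

def accept_reply(pending, src_port, wire):
    """Return the records safe to cache, or None if the reply must be dropped."""
    try:
        m = parse_message(wire)
    except (ValueError, IndexError, struct.error):
        return None
    if src_port != pending.port or m["txid"] != pending.txid or not m["qr"]:
        return None                                   # blind forgery: wrong port or ID
    if m["q"] != (pending.qname, pending.qtype, CLASS_IN):
        return None                                   # answers a question we never asked
    # keep only records the queried zone is authoritative for; other glue is dropped
    return [rr for rr in m["rrs"] if in_bailiwick(rr[1], pending.zone)]

def forgery_success_probability(entropy_bits, attempts):
    """Chance that `attempts` blind replies hit the right ID/port combination."""
    return 1 - (1 - 2.0 ** -entropy_bits) ** attempts

def demo():
    q = PendingQuery("www.example.com.", TYPE_A, zone="example.com.")
    legit = build_message(q.txid, q.qname, TYPE_A, response=True,
                          answers=[("www.example.com.", TYPE_A, bytes([192, 0, 2, 10]))],
                          additional=[("ns1.example.com.", TYPE_A, bytes([192, 0, 2, 1]))])
    forged = build_message(q.txid, q.qname, TYPE_A, response=True,
                           answers=[("www.example.com.", TYPE_A, bytes([198, 51, 100, 9]))],
                           additional=[("ns1.bank.example.", TYPE_A, bytes([198, 51, 100, 9]))])
    return {
        "legit": accept_reply(q, q.port, legit),
        "forged_wrong_port": accept_reply(q, q.port ^ 1, forged),   # ID guessed, port not
        "forged_right_port_and_id": accept_reply(q, q.port, forged),
        "odds_txid_only": forgery_success_probability(16, 65536),
        "odds_txid_and_port": forgery_success_probability(32, 65536),
    }
```

Two things the run makes visible. A forged reply that carries the right transaction ID but arrives on the wrong port is dropped outright; with only a 16-bit ID to guess, 65536 blind replies succeed about 63% of the time, while ID plus random port pushes that to roughly 1 in 65000. And when the attacker does guess both, the in-bailiwick answer is accepted, because it is indistinguishable from a real one; the bailiwick filter only strips the out-of-bailiwick glue, which is the older poisoning vector. Kaminsky's 2008 attack plants in-bailiwick NS and glue records for throwaway names, so the port entropy (and, beyond this example, DNSSEC validation) is what actually defends against it.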


----------



## SirDice (Jun 29, 2017)

I'm just waiting patiently for that whole systemd debacle to massively implode by itself. Seems like it's bound to happen sooner or later.


----------



## ekingston (Jun 29, 2017)

SirDice said:


> I'm just waiting patiently for that whole systemd debacle to massively implode by itself. Seems like it's bound to happen sooner or later.



I'm _hoping_ for the same thing. I wish I had your insight to see that it is bound to happen. But now we are getting pretty far off-topic.


----------



## scottro (Jun 29, 2017)

Apparently only Debian-based systems; RedHat says it doesn't affect their version.


----------



## Spartrekus (Jun 29, 2017)

hopefully FreeBSD will not end up like Linux.

I fully moved to FreeBSD to have Unix, and not a Poettering MS Windows evil system.


----------



## sko (Jun 29, 2017)

Well, maybe Poettering just recycled his Avahi mDNS? This thing also had at least one nasty RCE vuln. Other parts of the Avahi-bloatwork also had some pretty ugly CVEs and so did pulseaudio - so I guess it runs in the family 

The nice thing about systemd: It never fails to deliver at least one highly amusing "facepalm-moment" each week. E.g. last week it was the DoS by setting an environment variable: https://github.com/systemd/systemd/issues/6152
Also very high on the scoreboard: A PHP library for managing services: https://github.com/mjanser/php-systemctl  (what could possibly go wrong?)

Looking at the cadence of critical bugs and CVEs for the various parts of systemd, it seems meltdown is imminent - so prepare some popcorn and grab a cold beer


----------



## Spartrekus (Jun 29, 2017)

sko said:


> Well, maybe Poettering just recycled his Avahi mDNS? This thing also had at least one nasty RCE vuln. Other parts of the Avahi-bloatwork also had some pretty ugly CVEs and so did pulseaudio - so I guess it runs in the family
> 
> The nice thing about systemd: It never fails to deliver at least one highly amusing "facepalm-moment" each week. E.g. last week it was the DoS by setting an environment Variable: https://github.com/systemd/systemd/issues/6152
> Also very high on the scoreboard: A PHP library for managing services: https://github.com/mjanser/php-systemctl  (what could possibly go wrong?)
> ...



The most fascinating thing about Linux is that it proves that most Linux distros do not have any interest in preserving Unix-like systems and following the Unix philosophy.
Plus, Linux takes whatever looks modern and cool, without caring at all whether it can be stable or not.


----------



## recluce (Jun 29, 2017)

SirDice said:


> I'm just waiting patiently for that whole systemd debacle to massively implode by itself. Seems like it's bound to happen sooner or later.



It _probably_ will at some point, but not before adding "systemd-desktopd" and "systemd-kerneld" to make the Poettering ecosystem complete and eliminate any resemblance to Unix.

Anyway, as support for non-systemd Linux distros runs out, I will deploy more FreeBSD and Manjaro OpenRC (on notebooks) installations.


----------



## ralphbsz (Jun 30, 2017)

SirDice said:


> I'm just waiting patiently for that whole systemd debacle to massively implode by itself. Seems like it's bound to happen sooner or later.


Possible.  I had the misfortune to have to use systemd on very large IO servers (the kind of machine which has every PCI slot stuffed with either SAS or Infiniband cards, and connects to many hundreds of disks).  It was very amusing.  You need an angel-like patience and a good sense of humor to live with a systemd-based system.

On the other hand: The Linux ecosystem (which contains many large companies, such as IBM and RedHat) has enough people, they can get anything to work.  My prediction is different from yours: I don't think Linux with systemd will implode; instead it will become weirder and weirder, and be kept working with more and more (software-) duct tape and shoestring, until it becomes something like Windows: Impenetrable, weird, illogical, but actually functions.  But at that point, any logical structure and simplicity will be gone.

The problem with Linux is that there is no technical authority any longer, who can shout "uncle" when the pain gets to be too great.  It is out of control, in the literal sense of the words.


----------



## ShelLuser (Jun 30, 2017)

Not to worry though, I'm sure they'll soon add firewall functionality into systemd, something which the Linux masses have no doubt long waited for


----------



## sko (Jun 30, 2017)

ShelLuser said:


> Not to worry though, I'm sure they'll soon add firewall functionality into systemd, something which the Linux masses have no doubt long waited for



Already happened: https://cgit.freedesktop.org/systemd/systemd/commit/?id=76917807eb50ccde58901e8bec7ed3d408d1cc22
And also IP forwarding: https://cgit.freedesktop.org/systemd/systemd/commit/?id=5a8bcb674f71a20e95df55319b34c556638378ce

Yes, these were features I always missed in my init system


----------



## aht0 (Jun 30, 2017)

quite enlightening reading
https://lists.dns-oarc.net/pipermail/dns-operations/2016-June/014964.html


> - It uses nsswitch to basically take over gethostbyname*() and getaddrinfo(). This means any software using a DNS library like ldns, unbound, bind, knot, etc. bypasses this system and gets an inconsistent DNS view from the rest of the system. It explicitly does not support those kinds of applications. Due to its issues below, this is a problem for applications insisting on DNSSEC answers (e.g. postfix). It does not supply a "local DNS server" that those DNS libraries could use to get a consistent view.
> 
> - It fudges with /etc/resolv.conf, but it does not provide a DNS server. So it cannot put 127.0.0.1 in resolv.conf. This means ANY application using /etc/resolv.conf that does not use glibc is going to go around systemd-resolved. Yet systemd-resolved messes with resolv.conf.
> 
> - The process turns a request for binary DNS data into XML, feeds it into the systemd/dbus ecosystem, which turns it into binary DNS to send it to the forwarder. The binary DNS answer then gets turned into XML, goes through systemd/dbus, then is turned back into binary DNS to feed back into glibc. Apart from errors in this process, like last year's CVE on cache poisoning attacks, this means the systemd people need to very actively maintain their code whenever a new feature or RRTYPE is added to the DNS protocol. Maintenance and bugfixes are not systemd's strong point. This architecture is overly complex and unnecessary.
> 
> - It won't work well with applications that have their own DNS code inside. Such as browsers. This becomes worse when you think about browsers supporting draft-shore-tls-dnssec-chain-extension.
> 
> - It is yet another program/daemon that runs races with other software in controlling /etc/resolv.conf. E.g. VPN software adding nameservers.
> 
> - There is no option to become a full recursive DNS server. It depends on a forwarder being obtained via DHCP. This means any broken forwarder leads to a broken setup, e.g. an upstream that strips DNSSEC.
> 
> - It accepts DNS forwarders for all its interfaces. That means if you are on wifi and 3G, or ethernet and wifi, you have more than one DNS server from logically different networks. With no way of guaranteeing which logical network you are asking.
> 
> - It sends out DNS queries over all its obtained DNS servers all the time. This means DNS queries for split-DNS view resources leak all over the internet.
> 
> - It accepts the first valid answer. This could be an unsigned answer. This means a local attacker (e.g. wifi hotspot) has an advantage over the actual real DNS forwarders.
> 
> - It prefers an answer over an NXDOMAIN as a workaround for the above. So if some A record does not exist, the NXDOMAIN is ignored in favour of a forged, or rogue wildcard type, answer.
> 
> - It does not implement RFC-5011 properly. It might remove trusted keys upon seeing the revoke bit instead of waiting the time period specified in RFC-5011.
> 
> - I believe it does not support DNS-over-TLS.
> 
> - I _believe_ it does not support network changes that require a cache flush, for instance a VPN network with an internal *.corp.company.com whose entries need to be removed from the cache when the network is lost.
> 
> - I _believe_ it does not handle trust anchors linked to DNS nameserver IP addresses. Needed for DHCP servers relaying multiple domain names for resolving and VPN situations like draft-pauly-ipsecme-split-dns-01.
> 
> - I _believe_ it will not be able to reconfigure forwarders on the fly.


----------



## forquare (Jun 30, 2017)

Spartrekus said:


> the most fascinating thing about Linux is that it proves that most Linux distros do not have any possible interests in preserving Unix like systems and following Unix philosophy.


Not that RMS governs GNU/Linux, but he's said he was "never a supporter of the Unix design philosophy" (via reddit: https://www.reddit.com/r/linux/comments/63mo8p/rms_on_systemd_and_the_unix_philosophy/ ), given his influence I'm not surprised that the wider Linux world doesn't care about it...


----------



## ShelLuser (Jun 30, 2017)

sko said:


> Already happened: https://cgit.freedesktop.org/systemd/systemd/commit/?id=76917807eb50ccde58901e8bec7ed3d408d1cc22


That moment when you lose even more faith in humanity 

At moments like these I'm really happy that I discovered FreeBSD several years ago. Linux is most definitely going in the same direction as Windows it seems when it comes to bizarre and unneeded changes to the system. I can somewhat understand this for Windows (change = new = potential selling point), also because most changes happen in the GUI and not so much the underlying admin tools (msc.exe anyone?).

But Linux is (or was?) mostly targeted at sysadmins to begin with


----------



## ralphbsz (Jun 30, 2017)

ShelLuser said:


> That moment when you lose even more faith in humanity


Fortunately, there are still Linux distros that don't use systemd.  Unfortunately, in the enterprise and server space (with good paid support), there is no way around RHEL (and SUSE to a lesser extent).



> But Linux is (or was?) mostly targeted at sysadmins to begin with


Initially, it wasn't targeted at anything.  It was a bunch of college students that wanted to play with computers, and the i386 made serious Unix-like playing possible.  Since the 80s, we had all been dreaming of bringing up full 32-bit machines with virtual memory and demand paging, but the problem was that one couldn't get an unencumbered source tree.  Minix sort of fixed that, but it was way too small, a toy system intended for academic instruction, not use.

At that time (late 80s, early 90s), the i386 for the first time brought inexpensive compute power with sufficient memory addressing to the masses.  Before that, running serious software was expensive, because it needed expensive hardware (mainframes, VAXes, Sun, HP and IBM RISC machines), and the 68K and 32x32 based systems never became mainstream and affordable (with the exception of the Mac, but that was a closed system).  Through the magic combination of DOS/Windows and Intel/AMD, in the early 90s there was suddenly compute power at a price point that really opened it to lots more people and applications: You could get a 32-bit machine with a MMU, multiple MB of memory, and a video card that enabled a GUI, for about $1000 to $2000.  That caused a giant vacuum of inexpensive operating systems that could get serious work done on x86 machines, without the hassle and cost of licensing and having to pay support (both for hobbyists, and for commercial low-end use).

Linux filled that void.  In those days, Linus was a fun and approachable person (I remember going to drink beer with him at "99 bottles of beer" in Santa Cruz a few times, long before he was married or moved to the US permanently), and a large army of people quickly built the infrastructure around his kernel that was necessary to build production systems (making distributions, setting up FTP servers, porting software, getting XWindows to work, and moving useful software to it).  I remember the days when we first ported Fortran codes to it (initially using f2c), and ran X-based data analysis tools such as PAW, on a machine that cost less than a car.

The competition was on the commercial end System V, but getting a license for it was punishingly difficult and expensive.  In the BSD space, there was BSDI (which wasn't free, but very affordable, and the people who handled support contracts were friendly, unlike the SysV vendors).  Then Bill and Lynn Jolitz completed 386BSD without using the AT&T encumbered pieces; but that was "too little too late", held back by a variety of factors: Linux was already succeeding, the Jolitzes were famously obnoxious, the BSD core team was still in the Berkeley ivory tower (and not interested in x86 ports and at war with the Jolitzes), and there were various lawsuits that kept all *BSD operating systems under a legal cloud.  In my view, *BSD didn't become a viable "competitor" until the early 2000s, by which point Linux had won the free operating system war (saying "competitor" is funny, given that until the rise of the RedHat business model neither made money, and that they actually more complement each other than compete).

But what is definitely true is that Linux, as usually distributed today, has gone down the path Windows blazed in the 90s and 2000s with NT: It's very complex, it's very black box, hard to manage and understand.  The only difference is that you can run it without paying anyone; although in practice, if you want to use it in (commercial) production, you will need a support contract unless you are a superhero, because it is too complex to just work.  From this viewpoint, systemd is exactly what the commercial Linux support ecosystem needs: it makes it more bizarre and complex, meaning that paid support becomes even more important.  Note that Poettering's employer is also the largest vendor of Linux support.


----------



## ShelLuser (Jul 1, 2017)

ralphbsz said:


> Note that Poettering's employer is also the largest vendor of Linux support.


That part I wasn't aware of. Interesting, reeks of a double agenda as well


----------



## Maxnix (Jul 1, 2017)

ShelLuser said:


> That moment when you lose even more faith in humanity


Do you want to lose even more? 
https://cfp.systemd.io/en/systemdconf_2016/public/events/21


----------



## sidetone (Jul 1, 2017)

Maxnix said:


> Do you want to lose even more?
> https://cfp.systemd.io/en/systemdconf_2016/public/events/21


It's probably a self-signed certificate without a third party ensuring there are no imitators acting as either party. Or, that happens whenever going to an https site that's not even set up. If that's the case, they did not set up their .htaccess file to redirect from https to http.

I think a lot of Linux and GNU does is good, but relying too heavily on GPL causes inefficiency. It's good, for when a few organizations are using GPL, but when those projects get too big, it just draws clutter when people don't want to give up their work to make it better, benefiting mainly the owning parties of that code.

I found Systemd archaic when I tried using it. It's set up as: what do you want to start on runlevel 1, to runlevel 3 or 5? I just want it to start.


----------



## Spartrekus (Jul 7, 2017)

forquare said:


> Not that RMS governs GNU/Linux, but he's said he was "never a supporter of the Unix design philosophy" (via reddit: https://www.reddit.com/r/linux/comments/63mo8p/rms_on_systemd_and_the_unix_philosophy/ ), given his influence I'm not surprised that the wider Linux world doesn't care about it...



This is sad because they could have a better system.

My server runs flawlessly well running FreeBSD, it is clean, stable and I feel secure.


----------



## sko (Jul 7, 2017)

Spartrekus said:


> My server runs flawlessly well running FreeBSD, it is clean, stable and I feel secure.



THIS is exactly why I completely migrated our whole infrastructure and all servers to FreeBSD. No surprises, no weird behaviour - set it up and forget it; it just works.


BTW: 
I think I know why linux had to get rid of sysVinit - it had a critical CVE in 1999:
https://nvd.nist.gov/vuln/search/st...ype=statistics&search_type=all&query=sysvinit

Oh wait.... nevermind 
https://nvd.nist.gov/vuln/search/st...&pub_date_end_month=11&pub_date_end_year=2017


----------



## SirDice (Jul 12, 2017)

It never ceases to amaze me: https://www.theregister.co.uk/2017/07/05/linux_systemd_grants_root_to_invalid_user_accounts/


----------



## ekingston (Jul 13, 2017)

SirDice said:


> It never ceases to amaze me: https://www.theregister.co.uk/2017/07/05/linux_systemd_grants_root_to_invalid_user_accounts/



Is that the article that also mentions Poettering says it will not be fixed because it is working as intended? ... yes, it is.


----------



## SirDice (Jul 13, 2017)

ekingston said:


> Is that the article that also mentions Poettering says it will not be fixed because it is working as intended? ... yes, it is.


Isn't that his standard response to everything?


----------



## Birdy (Jul 13, 2017)

SirDice said:


> I'm just waiting patiently for that whole systemd debacle to massively implode by itself. Seems like it's bound to happen sooner or later.


Looking forward to systemd-imploded, systemd-exploded is fine too.


----------



## ekingston (Jul 13, 2017)

SirDice said:


> Isn't that his standard response to everything?



I believe so, yes. But it doesn't always make it into the articles.


----------



## forquare (Jul 13, 2017)

SirDice said:


> It never ceases to amaze me: https://www.theregister.co.uk/2017/07/05/linux_systemd_grants_root_to_invalid_user_accounts/



CVE Page here:
https://nvd.nist.gov/vuln/detail/CVE-2017-1000082
9.8, Critical severity…


----------



## ekingston (Jul 17, 2017)

SirDice said:


> I'm just waiting patiently for that whole systemd debacle to massively implode by itself. Seems like it's bound to happen sooner or later.



I stumbled across an article you might like.

https://www.theregister.co.uk/2017/07/17/linux_4_13_rc1/


----------



## ShelLuser (Jul 18, 2017)

Next stop: adding the samba stack into systemd, I know the devs are up to that!


----------



## sko (Jul 18, 2017)

ShelLuser said:


> Next stop: adding the samba stack into systemd, I know the devs. are up to that!



With SMBv1 support I guess? Because you know, there are so many legacy crap systems out there that need to be supported


----------



## rufwoof (Jul 27, 2017)

Won't systemD have a tendency to produce more eyes working on the same thing rather than doing one thing well, 101 different ways?

https://upload.wikimedia.org/wikipedia/commons/1/1b/Linux_Distribution_Timeline.svg

Can't help wonder if all of those eyes (man hours) had instead been put to a common focus !!!


----------



## Deleted member 9563 (Jul 27, 2017)

rufwoof said:


> Wont systemD have a tendency to produce more eyes working on the same thing


I think the systemd philosophy is to be EVERYTHING to everybody. That's hardly "the same thing".  So instead of getting specialist eyes looking at this we're going to get a bunch of generalists. Some think that's a recipe for disaster.


----------



## rufwoof (Jul 27, 2017)

OJ said:


> I think the systemd philosophy is to be EVERYTHING to everybody. That's hardly "the same thing".  So instead of getting specialist eyes looking at this we're going to get a bunch of generalists. Some think that's a recipe for disaster.


Maybe, maybe not. Debian encompasses something like 50,000+ 'programs' in its main repository and as a collective set if you stick with just that it works very well IMO .. and encompasses a vast range of choices (from small dedicated installations up to large servers and everything between).

You can still specialise within that, just a matter of opting for which choice of services to include or not, or even write your own (within that structure).

Could go the other way and more program producers focus their code/structure on that, leaving those on the outside with fewer choices to piggyback off (fewer options/programs in their own repositories).

Back in the day, many said Betamax was superior to VHS, however VHS won through. I guess systemD is like VHS was back then. SysV is considered as even less viable than SystemD going forward and an alternative is required ... and so far SysD is prevailing, despite perhaps not being up to the mark (yet).

As an end user not really that familiar with the intricacies I'm impartial to either. The other day when I hit problems with Slim I looked around at how to implement auto GUI login:

create a file at /etc/systemd/system/getty@tty1.service.d/override.conf with content

```
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin <user name> --noclear %I $TERM
```

and run `systemctl set-default multi-user.target` to activate that service or `systemctl set-default graphical.target` to flip back again. (It also suggested adding `[ "$(tty)" = "/dev/tty1" ] && exec startx` to ~/.profile.)

i.e. easy enough, and not vastly different to the kind of edits that would be required to implement the same function under SysV.

Its reporting is good also IMO, for instance running systemd-analyze blame shows potential bootup bottlenecks and you can even get a nice graphical timeline chart printed out if you so need/desire.

```
ff@debian:~$ systemd-analyze blame
          2.782s wicd.service
          2.503s keyboard-setup.service
          2.456s systemd-fsck@dev-sda2.service
          1.379s ufw.service
           909ms systemd-logind.service
           901ms rc-local.service
           899ms rsync.service
           634ms networking.service
           627ms systemd-fsck@dev-sda3.service
           606ms dev-hugepages.mount
           595ms sys-kernel-debug.mount
           569ms dev-mqueue.mount
           483ms kbd.service
           430ms systemd-tmpfiles-setup-dev.service
           426ms systemd-user-sessions.service
           420ms kmod-static-nodes.service
           414ms rsyslog.service
           342ms systemd-udev-trigger.service
           321ms systemd-modules-load.service
           316ms systemd-fsck@dev-sda4.service
           266ms systemd-update-utmp.service
           249ms mnt-sda4.mount
           230ms sys-fs-fuse-connections.mount
......
```

or how long startup took in total

```
ff@debian:~$ systemd-analyze
Startup finished in 10.240s (kernel) + 10.648s (userspace) = 20.888s
```

... etc.

From the traffic on the Devuan forum following its Release 1.0 the resistance to SysD would seem to be pretty light.
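Why the override in the post above needs two `ExecStart=` lines, shown with an added example written for this thread rather than systemd's own code. It reimplements the documented merge rule (drop-ins from `<unit>.d/*.conf` are applied after the unit file in lexical order; an empty assignment to a list-valued setting such as `ExecStart=` discards everything collected so far; a service that is not `Type=oneshot` must end up with exactly one `ExecStart=`) and then does the check a security reviewer would want on such an override: which users the resulting getty logs in without a password. Quoting, specifiers, `.include` and the other unit-file features are ignored, and the unit texts, the user name `alice` and the helper names are constructed for the example:

```python
"""Merge a systemd unit with its drop-ins and flag agetty --autologin (added example).

Not systemd's parser: it applies only the documented rules that matter for the
getty override discussed above. Unit texts below are constructed samples.
"""
import re
from collections import defaultdict

# settings that accumulate across assignments and are reset by an empty assignment
LIST_KEYS = {"ExecStart", "ExecStartPre", "ExecStartPost", "ExecStop", "Environment"}

def parse_unit(text, settings=None):
    """Parse one unit or drop-in into {section: {key: [values]}}, merging into `settings`."""
    if settings is None:
        settings = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None:
            raise ValueError(f"assignment outside any section: {raw!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            if value == "":
                settings[section][key].clear()      # empty assignment resets the list
            else:
                settings[section][key].append(value)
        else:
            settings[section][key] = [value]         # scalar: the last assignment wins
    return settings

def effective_config(unit_text, dropins):
    """dropins maps file name to text; applied after the unit file in lexical order."""
    settings = parse_unit(unit_text)
    for name in sorted(dropins):
        parse_unit(dropins[name], settings)
    return settings

def validate(settings):
    """Return the error systemd would also refuse the unit for, or None if it loads."""
    service = settings["Service"]
    execs = service.get("ExecStart", [])
    unit_type = service.get("Type", ["simple"])[0]
    if unit_type != "oneshot" and len(execs) != 1:
        return f"Type={unit_type} needs exactly one ExecStart=, found {len(execs)}"
    return None

def autologin_users(settings):
    """Users given a session on the tty without a password via agetty --autologin / -a."""
    found = []
    for cmd in settings["Service"].get("ExecStart", []):
        for m in re.finditer(r"(?:--autologin|-a)\s+(\S+)", cmd):
            found.append(m.group(1))
    return found

# constructed sample: a getty@.service template plus the drop-in from the post above
GETTY_UNIT = """\
[Unit]
Description=Getty on %I

[Service]
ExecStart=-/sbin/agetty --noclear %I $TERM
Type=idle
Restart=always
"""
OVERRIDE = """\
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin alice --noclear %I $TERM
"""

def demo():
    with_reset = effective_config(GETTY_UNIT, {"override.conf": OVERRIDE})
    # the same drop-in without the empty ExecStart= line: the commands accumulate instead
    no_reset = effective_config(GETTY_UNIT,
                                {"override.conf": OVERRIDE.replace("ExecStart=\n", "", 1)})
    return {
        "exec_start_with_reset": with_reset["Service"]["ExecStart"],
        "exec_start_without_reset": no_reset["Service"]["ExecStart"],
        "error_without_reset": validate(no_reset),
        "autologin_users": autologin_users(with_reset),
    }
```

Run `demo()` and the first drop-in leaves exactly one `ExecStart=` (the autologin one), while the variant without the reset line ends up with two commands, which `validate()` rejects the same way systemd does for a non-oneshot service. The `autologin_users()` pass is the part worth keeping around: a `--autologin` anywhere under `/etc/systemd/system/*.service.d/` means a console login with no authentication, and on a multi-user or physically exposed box it is worth the same scrutiny as a passwordless account.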


----------



## Deleted member 9563 (Jul 28, 2017)

rufwoof said:


> From the traffic on the Devuan forum following its Release 1.0 the resistance to SysD would seem to be pretty light.


You could be right, but forums are generally not very popular these days - seems people just refuse to use them. I'm seeing lots of Devuan interest and action in other places.


----------



## sko (Jul 28, 2017)

I'm still running devuan on 2 legacy linux boxes (until I find the time to finally replace them). They were switched from debian to devuan around the release of Debian jessie, just when the shit hit the fan: systemd was introduced as the default init on debian and already got lots of (unnecessary and stupid) hard dependencies from some packages - e.g. clamAV and even postfix at some time. Especially for postfix this was completely unnecessary - the upstream version was still the same - the *only* difference for the 'newer' debian package was the hard dependency on systemd and the added service file.
Devuan had lots of these service packages with removed systemd-dependencies early on - even if sometimes still with dependencies to their systemd-shim, but at least you didn't have to run the full systemd travesty show on your servers. I also got some help at the IRC channel when I was removing dependencies from some packages I needed back then for our HORDE server.

Back then there was no forum for Devuan, only the mailing list and irc channels and they were quite busy. I suspect most (especially long term) devuan users still prefer these communication channels over the new forum - especially because the main target group is sysadmins, not the typical "pointy-clicky" desktop users.


----------



## ronaldlees (Jul 28, 2017)

sko said:


> I'm still running devuan on 2 legacy linux boxes (until I find the time to finally replace them). ....



When I have to use Linux, I've been using Alpine Linux recently.  No systemd, and no GNU C library either (musl instead).  The distro has some very interesting backers/contributors.  It seems that not all the big corps have bought into systemd


----------



## Deleted member 30996 (Jul 28, 2017)

I'm not a fan of Linux but did have Debian on one of the spare HDD for my Thinkpads till recently. Of all the Linux distros I've tried it's what I liked best. When I heard that OpenBSD was going to implement KARL I wiped that drive in favor of it and will probably never use anything but BSD again.

BSD is superior in every way IMO and like that it can trace its roots back to Bell Labs UNIX.

I'm growing my beard out too so I can be a real neckbeard.


----------



## sko (Jul 28, 2017)

Alpine is what I also use on our smartOS host when I absolutely have to run Linux because of $some_reason.
The lean architecture of Alpine makes it really easy and insanely fast to set up LX-Zones via ansible or even manually for testing - a small manifest file is all that's needed to get a working Linux-Zone within a few seconds. As a bonus you also get all the benefits of ZFS and DTrace through the illumos/smartOS host


----------



## rufwoof (Jul 28, 2017)

Trihexagonal said:


> I'm not a fan of Linux but did have Debian on one of the spare HDD for my Thinkpads till recently. Of all the Linux distros I've tried it's what I liked best. When I heard that OpenBSD was going to implement KARL I wiped that drive in favor of it and will probably never use anything but BSD again.
> 
> BSD is superior in every way IMO and like that it can trace its roots back to Bell Labs UNIX.
> 
> I'm growing my beard out too so I can be a real neckbeard.


You've hit the nail on the head there. More for geeks, nostalgia and backend (servers), much less so for general use. Debian is vastly superior on that front. As systemD expands Debian will ride that wave whilst FreeBSD will increasingly become a niche ... as the next gen of developers/maintainers have a tendency towards familiarity and will be more familiar with Linux/sysD. The tendency towards "sysD is shit" and "piss off desktop users/non-geeks" doesn't serve FreeBSD well. Redirection towards TrueOS ... is hardly a good first impression either IMO.


----------



## Deleted member 30996 (Jul 28, 2017)

rufwoof said:


> More for geeks, nostalgia and backend (servers), much less so for general use. Debian is vastly superior on that front.



My use of FreeBSD _is_ for general use. Surfing the web, listening to music while doing so, using The Gimp to manipulate images, downloading files, working with text files and a file manager. I can do anything on my FreeBSD machines I could on my Debian box. The pkg system is every bit as easy to use as apt-get, I just like using ports. There is a long list of ISPs that use FreeBSD as a server and my desktop has all the security and stability of one. I like building it from scratch as then I have a customized desktop with only the programs I choose to be on it, and a rock solid one at that.

Linux has word of mouth going for it. That and pre-rolled distros where everything is already there when you finish the install process. Ubuntu is known for its ease of use and a lot of n00bs gravitate toward it. Mint is the most popular distro, No 1 at distro watch, and I hear people in other forums who use it talk about how they have difficulty switching from one Desktop Environment to another. WTF? You have 10 years experience with Linux and don't fall into that category.

The first computer I used was an Apple II. I moved on to Windows, to Puppy on a 100MB Zip Disk, Mandrake, distro hopped, discovered PC-BSD and helped beta test it. That gave me the experience to make the move to FreeBSD. If TrueOS can work the bugs out and they can get their act together it could well be the Linux of the BSD world. TrueOS is No.14 at distrowatch and rising. I think a lot of people who get their feet wet with TrueOS will eventually make the move to FreeBSD like I did.

FreeBSD is a real Operating System with a small but dedicated team of people working toward one goal and its roots in UNIX proper. Linux is a kernel invented by Linus with some apps on top, more distros than you can shake a slide rule at and no coherency. I know nothing of Poettering and very little about systemD, but what I hear is not good.

You'll hear the expression "FreeBSD is a professional OS for professionals". Yes, I'm a geek, an old one at that, but I am not an IT guy. Just a self-taught guy sitting at home in his apartment with 4 BSD laptops purring along. I am far from the smartest guy in the forum and only know a fraction of what others know about FreeBSD but for the most part I have mastery of my desktops.


----------



## Deleted member 9563 (Jul 29, 2017)

Trihexagonal said:


> My use of FreeBSD _is_ for general use.



Same here. I use Linux for dedicated use and other miscellaneous machines.



Trihexagonal said:


> You'll hear the expression "FreeBSD is a professional OS for professionals". Yes, I'm a geek, an old one at that, but I am not an IT guy. Just a self-taught guy sitting at home in his apartment with 4 BSD laptops purring along. I am far from the smartest guy in the forum and only know a fraction of what others know about FreeBSD but for the most part I have mastery of my desktops.



I wouldn't describe myself as a geek either. At least not just because I hang here and have a special relationship with mister Google. I'm an artist, and computers are an extension of that - not the other way around.


----------



## Deleted member 30996 (Jul 29, 2017)

rufwoof said:


> The tendency towards "sysD is shit" and "piss off desktop users/non-geeks" doesn't serve FreeBSD well. Redirection towards TrueOS ... is hardly a good first impression either IMO.



BTW, I welcome new users and am glad to see new people using FreeBSD as a desktop OS. Far from trying deter them, I've shared my experience and done my best to help make it easier for them to make the transition.

Beginners Guide - How To Set Up A FreeBSD Desktop From Scratch


----------



## Deleted member 9563 (Jul 29, 2017)

Regardless of what people here think about systemd, it nevertheless won an award at Blackhat. (article here).


----------



## rufwoof (Jul 29, 2017)

OJ said:


> Regardless of what people here think about systemd, it nevertheless won an award at Blackhat. (article here).


Should perhaps have been awarded to Dumber


> To exploit the issue, an attacker would have to convince an administrator – someone who already has root access – to install...


But I guess that would defeat the sheer defamation-of-systemD intent. Pretty much everyone agreed that SysV needed to be replaced; some don't like SysD as one such alternative, many others have accepted/adopted it. Of (sleep 3) all the choices (sleep 10) SysV (sleep 5) is the last choice (great, sleeps worked, this time, and no post jumped in to disrupt the intended flow).


----------



## Deleted member 9563 (Jul 29, 2017)

rufwoof said:


> Should perhaps have been awarded to Dumber


Who is Dumber?


----------



## Deleted member 30996 (Jul 30, 2017)

rufwoof, I understand your bias toward Linux and systemD and wanting to defend it, you do have a history of 10 years using it from what I understand, just as my 12 years use of FreeBSD tends mine toward it. You're entitled to your opinion, but this being a FreeBSD forum you're not going to find much love for Linux or systemD here. I hope that doesn't influence your decision to use FreeBSD.

However, when I spoke of what I had heard about systemD not being good, I was not referring to this thread alone. There are many such threads in forums dominated by Linux users, some closed due to the tone they took, with Linux users sporting taglines such as "systemD is evil". I usually just don't pay much attention to them, which is why I know little about it, since they don't affect me and discord is something I try to avoid in a forum.


----------



## paw (Aug 2, 2017)

The exploit is amusing. I want to play with this later.

I really can't fault FreeBSD. Thought I would throw that in. Recompiling the kernel was a doddle, unlike on Linux. It just works, it feels solid, pkg and ports are fantastic, and I could see why Gentoo was the hype back then, but to date ports win.

Linux is Linux, and I totally agree with the past. During times when I was pulling scrap 486s from the local tip for script-kiddie uses, Linux was excellent. I knew that other OSes exist. BeOS, which is now Haiku, looks fun and promising; I need to get round to installing that.

Linux is bloated, over-corporatised (Google~Android, RedHat, Canonical) and over-sponsored. This has allowed them to push Linux and make future visions happen, but again no authority exists to control it, and so it becomes a power struggle. Someone will get upset and cause drama, or someone will come up with something the majority won't want and will push it anyway because they decided to pay $.

People reinventing the wheel, that's cool; you should always have people create their own version, because why not. But sadly, these are normally for personal use, and the mainstream dominates over these, setting the tone that creating your own is bad. It's not bad, it's great.

Things feel sloppy on Linux as it's just an outdated kernel which Linus created and sits on like it's his throne, like an asshat. Linux feels like trying to make a beer pong cup tower: good for the first few cups, but it has no support and just starts to topple. The desktop experience is meh. I wouldn't use it for a desktop any more. I've tried, but it's just not there; it's clunky, noisy and just meh, it's not satisfying, which is why I don't use or like Android. Microsoft is Microsoft, but to be fair their UI has always felt more confident, same with Apple.

RedHat annoys me in the smugness of seeing themselves as the King of Linux, and sure, they've created major things, but it's like the Google of the Linux world. They're heavily driven by money and just seem corrupt. If you don't follow their ways, it kind of feels like you have a power of evil against you.

SystemD is a failure. Fair concept, but over-complicated and in the end useless. People have tried to apply their approach because they think theirs is better, and so you have a lumpy piece or a wonky distro. It works when applications have been designed for it, but normally they haven't, and so you end up waiting at shutdown with a message of "Stopping service: ETA: 2 minutes".
I hate it; if it's going to take an estimated 2 minutes, give me kill -9 and it will be ended in seconds. Which is one of the reasons I've swapped to FreeBSD and wish I had sooner.

I have FreeBSD running on my colocated server, which I will hopefully soon be pushing to selling Jails and bhyve VMs. Experimental, but I like experimental. Even then you still kind of feel safe, which is nice. Bhyve has really good potential to put FreeBSD back on the map.

Sure, it was shrouded by past history and I'm glad that's all over, but it's not a bad thing. Linux won that race, but look where it's at now. Linux is a mess, and FreeBSD is now starting to bloom, which is great for the future.

Oops, I should get back to work. Six years sysadmin for Linux, two years for FreeBSD.


----------



## Deleted member 9563 (Aug 2, 2017)

paw said:


> Linux is a mess


In a way, that's a good thing. Diversity is an excellent thing in many, though not all, ways. Systemd makes the assumption that everyone wants to do things the same way.

PS: rufwoof You still didn't answer. It's not the kind of name that's "Googlable".


----------



## rigoletto@ (Aug 2, 2017)

What is happening with Linux (and for a long time already) is exactly what (will) happen with anything (service, goods, etc.) when it decides to pursue a large/diverse user/client base, or even worse "everyone".

The only way to achieve that is compromising everywhere, and the first point/characteristic to suffer is the quality. Quality costs money and time.

One can argue that in the past, let's say the 50s, there were high quality products everywhere, but a few changes happened with time:


a large user/client base currently means a completely different thing, as the world population has grown exponentially;

the changes in the production resources took us from a time (the 50s) when manpower was cheap and the raw material expensive, to the complete opposite. Today manpower is expensive and raw material is cheap.
We changed from a business mentality of "we need to build it right the first time", because the source material is expensive and it will be expensive to fix (RMA) it later, to "we need to build everything fast", because manpower is expensive, and if anything goes wrong it will be cheap to fix (RMA) later.

The same behaviour could easily be applied to the software business.


----------



## Deleted member 30996 (Aug 2, 2017)

OJ said:


> rufwoof You still didn't answer. It's not the kind of name that's "Googlable".



I'm sure he meant me since I slammed Linux. He had already posted a farewell thread saying FreeBSD wasn't for him and was going back to Debian.

Posed with his previous proclamation that UNIX is primarily of interest for nostalgia purposes, prejudice of UNIX Philosophy in preference of the Pottering Principal, perturbed protection of systemD despite the preponderance of evidence and plethora of exploits presented, and as a penchant for an impregnable Operating System isn't paramount on his panel of priorities, perhaps FreeBSD isn't the proper choice for a person in his position, would possibly perceive perdured use of Linux preferable and the Pwnie for that prize more appropriately placed in his possession in perpetuity.


----------



## rufwoof (Aug 2, 2017)

@ Trihexagonal  Indeed I don't do servers, just purely a single-user desktop setup, primarily for browsing and spreadsheets/docs. From my perspective Debian provides the entirety ... operating system and all the programs I require/use, from and maintained by a single provider, that collectively all work well with each other. For instance, installing Openshot also requires Blender and Inkscape in order to be fully functional. The FreeBSD combination however doesn't work together, as Openshot is sensitive to Blender versions and FreeBSD contains a mismatch, whilst in Debian ... it all just works as expected. Installing things in FreeBSD I see a number of 'no package maintainer' type information messages; the more that are driven away from FreeBSD, the more packages won't be maintained. Increasingly so if packages otherwise borrowed from the likes of Debian are developed so as to be more aligned to work with (be an integral part of) SysD.

@ OJ ... Dumber out of Dumb and Dumber. The award for poor security amounts to sysadmin failure ... i.e. convince a sysadmin to install something they shouldn't. Tantamount to just a pure dig for the sake of it. Mostly the likes of Debian welcome other choices/variations, whereas the other way around is more inclined to hatred and insults.


----------



## Deleted member 30996 (Aug 3, 2017)

rufwoof said:


> Dumber out of Dumb and Dumber. The award for poor security amounts to sys admin failure ... i.e. convince a sys admin to install something they shouldn't. Paramount to just a pure dig for the sake of it. Mostly the likes of Debian welcome other choices/variations whereas the other way around is more inclined to hatred and insults.



Yours was the first mention of sysadmin failures in this thread unless I skimmed over them.

There was no hatred for Debian intended in my post. I had previously stated that out of all the Linux distros I had used, Debian was what I liked best. I had a Jessie box till about a month ago and tried out Stretch briefly. I also pointed out that your 10 years of experience did not lump you in with n00bs and the seemingly trivial problems they encounter.

The rest was all documented fact, because when I construct an argument, facts are what I rely on, as they are indisputable and there is no valid retort.

Check out the Linux Questions forums for systemD threads; you'll find plenty of them and users with anti-systemD taglines.

I have since educated myself on the subject of systemD and Lennart Pottering, since ignorance of it was a shortcoming of mine.


----------



## rufwoof (Aug 3, 2017)

Not sure where that 10 year experience came in Trihexagonal? I moved over to Linux as a desktop setup after XP support ceased, so around 3 years ago. Knoppix was my first, along with a mountain of other CD's being burnt/tried. Settled on 101 different variants of Puppy Linux mostly - until around a year or so ago when I moved over to Debian Jessie.

In a past life however (3+ decades ago) I had experience with a very wide range of OSes, from the smallest DOS/Windows for Workgroups/Visual Basic ... to the largest IBM/Amdahl mainframes (Cobol, TSO, JCL ... etc.), that included some Unix, Honeywell ... etc. (mid range).


----------



## Deleted member 30996 (Aug 3, 2017)

My mistake, I might have been thinking of Islamux. There have been a few new people lately and I might be wrong there, too.

I still hope you stay with FreeBSD instead of going back to Linux. I think as you become more familiar with it that it will be more to your liking.


----------



## rufwoof (Aug 3, 2017)

I boot using grub4dos and my corresponding menu.lst has options to boot Debian Jessie either as though a full install or as a filesystem.squashfs (read only, good for testing); FreeBSD (11.1); Puppy Tahr; Puppy Xenial; or a Puppy Debian Stretch that I Woof-CE'd myself. Fundamentally I use a data-centric approach: I value invaluable/irreplaceable data much more highly than the choice of (cheap, easily replaced) OS. Primarily I've been booting Debian Jessie into a restricted userid (rbash with very limited permissions), so that browsing the web is relatively safe, only switching to higher permission accounts for local/private documents (or booting a pristine browser with no addons/extensions to do online banking etc.). That choice uses Debian main repositories only, so no third party programs at all; I'm sticking with oldstable as that gets security updates whilst having been around a long time, so relatively few updates and very solid (repository programs all work well individually and together). As I see it, alongside USB and CD boot choices, they are just different ways to get at the core docs/personal stuff (with some pretty heavy backing up procedures (multiple copies, offsite etc.)), and the fun of learning/hobby.

Trying to develop my knowledge of FreeBSD, so booting that quite a bit recently. Looking like it will be a keeper alongside the others. I used your installation guide as a template, but have installed everything via pkg rather than ports (no /usr/src or /usr/ports content), including nvidia-driver-340. Desktop wise I like xorg, jwm, pcmanfm, as jwm takes care of the panel/tray/notifications whilst pcmanfm takes care of desktop icons and file manager. To that I add libreoffice, mpv and firefox-esr ... together with a bunch of other smaller programs (galculator, leafpad, mtpaint ... etc.). I've gone round the installation process a number of times now such that most of it is becoming easier. Your guide was a great help ... thanks. Greatly appreciated.
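An added illustration of the restricted-shell idea rufwoof mentions (my example, not rufwoof's configuration or anything posted in the thread): the script below probes what a restricted bash session (`bash -r`, which is what a login shell of `rbash` gives such an account) actually refuses, and it also shows the limit a practitioner should keep in mind. The restrictions are a property of that one shell process; a child process that starts its own `bash` runs unrestricted, so rbash limits what the account can type at a prompt but does not sandbox a browser or other program launched from it. The probe command strings are constructed for this demo, and the only assumption is that `bash` is on PATH.

```shell
#!/usr/bin/env bash
# Added example: probe the restrictions of a restricted bash session
# (bash -r, i.e. what /bin/rbash as a login shell provides) and the
# documented limit of that approach. Assumes 'bash' is on PATH.

# Run a command string inside a fresh restricted bash; return its exit status.
run_restricted() {
    bash -r -c "$1" >/dev/null 2>&1
}

# Return 0 when the restricted shell refuses the command, 1 when it runs it.
rbash_blocks() {
    if run_restricted "$1"; then
        return 1
    fi
    return 0
}

# rbash forbids 'cd'. If a child 'bash' started from inside the restricted
# session can 'cd', that child is unrestricted: the restriction does not
# follow into programs the account launches (a browser, for instance).
rbash_escapable() {
    run_restricted "bash -c 'cd / && exit 0'"
}

# Summarise which of the documented restrictions hold for each probe.
# The probes are constructed for this demo, not taken from the thread.
report() {
    for probe in 'cd /' '/bin/ls' 'PATH=/tmp' 'echo x > /dev/null' 'exec ls'; do
        if rbash_blocks "$probe"; then
            printf 'blocked : %s\n' "$probe"
        else
            printf 'ALLOWED : %s\n' "$probe"
        fi
    done
    if rbash_escapable; then
        echo "child 'bash -c' ran unrestricted: rbash restricts the shell, not its children"
    fi
}

report
```

Run it as an ordinary user; every probe should report `blocked`, and the final line shows the escape. That is the reason a restricted account is best combined with the other measures in the post above (a separate account for private documents, a pristine browser for banking) rather than relied on alone.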


----------



## ronaldlees (Aug 14, 2017)

sko said:


> Alpine is what I also use on our smartOS host when I absolutely have to run Linux because of $some_reason.
> The lean architecture of Alpine makes it really easy and insanely fast to set up LX-Zones via ansible or even manually for testing - a small manifest file is all thats needed to get a working Linux-Zone within a few seconds. As a bonus you also get all the benefits of ZFS and DTrace through the illumos/smartOS host



RE Alpine: They are integrating ZFS too.    There's a forum post on their forum that really puts the _systemd_ thing in perspective.  I don't know what the policy is on Linux links, but this one is about _systemd_ as much as Linux, and a good over-all view for those just coming to the party ...

https://forum.alpinelinux.org/forum/general-discussion/alpine-plans-systemd


----------



## sko (Aug 21, 2017)

ronaldlees said:


> RE Alpine: They are integrating ZFS too.    There's a forum post on their forum that really puts the _systemd_ thing in perspective.  I don't know what the policy is on Linux links, but this one is about _systemd_ as much as Linux, and a good over-all view for those just coming to the party ...
> 
> https://forum.alpinelinux.org/forum/general-discussion/alpine-plans-systemd



I've used ZoL on Debian/Devuan and really have no intention of going that way ever again, especially on VMs or servers in general, which are supposed to be as automated as possible, especially when it comes to deployment and configuration. ZoL involves way too many obstacles and manual intervention, and the Linux/Alpine VMs are few in number, so there would be no benefit in taking that course instead of just using zvols and doing all the snapshotting/replication/backups directly via the host. This keeps the VMs as simple as possible, as well as the backup infrastructure (AMANDA), which only has to access a minimum number of systems.

If one day native ZFS images for Alpine on smartOS are available and delegation to LX-zones is implemented I'd be happy to use it; until then I'll stick to KISS.


----------

