To get the superuser rights on a Linux distribution that uses the systemd system manager to initialize, you can use the invalid username in the systemd file. Unit.

In Linux, to avoid confusion between numeric user identifiers (UIDs) and alphanumeric usernames, the latter should not begin with numbers. However, in some modern distributions, such as RHEL7 and CentOS, this is allowed. Systemd does not allow creating unit files with an invalid user name, however other tools can create such files. If systemd encounters an invalid user name in the unit file, for example, "0day", the manager will ignore the parameter and create the requested service. In this case, the unit-file will be launched with superuser rights.

Messages about the problem began to appear on GitHub a week ago. Nevertheless, one of the main developers of the systemd Lennart Poettering (Lennart Poettering) said that the software works as expected and refused to make any changes. "I do not consider it necessary to correct something in systemd. I understand, it's annoying, but still: the username is obviously invalid, "- said the developer.

In the Linux community with the opinion of Potetring not all agree. According to the Belgian developer Mattias Geniar, the problem can be considered a vulnerability, because the systemd parsing of the User = parameter in unit files with an invalid user name gives superuser privileges. It's another matter if the user's rights were granted, said Geniar.

As noted by the developer, the vulnerability causes some concerns, but is not critical because of the limited vector of attacks (administrator rights are required to exploit the vulnerability).

Systemd is the system manager, the daemon for initializing other daemons in Linux, which replaced the previously used SysV. Its peculiarity is intensive parallelization of service startup during the system boot process, which allows to significantly accelerate the launch of the operating system.