[svlug] (forw) [DNG] Linux system can be brought down by sending SIGILL to Systemd

Steve Litt slitt at troubleshooters.com
Sat May 25 12:07:43 PDT 2019

On Sat, 25 May 2019 09:47:26 -0700
Michael Eager <eager at eagerm.com> wrote:

> On 5/25/19 1:18 AM, Rick Moen wrote:

> It looks like the problem is in kill(2) not in init or systemd.  It
> is kill(2) man page that says that it will only send "good" signals
> to proc 1.  It isn't the init process that seems broken.
> > Expecting tools not to blow up contrary to their documentation and
> > take down the entire system is not 'doing stupid shit'.  You
> > shouldn't have to fear shrapnel just because you ran 'cd' as root,
> > and it shouldn't happen just because you ran /bin/kill, either.  
> Which tool are you talking about?  It's not init which should handle
> all signals, it's kill which should be filtering them, as its man
> page sort of says.
> > Yes, the root privilege is deliberately dangerous.  But it shouldn't
> > be accidentally fatal to the system just from carrying out a routine
> > operation that's documented to _not_ do that.  
> So, someone should file a bug against kill(2).  Right?

My understanding is that, in an edge case, kill -s ILL 1 will severely
mess up PID1 or even stop it, and might stop the whole computer. I
think that edge case is what we're all writing about.

On the Debian-User mailing list I see all sorts of excuse-making for
systemd. Some centers around failures to reproduce this problem. Some
mention "hey, you're root, be careful." You yourself mention that it's
kill's fault for sending that signal to PID1.

And truth be told, even I don't think it's a big deal. If my runit init
brought down the OS upon receiving a SIGILL once in a great while,
usually my fault, I wouldn't care.

But see, here's the thing. Imagine if it were *sysvinit* that crashed
on receiving a SIGILL. Maaaaan, those same Debian-User guys would have
a field day gloating about how bad sysvinit is, and how smart they were
to go with systemd. And they'd bring out that even if it *can* be
reproduced by kill -s ILL 1 , it could also be created by a malware
laden daemon that runs as root, or just by some chance.

So let's go with the Debian-User folks,  and file a bug on systemd,
which under certain conditions crashes the whole box on receiving a
SIGILL. Also filing a bug on kill is a separate issue.


Steve Litt 
June 2019 featured book: Thriving in Tough Times

More information about the svlug mailing list