Any security-related reasons to choose one init over another?

Topic: Any security-related reasons to choose one init over another? (Read 987 times) previous topic - next topic

0 Members and 1 Guest are viewing this topic.

Any security-related reasons to choose one init over another?

17 August 2022, 17:25:10

I know systemd sucks because of its lack of security. Is there any difference between the init systems you offer or is it just about how it's configure and imperceptible performance differences?

Re: Any security-related reasons to choose one init over another?

Reply #1 – 17 August 2022, 18:11:26

One quick way to decide what init to use for security is it's code count.

Systemd is huge with 1.3 million LOC, so yeah definitely not that.

In general, the simpler the init, the more secure it tends to be.

Though don't rely solely on that, I can still write a 1000 line init absolutely filled with security bugs.

Re: Any security-related reasons to choose one init over another?

Reply #2 – 17 August 2022, 18:28:57

Quote from: Lancia – on 17 August 2022, 18:11:26

One quick way to decide what init to use for security is it's code count.

Systemd is huge with 1.3 million LOC, so yeah definitely not that.

In general, the simpler the init, the more secure it tends to be.

Though don't rely solely on that, I can still write a 1000 line init absolutely filled with security bugs.

That's logical. Which one would you recommend of the ones offered by Artix?

Re: Any security-related reasons to choose one init over another?

Reply #3 – 17 August 2022, 18:39:29

It would probably be dinit since it the simplest option Artix gives you.

Hell if you really want absolute simplicity, it would have to be suckless init ( https://git.suckless.org/sinit/ ) although you have to know C since it might be required.

Re: Any security-related reasons to choose one init over another?

Reply #4 – 17 August 2022, 18:51:04

Quote from: Lancia – on 17 August 2022, 18:39:29

It would probably be dinit since it the simplest option Artix gives you.

Hell if you really want absolute simplicity, it would have to be suckless init ( https://git.suckless.org/sinit/ ) although you have to know C since it might be required.

Thanks! I don't know any C unfortunately and since I'm working and have other obligations, I do not have time to learn it in any effective manner.

I'll trust your adivce and use dinit. Consider this topic resolved!

Re: Any security-related reasons to choose one init over another?

Reply #5 – 19 August 2022, 02:39:45

If you had a clear idea of why systemd is bad for security, you'd have criteria to weight inits against each other.

For instance, s6's author considers reading textual service definitions inherently bad for security, so he avoids that in s6 and would find dinit (and OpenRC) worse than runit or s6 in that regard. (Of course, dinit's author disagrees, and both have 20+ years of experience programming).

I've even seen people argue systemd is actually better for security since it subsumes many functions on a single codebase audited by many people instead of trusting individual distro packagers not to write faulty scripts.

Re: Any security-related reasons to choose one init over another?

Reply #6 – 20 August 2022, 14:52:47

Laurent Bercot (s6's author): A word about systemd, Why s6-rc?. I remember one of the arguments against systemd was privileged (not total) LOC count (specifically, in init process). Although I don't see exactly this argument by the links above.

UPD. s6 is very elegant and ultimately feature-complete, but I wouldn't say it's for newbies. From what I've read while I was deciding what to choose, next time I want something simple I'll try runit. Its development stopped years ago and it's still used by many (e.g. by VoidLinux), that means something: I know about and pretty happy with another such program: openbox.

Re: Any security-related reasons to choose one init over another?

Reply #7 – 07 March 2024, 08:28:54

Selecting an init system depends on security needs. SysVinit offers simplicity, reducing potential attack surfaces. Systemd, while feature-rich, may face criticism for its complexity. Evaluate your system's requirements; prioritize reliability and simplicity for enhanced security or opt for advanced features with careful configuration for specific use cases.

Re: Any security-related reasons to choose one init over another?

Reply #8 – 07 March 2024, 14:59:45

With all due respect SysV is obsolete by all means and we're only discussing worthy alternatives to systemd, from the most important down which have been talked about the most recently.

Re: Any security-related reasons to choose one init over another?

Reply #9 – 11 March 2024, 21:33:20

Quote from: amanda86 – on 07 March 2024, 08:28:54

Selecting an init system depends on security needs. SysVinit offers simplicity, reducing potential attack surfaces. Systemd, while feature-rich, may face criticism for its complexity. Evaluate your system's requirements; prioritize reliability and simplicity for enhanced security or opt for advanced features with careful configuration for specific use cases.

Don't necrobump please, make a new thread instead.