To obtain root privileges on a Linux distribution that utilizes systemd for initialization, start with an invalid user name in the systemd.unit file.
Linux usernames are not supposed to begin with numbers, to avoid ambiguity between numeric UIDs and alphanumeric user names. Nevertheless, some modern Linux distributions, like RHEL7 and CentOS, allow this.
The systemd software will not allow unit files to be created with an invalid user name. But other tools can create such files.
Curiously, if systemd encounters an invalid name in a unit file, like “0day,” it will ignore the parameter and create the requested service. As the documentation states, “If systemd encounters an unknown option, it will write a warning log message but continue loading the unit.”
But it will run the unit with root privileges instead of rejecting it or adopting more restrictive permissions.
Source: Create a user called ‘0day’, get bonus root privs – thanks, Systemd!
Systemd claims it’s not a bug!
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft