systemd 228 Had A Local Root Exploit

  • systemd 228 Had A Local Root Exploit

    Phoronix: systemd 228 Had A Local Root Exploit

    Just in case any of you are running a slightly older Linux system that is still running systemd 228, it turns out there was a local root exploit in that version...


  • #2
    Given that one of the common complaints about systemd is that it bundles too much functionality into PID 1, this makes me wonder.

    Does this systemd timers thing inherently require root privileges or could it have been implemented on the un-privileged side of a browser-like privileged/sandbox split?

    • #3
      uahuahuah the apocalypse now!
      not only this piece of s**t contains a root exploit, but the developers tried to hide this security breach from the community!
      so much fun and thanks to all the people that included it by default in many distrib

      • #4
        It doesn't seem to say whether older versions are affected. CentOS 7 has 219. Debian 8 has 215.

        • #5
          Originally posted by Chewi:
          It doesn't seem to say whether older versions are affected. CentOS 7 has 219. Debian 8 has 215.
          The vulnerability looks to have been on systemd Git from November 2015 to January 2016.
          Michael Larabel
          https://www.michaellarabel.com/

          • #6
            Originally posted by Chewi:
            It doesn't seem to say whether older versions are affected. CentOS 7 has 219. Debian 8 has 215.
            All texts I find, including the CVE, say it was introduced with 228 and fixed with 229. So it seems like only version 228 is affected by this vulnerability. A list of distros that ever included 228 would be good to have handy now!

            • #7
              Originally posted by Michael:
              The vulnerability looks to have been on systemd Git from November 2015 to January 2016.
              That excludes anything older than 228 then, thanks.

              • #8
                Originally posted by trek:
                ...the developers tried to hide this security breach from the community!
                Systemd is the reason that I moved to Windows for the first time in my life. (I went from Amiga to Slackware back in the mid-90s and have used Linux exclusively until last year.) But, I came here to defend the systemd developers after reading the headline. I was assuming the anti-systemd crowd (of which I've been a member since its introduction) would jump all over this as a reason that systemd sucks. But, all software has bugs, and system software tends to have security-related bugs. It's not like the kernel never had any security issues...

                But, this is inexcusable. I could see not understanding that the bug was an exploit if it was an off-by-one or null pointer dereference or something of that nature, but WORLD WRITABLE SUID FILES?!? This is a trivial, obvious, root exploit. How could you possibly mark that as a denial of service bug? The only reason I can think of is that they didn't want people to know they'd made a bonehead mistake. This looks extremely unprofessional, and the misleading description is far worse than the actual bug.

                • #9
                  On GNU/kFreeBSD, syslog-ng had a similar bug. But overwriting a setuid file resulted in it losing the setuid bit, so it wasn't exploitable like this. Does GNU/Linux not do the same thing? Or is that some FreeBSD-specific security feature?
                  Last edited by stevenc; 24 January 2017, 11:06 AM.
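
Post #8 describes the bug as world-writable SUID files. The script below is an added example, not part of the thread and not systemd code, showing how an administrator can audit a directory tree for that exact permission combination and strip it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): audit a directory tree
# for regular files that are BOTH setuid/setgid AND world-writable.
# All function names here are hypothetical.

# Shared find(1) expression. Usage: _setid_ww DIR ACTION...
#   -xdev        stay on one filesystem (skips /proc, network mounts, ...)
#   -perm -0002  world-writable bit set
#   -perm -4000  setuid bit set; -perm -2000 setgid bit set
_setid_ww() {
    dir=$1
    shift
    find "$dir" -xdev -type f -perm -0002 \
        \( -perm -4000 -o -perm -2000 \) "$@"
}

# Read-only: print one matching path per line.
find_writable_setid() {
    _setid_ww "${1:?usage: find_writable_setid DIR}" -print
}

# Read-only: long listing (mode, owner, mtime) for triage.
report_writable_setid() {
    _setid_ww "${1:?usage: report_writable_setid DIR}" -exec ls -ld {} +
}

# Mitigation: drop the setuid/setgid bits and the world-writable bit.
# Anyone could have written to these files, so their contents should not
# keep running with the owner's privileges.
strip_writable_setid() {
    _setid_ww "${1:?usage: strip_writable_setid DIR}" \
        -exec chmod ug-s,o-w {} +
}

# When run with a directory argument, print the triage listing.
[ "$#" -eq 0 ] || report_writable_setid "$1"
```

Run the read-only `find_writable_setid` or `report_writable_setid` first and review the output before calling `strip_writable_setid`.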

                  • #10
                    Originally posted by signals:
                    Systemd is the reason that I moved to Windows for the first time in my life.
                    This is exactly when I started to laugh so loud that I could not read more of your post...
