Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-07 Thread Dale
Wols Lists wrote:
> On 07/12/20 04:24, Dale wrote:
>> I visited with my friend who recently got the same type of internet I'll
>> be getting.  Odds are, the boxes will be the same.  She has hers through
>> a power company and that's what I'm getting, just a different power
>> company.  Anyway, as I suspected, it has a little box which is the
>> modem.  It looks a lot like a old AT Westel modem.  It's a little bit
>> smaller but other than that, almost identical.
> Can't comment. If you've already got a cat-5 link from your router to
> the internet modem, chances are you're okay.
>
> My two routers looked pretty much identical too - the only difference
> was the first had an RJ-11 WAN uplink, the second has an RJ-45. Other
> than that they are the exact same model.
>
> Cheers,
> Wol
>
>


According to my friend, she's never even had to access the modem or
router. They set everything up for her.  I asked her to access the modem
so I could see the modem's web page, she didn't know how to do it.  I
plan to do as much of my own as I can. 

I'm hoping to use my router since it is already set up and passwords are
already in everything that uses wifi.  Plus, I haven't had this modem
very long.  I bought some larger ears for it so that my printer and such
will get a signal.  I can get a signal about 400 feet down the road with
my cell phone.  lol 

I'm excited about the faster download speed for sure but I'm also very
happy that I have the same speed going up.  I can do some sort of cloud
backup if I want but even better, I can upload videos to video sites
much faster. 

Overall, this is better than I imagined several months ago when it was
first being mentioned.  Hardware and connections seems simple enough,
fast speeds and a company that is awesome.  Price is really good too. 
Only $4.00 a month more than what I have now. 

Thanks for the info.  Now for the waiting part. 

Dale

:-)  :-) 



Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-07 Thread Wols Lists
On 07/12/20 04:24, Dale wrote:
> I visited with my friend who recently got the same type of internet I'll
> be getting.  Odds are, the boxes will be the same.  She has hers through
> a power company and that's what I'm getting, just a different power
> company.  Anyway, as I suspected, it has a little box which is the
> modem.  It looks a lot like a old AT Westel modem.  It's a little bit
> smaller but other than that, almost identical.

Can't comment. If you've already got a cat-5 link from your router to
the internet modem, chances are you're okay.

My two routers looked pretty much identical too - the only difference
was the first had an RJ-11 WAN uplink, the second has an RJ-45. Other
than that they are the exact same model.

Cheers,
Wol



Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-06 Thread Dale
antlists wrote:
> On 04/12/2020 01:40, Dale wrote:
>> Also, our local power company is about to start rolling out internet
>> service.  It's done with fiber and the slowest package, 200MBs/sec, is
>> over 100 times faster than my current DSL.  It only costs $4.00 a month
>> more than what I'm paying now.  Their fastest package is 1GBs/sec.
>> Dang, I can't even imagine that sort of speed.  Another good thing, same
>> speed BOTH ways.  I can upload videos just as fast as I can download
>> one. Yeppie!!
>>
>> My only thing now, I hope it works like DSL/cable/etc and just requires
>> me to plug in a ethernet cable.  In other words, OS doesn't matter.  I
>> suspect it does but we will see.
>
> We went to fibre recently. They put a new box on the wall which takes
> an RJ-45 instead of the previous situation where ADSL took an RJ-11.
>
> All the blurb says "works with BT Hub 6", which we already had, so I
> didn't bother getting a new router (you had to pay for the "latest and
> greatest" Hub 7).
>
> When the guy installed it - "where's your new router, it won't work
> with this one". No apparently you can't just plug it into any old
> network port, the router needs a dedicated WAN link and the Hub 6 came
> in two versions, one with an ADSL modem and one with a fibre uplink.
>
> So it sounds like you need to swap your ADSL router for a cable router
> or whatever it is, but apart from that you'll be fine.
>
> (And then some sales guy working on behalf of BT knocked on the door,
> was surprised to find we were already BT customers, and rigged up some
> deal that (a) threw in a Hub-7 free, (b) changed our calling plan to
> remove the one-hour limit and add free calls to mobiles, and (c)
> knocked about £2 off our monthly bill!!!)
>
> Cheers,
> Wol
>
>


I visited with my friend who recently got the same type of internet I'll
be getting.  Odds are, the boxes will be the same.  She has hers through
a power company and that's what I'm getting, just a different power
company.  Anyway, as I suspected, it has a little box which is the
modem.  It looks a lot like a old AT Westel modem.  It's a little bit
smaller but other than that, almost identical.  Then there is a bigger
box that is a router.  I'm not sure of the brand but I don't think I've
ever seen one like that before.  It includes wifi as well as the usual 4
ethernet plugins.  My friend only uses wifi.  She has a TV, laptop and
cell phone.  Me, I'm desktop so I'd have a ethernet plug for mine.  Wifi
for my cell phone tho.  Oh, printer too.  I assume I can use my router. 
It has a ethernet cable going from modem to router.  Looks pretty simple
to me.  If I can use my existing router, don't know why I can't, then it
should be as simple as unplug cable from router, plug into new modem
from power company and surf the internet, at blazingly fast speeds. 
Whoooshhh. 

I have links to pics I took.  One is modem and one is the router. 
Anyone recognize the router?  Anything special about it? 

https://freeimage.host/i/KBNa6b
https://freeimage.host/i/KBNYMu

I hope that site doesn't annoy anyone.  I upload there but rarely go
there for anything else.  I need to have me a server thingy somewhere I
can upload to and keep things safe.  With this new internet, it is
possible.  It uploads and downloads at 200MB/sec.  First backup may take
a while but after that, it wouldn't be bad.  I wouldn't think of doing
that with current DSL tho. 

I'm excited to see this coming.  This is as good as when I went from
dial-up to DSL. 

Dale

:-)  :-) 



Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-05 Thread Dale
Michael Orlitzky wrote:
> On 12/4/20 12:02 PM, Dale wrote:
>>
>> So basically, that package would have to start over from scratch to be
>> fixed.  That's not very likely if history means anything.
>>
>
> I think the opentmpfiles devs are planning to copy/paste the
> systemd-tmpfiles C code into opentmpfiles eventually. That will make
> it safe on Linux, obviously, since systemd-tmpfiles is... but will
> leave the hardlink problem unsolved on other kernels.
>
> There's no way to make opentmpfiles both cross-platform and safe. It's
> possible to do so with OpenRC more generally, but that's a larger
> undertaking that I suspect no one is interested in taking under:
>
>   1. Give up on tmpfiles entirely
>   2. Replace "checkpath" in OpenRC with something that drops privileges
>   3. Rewrite all of the init scripts that rely on tmpfiles
>   4. Rework any packages that use tmpfiles without an OpenRC service
>
>
>> Sounds like switching is the best path and really, about the only path.
>> Until something better comes along or the default is redone from
>> scratch, not switching leaves a door open for a bad guy.
>
> Exactly.
>
>
>> Do you know if the systemd devs manage this or is this package done
>> outside of them?  Since some don't like systemd, myself being one of
>> them, I'd like to know what group maintains that package.
>
> Lennart "fuck Gentoo" Poettering is still in charge of
> systemd-tmpfiles, but there's nothing bad to be said about him in this
> regard. Compare his immediate and complete response to these issues,
>
>   * https://github.com/systemd/systemd/issues/7736
>   * https://github.com/systemd/systemd/issues/7986
>
> with the fact that the opentmpfiles bugs have sat there unaddressed
> for three years.
>
>


It sounds like both packages will end up being the same.  Sort of. 
Switching it is. 

I read through those links.  I admit, a lot of it went over my head but
I did get a somewhat better understanding of how it is insecure. It
seems to me like it would be a difficult thing to accomplish but if one
does, it could get bad. 

Thanks much for all the info.  It helped me and I hope it helped others
as well. 

Dale

:-)  :-) 



Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-05 Thread Michael Orlitzky

On 12/4/20 12:02 PM, Dale wrote:


> So basically, that package would have to start over from scratch to be
> fixed.  That's not very likely if history means anything.



I think the opentmpfiles devs are planning to copy/paste the 
systemd-tmpfiles C code into opentmpfiles eventually. That will make it 
safe on Linux, obviously, since systemd-tmpfiles is... but will leave 
the hardlink problem unsolved on other kernels.


There's no way to make opentmpfiles both cross-platform and safe. It's 
possible to do so with OpenRC more generally, but that's a larger 
undertaking that I suspect no one is interested in taking under:


  1. Give up on tmpfiles entirely
  2. Replace "checkpath" in OpenRC with something that drops privileges
  3. Rewrite all of the init scripts that rely on tmpfiles
  4. Rework any packages that use tmpfiles without an OpenRC service



> Sounds like switching is the best path and really, about the only path.
> Until something better comes along or the default is redone from
> scratch, not switching leaves a door open for a bad guy.


Exactly.



> Do you know if the systemd devs manage this or is this package done
> outside of them?  Since some don't like systemd, myself being one of
> them, I'd like to know what group maintains that package.


Lennart "fuck Gentoo" Poettering is still in charge of systemd-tmpfiles, 
but there's nothing bad to be said about him in this regard. Compare his 
immediate and complete response to these issues,


  * https://github.com/systemd/systemd/issues/7736
  * https://github.com/systemd/systemd/issues/7986

with the fact that the opentmpfiles bugs have sat there unaddressed for 
three years.




Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-04 Thread Dale
Michael Orlitzky wrote:
> On 12/4/20 1:44 AM, Dale wrote:
>>
>> Will opentmpfiles be fixed at some point or is it true that it can't be
>> fixed?  On -dev, I think I read where one person said it can't be
>> fixed.  In that case, switching is likely a good idea since the insecure
>> package can't be fixed.
>>
>
> The answer is a bit complicated. The first thing we need to understand
> is that opentmpfiles is supposed to be a cross-platform (i.e. POSIX)
> implementation of the systemd-tmpfiles program. Systemd itself only
> runs on newer versions of linux, and since it has control of the
> entire system, it can enable those non-standard symlink and hardlink
> protections. So,
>
>   * systemd-tmpfiles is secure, but only on linux, and only if you let
>     it enable fs.protected_hardlinks for you.
>
> The security there comes from two places. The first is that everything
> was implemented carefully in C to avoid these problems, and the second
> is that fs.protected_hardlinks solves the otherwise-unavoidable
> hardlink exploits.
>
> Now for contrast, opentmpfiles is INsecure for two reasons:
>
>   (1) It's written in shell script, so it doesn't have the ability to
>   pass e.g. O_NOFOLLOW to all of the calls that might follow
>   symlinks. And shell programs all operate on path names as opposed
>   to file descriptors, so race conditions are impossible to avoid.
>
>   (2) The fs.protected_hardlinks sysctl is not cross-platform, so if
>   it's to fulfill its stated design goals, opentmpfiles can't rely
>   on fs.protected_hardlinks.
>
> The first problem is fixable, but the second is not. If opentmpfiles
> is rewritten in C, it could be just as secure as systemd-tmpfiles...
> but **only on linux with fs.protected_hardlinks enabled**.
>
> It will never be both secure and cross-platform. The design of the
> whole tmpfiles.d thing is flawed in that regard.
>
>

So basically, that package would have to start over from scratch to be
fixed.  That's not very likely if history means anything. 


>>
>> root@fireball / # sysctl -n fs.protected_hardlinks
>> 1
>> root@fireball / #
>>
>>
>> Does that improve things any or does that not really help anything?
>>
>
> It completely fixes one of the problems (hardlinks), but does nothing
> for the other (non-terminal symlinks).
>
>


Sounds like switching is the best path and really, about the only path. 
Until something better comes along or the default is redone from
scratch, not switching leaves a door open for a bad guy. 

Do you know if the systemd devs manage this or is this package done
outside of them?  Since some don't like systemd, myself being one of
them, I'd like to know what group maintains that package. 

Thanks much for the info.  At least now I have a better understanding of
the issue.  It gives me info to decide what is best and I hope it does
the same for others reading this thread. 

Dale

:-)  :-) 



Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-04 Thread Michael Orlitzky

On 12/4/20 1:44 AM, Dale wrote:


> Will opentmpfiles be fixed at some point or is it true that it can't be
> fixed?  On -dev, I think I read where one person said it can't be
> fixed.  In that case, switching is likely a good idea since the insecure
> package can't be fixed.



The answer is a bit complicated. The first thing we need to understand
is that opentmpfiles is supposed to be a cross-platform (i.e. POSIX)
implementation of the systemd-tmpfiles program. Systemd itself only runs 
on newer versions of linux, and since it has control of the entire 
system, it can enable those non-standard symlink and hardlink 
protections. So,


  * systemd-tmpfiles is secure, but only on linux, and only if you let
    it enable fs.protected_hardlinks for you.

The security there comes from two places. The first is that everything 
was implemented carefully in C to avoid these problems, and the second 
is that fs.protected_hardlinks solves the otherwise-unavoidable hardlink 
exploits.


Now for contrast, opentmpfiles is INsecure for two reasons:

  (1) It's written in shell script, so it doesn't have the ability to
  pass e.g. O_NOFOLLOW to all of the calls that might follow
  symlinks. And shell programs all operate on path names as opposed
  to file descriptors, so race conditions are impossible to avoid.

  (2) The fs.protected_hardlinks sysctl is not cross-platform, so if
  it's to fulfill its stated design goals, opentmpfiles can't rely
  on fs.protected_hardlinks.

The first problem is fixable, but the second is not. If opentmpfiles is 
rewritten in C, it could be just as secure as systemd-tmpfiles... but 
**only on linux with fs.protected_hardlinks enabled**.


It will never be both secure and cross-platform. The design of the whole 
tmpfiles.d thing is flawed in that regard.





> root@fireball / # sysctl -n fs.protected_hardlinks
> 1
> root@fireball / #
>
>
> Does that improve things any or does that not really help anything?



It completely fixes one of the problems (hardlinks), but does nothing 
for the other (non-terminal symlinks).
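The two problems described in this message, as an added C example (not part of the original post, and not code from opentmpfiles or systemd-tmpfiles): a file-descriptor walk with O_NOFOLLOW on every component refuses a symlink in a non-terminal position, while a hard link passes straight through it. The names `open_nofollow_walk`, `run_demo` and the directory layout are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` beneath directory fd `root` one component at a time, with
 * O_NOFOLLOW on every component, so a symlink anywhere in the path is
 * refused. Returns an fd, or -1 with errno set. */
int open_nofollow_walk(int root, const char *path, int final_flags)
{
    char buf[PATH_MAX], *save = NULL;
    if (strlen(path) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, path);
    int dirfd = dup(root);
    if (dirfd < 0) return -1;
    char *comp = strtok_r(buf, "/", &save);
    while (comp != NULL) {
        char *next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) { close(dirfd); errno = EINVAL; return -1; }
        int flags = O_NOFOLLOW | O_CLOEXEC | (next ? O_DIRECTORY : final_flags);
        int fd = openat(dirfd, comp, flags);
        int saved = errno;
        close(dirfd);
        if (fd < 0) { errno = saved; return -1; }
        if (next == NULL) return fd;      /* last component reached */
        dirfd = fd;
        comp = next;
    }
    close(dirfd);
    errno = ENOENT;                       /* empty path */
    return -1;
}

struct demo_result {
    int path_open_followed;    /* plain path open went through the symlink  */
    int walk_refused_symlink;  /* fd walk refused that same path            */
    int walk_errno;            /* ELOOP or ENOTDIR, depending on the kernel */
    int hardlink_same_inode;   /* fd walk opened outside/secret's inode     */
};

/* Builds a constructed layout in a private temp dir and records what each
 * open strategy does with it. Returns 0 on success, -1 if setup failed. */
int run_demo(struct demo_result *r)
{
    char base[] = "/tmp/tmpfiles-demo-XXXXXX";
    struct stat lnk, tgt;
    int rc = -1, fd;
    memset(r, 0, sizeof *r);
    if (mkdtemp(base) == NULL) return -1;
    int root = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (root < 0) { rmdir(base); return -1; }

    /* outside/secret: stands in for a file the entry must never touch.
     * run -> outside: symlink in a NON-terminal position of run/secret.
     * real/alias:     hard link to outside/secret. */
    if (mkdirat(root, "real", 0700) || mkdirat(root, "outside", 0700) ||
        (fd = openat(root, "outside/secret", O_WRONLY | O_CREAT, 0600)) < 0 ||
        close(fd) || symlinkat("outside", root, "run") ||
        linkat(root, "outside/secret", root, "real/alias", 0))
        goto cleanup;

    fd = openat(root, "run/secret", O_RDONLY);   /* path-based access */
    r->path_open_followed = fd >= 0;
    if (fd >= 0) close(fd);

    fd = open_nofollow_walk(root, "run/secret", O_RDONLY);
    r->walk_errno = fd < 0 ? errno : 0;
    r->walk_refused_symlink = fd < 0;
    if (fd >= 0) close(fd);

    /* O_NOFOLLOW has nothing to object to here: a hard link is just
     * another name for the same inode. */
    fd = open_nofollow_walk(root, "real/alias", O_RDONLY);
    if (fd >= 0 && fstat(fd, &lnk) == 0 &&
        fstatat(root, "outside/secret", &tgt, 0) == 0)
        r->hardlink_same_inode = lnk.st_dev == tgt.st_dev && lnk.st_ino == tgt.st_ino;
    if (fd >= 0) close(fd);
    rc = 0;

cleanup:
    unlinkat(root, "real/alias", 0);
    unlinkat(root, "outside/secret", 0);
    unlinkat(root, "run", 0);
    unlinkat(root, "real", AT_REMOVEDIR);
    unlinkat(root, "outside", AT_REMOVEDIR);
    close(root);
    rmdir(base);
    return rc;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) { perror("run_demo"); return 1; }
    printf("path open followed symlink: %d, fd walk refused it: %d (%s)\n",
           r.path_open_followed, r.walk_refused_symlink, strerror(r.walk_errno));
    printf("fd walk opened hard link to outside inode: %d\n", r.hardlink_same_inode);
    return 0;
}
```

The hard link here is created by the file's own owner, so it succeeds whatever fs.protected_hardlinks is set to; the sysctl restricts linking to files the caller does not own or cannot write.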





Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-04 Thread Michael Orlitzky

On 12/4/20 5:47 AM, Michael wrote:


> If sys-apps/opentmpfiles is installed on openrc profiles, will this be
> deprecated and replaced with sys-apps/systemd-tmpfiles, or is this something
> we should do manually ourselves?



Only the default is being changed for now, so you should swap them yourself.




Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-04 Thread Michael Orlitzky

On 12/4/20 3:55 AM, tastytea wrote:


> From what I could gather, opentmpfiles is only vulnerable when an
> attacker is able to put a config file into /etc/tmpfiles.d/, so they
> have to be already root.


The exploit does require an entry in /etc/tmpfiles.d, but many packages 
install perfectly innocent files there that happen to be exploitable 
because opentmpfiles handles them insecurely.




Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-04 Thread Michael
On Friday, 4 December 2020 02:18:49 GMT Michael Orlitzky wrote:
> On 12/3/20 8:40 PM, Dale wrote:
> > Howdy,
> > 
> > I've mentioned I follow -dev to see what is coming around the corner.
> > There is a thread on there about switching tmpfiles packages for
> > security reasons.  I currently have sys-apps/opentmpfiles installed.  I
> > guess that is the default for openrc.  Someone mentioned
> > systemd-tmpfiles as a alternative that doesn't have the same security
> > problems.
> 
> There's a full explanation here:
> 
>   http://michael.orlitzky.com/cves/cve-2017-18925.xhtml
> 
> I'm a champion systemd hater, but you should switch to systemd-tmpfiles.
> There's no downside other than the name.

If sys-apps/opentmpfiles is installed on openrc profiles, will this be 
deprecated and replaced with sys-apps/systemd-tmpfiles, or is this something 
we should do manually ourselves?



Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-04 Thread Michael
On Friday, 4 December 2020 09:09:36 GMT antlists wrote:
> On 04/12/2020 01:40, Dale wrote:
> > Also, our local power company is about to start rolling out internet
> > service.  It's done with fiber and the slowest package, 200MBs/sec, is
> > over 100 times faster than my current DSL.  It only costs $4.00 a month
> > more than what I'm paying now.  Their fastest package is 1GBs/sec.
> > Dang, I can't even imagine that sort of speed.  Another good thing, same
> > speed BOTH ways.  I can upload videos just as fast as I can download
> > one. Yeppie!!
> > 
> > My only thing now, I hope it works like DSL/cable/etc and just requires
> > me to plug in a ethernet cable.  In other words, OS doesn't matter.  I
> > suspect it does but we will see.
> 
> We went to fibre recently. They put a new box on the wall which takes an
> RJ-45 instead of the previous situation where ADSL took an RJ-11.
> 
> All the blurb says "works with BT Hub 6", which we already had, so I
> didn't bother getting a new router (you had to pay for the "latest and
> greatest" Hub 7).
> 
> When the guy installed it - "where's your new router, it won't work with
> this one". No apparently you can't just plug it into any old network
> port, the router needs a dedicated WAN link and the Hub 6 came in two
> versions, one with an ADSL modem and one with a fibre uplink.
> 
> So it sounds like you need to swap your ADSL router for a cable router
> or whatever it is, but apart from that you'll be fine.
> 
> (And then some sales guy working on behalf of BT knocked on the door,
> was surprised to find we were already BT customers, and rigged up some
> deal that (a) threw in a Hub-7 free, (b) changed our calling plan to
> remove the one-hour limit and add free calls to mobiles, and (c) knocked
> about £2 off our monthly bill!!!)
> 
> Cheers,
> Wol

The full fibre to the premises (FTTP) connection requires a different port and 
modem to the ADSL broadband.

The basic functionality of an (A)DSL broadband modem is to convert electrical 
signals coming down the copper telephone wire to ethernet frames.  The basic 
functionality of a fibre modem is to convert the optical signals arriving 
through the fibre cable to ethernet frames.

In the UK, the old copper telephone wires coming into the customer premises 
terminated on an RJ11 connector, which was plugged into the corresponding RJ11 
socket of the ADSL modem, or into the more frequently provided by the ISP 
modem+router+WiFi combo box.

With fibre the modem, now called an Optical Network Terminal (ONT), no longer 
has a RJ11 port.  Instead it has an optical port to receive the fibre cable 
coming into the premises.  The ONT also has an RJ45 ethernet port for the LAN 
side - where you connect the router's WAN port with an ethernet cable.  It 
also has a telephone port for VoIP and a power connection.  It may also have a 
UPS connection to provide power to keep the phone working when the mains power 
supply suffers an outage - some ONT boxes have an internal battery for this 
purpose.

It follows that an old ADSL router combo box with an RJ11 WAN port is no good 
for fibre - although it can be used as a dumb switch or a WiFi Access Point in 
your LAN.  Instead a router with an RJ45 ethernet WAN port is required.  More 
expensive routers/switches come with SFP transceiver ports, in which you can 
plug either optical or ethernet cables.

Prices for fibre are more expensive depending on the ISP and a new contract is 
required.  Initial discounts are meant to entice earlier migration to fibre, 
but prices will increase by 30% or more after the discount period expires.  If 
you want to stay at the same speed as ADSL or use fibre for telephone only, 
then the price could be the same as the old copper connection, but again it 
depends on the ISP.



Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-04 Thread Dale
antlists wrote:
> On 04/12/2020 01:40, Dale wrote:
>> Also, our local power company is about to start rolling out internet
>> service.  It's done with fiber and the slowest package, 200MBs/sec, is
>> over 100 times faster than my current DSL.  It only costs $4.00 a month
>> more than what I'm paying now.  Their fastest package is 1GBs/sec.
>> Dang, I can't even imagine that sort of speed.  Another good thing, same
>> speed BOTH ways.  I can upload videos just as fast as I can download
>> one. Yeppie!!
>>
>> My only thing now, I hope it works like DSL/cable/etc and just requires
>> me to plug in a ethernet cable.  In other words, OS doesn't matter.  I
>> suspect it does but we will see.
>
> We went to fibre recently. They put a new box on the wall which takes
> an RJ-45 instead of the previous situation where ADSL took an RJ-11.
>
> All the blurb says "works with BT Hub 6", which we already had, so I
> didn't bother getting a new router (you had to pay for the "latest and
> greatest" Hub 7).
>
> When the guy installed it - "where's your new router, it won't work
> with this one". No apparently you can't just plug it into any old
> network port, the router needs a dedicated WAN link and the Hub 6 came
> in two versions, one with an ADSL modem and one with a fibre uplink.
>
> So it sounds like you need to swap your ADSL router for a cable router
> or whatever it is, but apart from that you'll be fine.
>
> (And then some sales guy working on behalf of BT knocked on the door,
> was surprised to find we were already BT customers, and rigged up some
> deal that (a) threw in a Hub-7 free, (b) changed our calling plan to
> remove the one-hour limit and add free calls to mobiles, and (c)
> knocked about £2 off our monthly bill!!!)
>
> Cheers,
> Wol
>
>


I knew the modem or internet connection box would be different.  They
generally are unless we go back to dial-up days.  A friend of mine has a
similar service but with a different power company.  I suspect tho they
will use the exact same box since the service is the same.  If I can, I
may look at hers.  She has two boxes.  Pretty sure one is modem and
other is a router of some sort, likely with wi-fi as well.  She said she
watches HD video on her laptop and TV without it ever pausing to cache
or anything.  She pulled up a video on youtube that was HD and it
started playing as soon as she clicked on it and the little line at the
bottom that shows the cache and video time location filled up really
fast.  I suspect you could set it to play at 10X and it still load it
faster than it can play.  It is seriously fast. 

Given the speed, I have no complaints on the price.  I won't notice the
extra $4.00 a month. I'll notice the speed increase tho. 

I can't wait until it gets here.  It will be a bit but it's on the way.

Dale

:-)  :-) 



Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-04 Thread antlists

On 04/12/2020 01:40, Dale wrote:

> Also, our local power company is about to start rolling out internet
> service.  It's done with fiber and the slowest package, 200MBs/sec, is
> over 100 times faster than my current DSL.  It only costs $4.00 a month
> more than what I'm paying now.  Their fastest package is 1GBs/sec.
> Dang, I can't even imagine that sort of speed.  Another good thing, same
> speed BOTH ways.  I can upload videos just as fast as I can download
> one. Yeppie!!
>
> My only thing now, I hope it works like DSL/cable/etc and just requires
> me to plug in a ethernet cable.  In other words, OS doesn't matter.  I
> suspect it does but we will see.


We went to fibre recently. They put a new box on the wall which takes an 
RJ-45 instead of the previous situation where ADSL took an RJ-11.


All the blurb says "works with BT Hub 6", which we already had, so I 
didn't bother getting a new router (you had to pay for the "latest and 
greatest" Hub 7).


When the guy installed it - "where's your new router, it won't work with 
this one". No apparently you can't just plug it into any old network 
port, the router needs a dedicated WAN link and the Hub 6 came in two 
versions, one with an ADSL modem and one with a fibre uplink.


So it sounds like you need to swap your ADSL router for a cable router 
or whatever it is, but apart from that you'll be fine.


(And then some sales guy working on behalf of BT knocked on the door, 
was surprised to find we were already BT customers, and rigged up some 
deal that (a) threw in a Hub-7 free, (b) changed our calling plan to 
remove the one-hour limit and add free calls to mobiles, and (c) knocked 
about £2 off our monthly bill!!!)


Cheers,
Wol



Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-04 Thread tastytea
On 2020-12-03 19:40-0600 Dale  wrote:

> Howdy,
> 
> I've mentioned I follow -dev to see what is coming around the corner. 
> There is a thread on there about switching tmpfiles packages for
> security reasons.  I currently have sys-apps/opentmpfiles installed.
> I guess that is the default for openrc.  Someone mentioned
> systemd-tmpfiles as a alternative that doesn't have the same security
> problems.  My question is, is this big enough a problem to switch or
> is it safe enough for us to use the same we have been?  It sounds
> like a rather rare problem.  Maybe even only during boot up.  I'm not
> 100% sure what it does or anything really.  I guess that's why I
> can't make sense of switching or not since I'm not sure what the
> package does or how serious the security problem is.

From what I could gather, opentmpfiles is only vulnerable when an
attacker is able to put a config file into /etc/tmpfiles.d/, so they
have to be already root.
Nevertheless I switched to systemd-tmpfiles and it just works and
doesn't pull any other systemd-stuff in.

I don't think it really matters which one you use.

Kind regards, tastytea

-- 
Get my PGP key with `gpg --locate-keys tasty...@tastytea.de` or at
.




Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-03 Thread Dale
Kusoneko wrote:
> On December 4, 2020 1:40:57 AM UTC, Dale  wrote:
>
> Highly doubt OS matters at all for ISPs. Internet service is standardized you 
> could say, at least at the end points where a device connects to a home 
> network or to the ISP, so there's no reason why a Linux-based OS wouldn't be 
> able to connect.
>
>> Any thoughts on tmpfiles?  What are others doing?  Switching?  Nothing? 
> Waiting for more info + whether a fix will come and if not what the 
> alternatives are, and if the only alternative is systemd then I'll wait still 
> for something that isn't systemd.
>
> Kusoneko.
>


That's my thinking too.  I think most all of them are OS neutral.  They
just have a web page to manage them and that's it.  I'm getting giddy
about that sort of speed coming here tho.  Not long ago, you had to be
in town close to a provider and pay a arm and leg to get that sort of
speed.  Now, a little guy can have it.  One that lives out in the sticks
at that.  I'm going to see if I can get more info about the box I
connect to.  That'll give me something to google for and find info about. 

I did think of one thing tho.  I got to find a network card that is
faster.  The one I have now tops out at 100MBs.  It's a old school
type.  I'll have to get a fancy 1GB version I guess.  H, I think my
router is 1GB ready.  I may have to recheck that. 

Michael is posting more info on this.  Even tho the alternative has
systemd in the name, I don't think it is coded by the systemd devs.  It
just happens to work with and be tailored around systemd. 

Dale

:-)  :-) 



Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-03 Thread Dale
Michael Orlitzky wrote:
> On 12/3/20 8:40 PM, Dale wrote:
>> Howdy,
>>
>> I've mentioned I follow -dev to see what is coming around the corner.
>> There is a thread on there about switching tmpfiles packages for
>> security reasons.  I currently have sys-apps/opentmpfiles installed.  I
>> guess that is the default for openrc.  Someone mentioned
>> systemd-tmpfiles as a alternative that doesn't have the same security
>> problems.
>
> There's a full explanation here:
>
>   http://michael.orlitzky.com/cves/cve-2017-18925.xhtml
>
> I'm a champion systemd hater, but you should switch to
> systemd-tmpfiles. There's no downside other than the name.
>
>


Will opentmpfiles be fixed at some point or is it true that it can't be
fixed?  On -dev, I think I read where one person said it can't be
fixed.  In that case, switching is likely a good idea since the insecure
package can't be fixed. 

At the bottom of one of the links, it had this.


Mitigation

On Linux, the fs.protected_hardlinks sysctl should be enabled:

    root # sysctl --write fs.protected_hardlinks=1


So, I first figured out how to see what mine was set at.  Little man
page digging later and got this. 


root@fireball / # sysctl -n fs.protected_hardlinks
1
root@fireball / #


Does that improve things any or does that not really help anything? 

While at it, I tend to do updates/switches in Konsole, while logged into
KDE.  Is this deep enough a package it should be done in a console and
in the boot runlevel or safe to do like anything else?  I read somewhere
that while this works on systemd, I don't think it is maintained by the
systemd folks.  Can't recall where I read that tho. 

I still don't quite get what the package does.  I read the links but
it's still murky. 

Thanks for the info.  Could be this helps others as well. 

Dale

:-)  :-) 



Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-03 Thread Michael Orlitzky

On 12/3/20 9:18 PM, Michael Orlitzky wrote:


> There's a full explanation here:
>
>   http://michael.orlitzky.com/cves/cve-2017-18925.xhtml



Just kidding, there were actually two:

  http://michael.orlitzky.com/cves/cve-2017-18188.xhtml



Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-03 Thread Michael Orlitzky

On 12/3/20 8:40 PM, Dale wrote:

> Howdy,
>
> I've mentioned I follow -dev to see what is coming around the corner.
> There is a thread on there about switching tmpfiles packages for
> security reasons.  I currently have sys-apps/opentmpfiles installed.  I
> guess that is the default for openrc.  Someone mentioned
> systemd-tmpfiles as a alternative that doesn't have the same security
> problems.


There's a full explanation here:

  http://michael.orlitzky.com/cves/cve-2017-18925.xhtml

I'm a champion systemd hater, but you should switch to systemd-tmpfiles. 
There's no downside other than the name.




Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-03 Thread Kusoneko
On December 4, 2020 1:40:57 AM UTC, Dale wrote:
>Howdy,
>
>I've mentioned I follow -dev to see what is coming around the corner. 
>There is a thread on there about switching tmpfiles packages for
>security reasons.  I currently have sys-apps/opentmpfiles installed.  I
>guess that is the default for openrc.  Someone mentioned
>systemd-tmpfiles as an alternative that doesn't have the same security
>problems.  My question is, is this big enough a problem to switch or is
>it safe enough for us to use the same we have been?  It sounds like a
>rather rare problem.  Maybe even only during boot up.  I'm not 100% sure
>what it does or anything really.  I guess that's why I can't make sense
>of switching or not since I'm not sure what the package does or how
>serious the security problem is.

This is the first I've heard of this but I'm definitely not switching to 
systemd-anything, even if that's the only alternative.

>Also, our local power company is about to start rolling out internet
>service.  It's done with fiber and the slowest package, 200MBs/sec, is
>over 100 times faster than my current DSL.  It only costs $4.00 a month
>more than what I'm paying now.  Their fastest package is 1GBs/sec. 
>Dang, I can't even imagine that sort of speed.  Another good thing, same
>speed BOTH ways.  I can upload videos just as fast as I can download
>one. Yeppie!!

Good for you!

>My only thing now, I hope it works like DSL/cable/etc and just requires
>me to plug in an ethernet cable.  In other words, OS doesn't matter.  I
>suspect it does but we will see. 

Highly doubt OS matters at all for ISPs. Internet service is standardized you 
could say, at least at the end points where a device connects to a home network 
or to the ISP, so there's no reason why a Linux-based OS wouldn't be able to 
connect.

>Any thoughts on tmpfiles?  What are others doing?  Switching?  Nothing? 

Waiting for more info + whether a fix will come and if not what the 
alternatives are, and if the only alternative is systemd then I'll wait still 
for something that isn't systemd.

Kusoneko.





[gentoo-user] Switching default tmpfiles and faster internet coming my way.

2020-12-03 Thread Dale
Howdy,

I've mentioned I follow -dev to see what is coming around the corner. 
There is a thread on there about switching tmpfiles packages for
security reasons.  I currently have sys-apps/opentmpfiles installed.  I
guess that is the default for openrc.  Someone mentioned
systemd-tmpfiles as an alternative that doesn't have the same security
problems.  My question is, is this big enough a problem to switch or is
it safe enough for us to use the same we have been?  It sounds like a
rather rare problem.  Maybe even only during boot up.  I'm not 100% sure
what it does or anything really.  I guess that's why I can't make sense
of switching or not since I'm not sure what the package does or how
serious the security problem is.

Also, our local power company is about to start rolling out internet
service.  It's done with fiber and the slowest package, 200MBs/sec, is
over 100 times faster than my current DSL.  It only costs $4.00 a month
more than what I'm paying now.  Their fastest package is 1GBs/sec. 
Dang, I can't even imagine that sort of speed.  Another good thing, same
speed BOTH ways.  I can upload videos just as fast as I can download
one. Yeppie!!

My only thing now, I hope it works like DSL/cable/etc and just requires
me to plug in an ethernet cable.  In other words, OS doesn't matter.  I
suspect it does but we will see. 

Any thoughts on tmpfiles?  What are others doing?  Switching?  Nothing? 

Thanks.

Dale

:-) :-)