On 1/2/20 6:35 PM, Rolf Eike Beer wrote:
>
> I only run vanilla-sources since there are still a lot of cache corruption
> problems in hppa kernels, or whatever makes them flaky.
The vanilla-sources are unsafe to use on Gentoo. Many services have
stupid-easy root exploits, since we install tmpfiles entries by default and
OpenRC runs them insecurely:

* https://github.com/OpenRC/opentmpfiles/issues/3
* https://github.com/OpenRC/opentmpfiles/issues/4

I've fixed similar exploits when I've found them in /etc/init.d and
pkg_postinst [0][1], but they continue to be added to the tree. And there is
no fix for opentmpfiles.

The gentoo-sources aren't 100% safe either, but the exploitable scenario is
less common thanks to fs.protected_{hardlinks,symlinks}=1.

[0] http://michael.orlitzky.com/articles/end_root_chowning_now_%28make_etc-init.d_great_again%29.xhtml
[1] http://michael.orlitzky.com/articles/end_root_chowning_now_%28make_pkg_postinst_great_again%29.xhtml
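As an added illustration (not the author's code, not OpenRC's checkpath, and not an opentmpfiles patch), this is the shape of a non-recursive, symlink-refusing directory setup that avoids the root-chowning pattern the message describes; the function name safe_owned_dir is assumed.

```sh
# Added example: create a service directory with a fixed owner and mode
# without following a link a local user may have planted at that path.
# safe_owned_dir is a hypothetical name, not an OpenRC or Gentoo helper.
safe_owned_dir() {
    dir=$1; owner=$2; mode=$3

    # Refuse if the path is a symlink (dangling or not): a plain
    # "chown $owner $dir" in an init script or tmpfiles entry would
    # follow it and hand ownership of some other file to the user.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symlink" >&2
        return 1
    fi
    if [ -e "$dir" ] && [ ! -d "$dir" ]; then
        echo "refusing: $dir exists and is not a directory" >&2
        return 1
    fi

    # mkdir without -p: creation fails with EEXIST if anything, including
    # a dangling symlink, already sits at $dir, instead of resolving it.
    if [ ! -d "$dir" ]; then
        mkdir -m "$mode" "$dir" || return 1
    fi

    # Never recursive (no -R): changing ownership of files *inside* the tree
    # is the hardlink/symlink exploit.  -h does not dereference, in case the
    # path was swapped for a link between the check above and this call.
    chown -h "$owner" "$dir" || return 1

    # chmod still follows symlinks, so a window remains here whenever the
    # parent directory is writable by the untrusted user.  fs.protected_symlinks
    # only closes that window for sticky, world-writable parents such as /tmp.
    chmod "$mode" "$dir"
}
```

Even this keeps a check-to-use window when the parent directory is user-writable; the complete fix is the one the linked articles argue for, which is not chowning user-controlled paths as root at all.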
