On Fri, Jan 3, 2020 at 9:41 AM Michael Orlitzky <[email protected]> wrote:
>
> On 1/3/20 9:40 AM, Toralf Förster wrote:
> > On 1/3/20 3:37 PM, Michael Orlitzky wrote:
> >> The gentoo-sources aren't 100% safe either, but the exploitable scenario
> >> is less common thanks to fs.protected_{hardlinks,symlinks}=1.
> >
> > But this can be easily achieved w/o installing gentoo-sources, or?
> >
>
> Yes, if you know how to do it. And the hard part: if you know that you
> *should* do it.
>
If OpenRC contains a vulnerability, wouldn't it make more sense to set this as part of OpenRC than to assume somebody is running a kernel patch that does it, especially since OpenRC doesn't in any way ensure that gentoo-sources is actually being used?

Of course, fixing the vulnerability seems like a better option. At least on Linux, based on your one bug description, it sounds like systemd has a Linux-specific fix already. Obviously it would be best to secure this on all kernels, but there is no reason not to at least use that fix on Linux.

You could also try to convince the entire world not to use tmpfiles.d, but since it is only a problem if you aren't using systemd, I suspect you won't get much traction there.

In any case this seems more like an OpenRC issue than a Gentoo issue.

--
Rich
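For anyone who wants to verify the fs.protected_{hardlinks,symlinks} settings the thread refers to, here is a small check script, added as an example and not part of the thread or of OpenRC. It reads the knobs from a directory given as an argument (on a live system that is /proc/sys/fs) so it can also be run against a copy, and the /etc/sysctl.d/ file name it prints is an assumed placeholder.

```shell
#!/bin/sh
# check_protected_links [SYSFS_DIR]
# Reads protected_hardlinks and protected_symlinks from SYSFS_DIR
# (default /proc/sys/fs) and returns 0 only when both are set to 1.
# A missing or unreadable knob counts as unprotected, since a kernel
# without the feature is exposed just like one with it turned off.
check_protected_links() {
    dir="${1:-/proc/sys/fs}"
    status=0
    for knob in protected_hardlinks protected_symlinks; do
        f="$dir/$knob"
        if [ -r "$f" ]; then
            val=$(cat "$f")
        else
            val="missing"
        fi
        if [ "$val" = "1" ]; then
            echo "fs.$knob = 1 (ok)"
        else
            echo "fs.$knob = $val (NOT protected)"
            status=1
        fi
    done
    return "$status"
}

# Print a sysctl.d fragment that turns both protections on persistently.
# The file name is an assumed placeholder; install it under /etc/sysctl.d/
# and apply it with `sysctl --system`.
hardening_fragment() {
    cat <<'EOF'
# /etc/sysctl.d/50-protected-links.conf (assumed name)
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
EOF
}

# When run directly with CHECK_LIVE=1, check the running kernel and
# print the fragment if anything is missing.
if [ "${CHECK_LIVE:-0}" = "1" ]; then
    check_protected_links /proc/sys/fs || hardening_fragment
fi
```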
