On 11/26/20 5:37 PM, Peter Stuge wrote:
> Georgy Yakovlev wrote:
>> I'll be switching default tmpfiles provider to sys-apps/systemd-tmpfiles
>> by the end of the week by updating virtual/tmpfiles ebuild.
> 
> Michael Orlitzky wrote:
>> Corollary: the tmpfiles.d specification can only be implemented (safely)
>> on Linux after all.
> 
> So should virtual/tmpfiles differentiate based on system?
> 

There's no scenario where opentmpfiles is preferable.

systemd-tmpfiles with the fs.protected_hardlinks=1 sysctl is secure on
Linux. On other kernels, you're out of luck -- none of the options are
secure. Securing the service manager on other kernels would require
dropping tmpfiles entirely, and major changes to OpenRC.
