On 11/26/20 5:57 PM, Thomas Deutschmann wrote: > > I disagree here: Packages installing tmpfiles configs requiring > recursive chown on each boot are doing something wrong from my P.O.V.
No argument there, but me thinking they're wrong doesn't stop people from doing it. > Note that hardlinks aren't even fixed for systemd's tmpfiles provider. > It will always rely on fs.protected_hardlinks for example. And checking > for hardlinks like happened to address CVE-2017-18078 will create > another TOCTOU race. Where is the follow-up report for this? Systemd only supports Linux, and sets fs.protected_hardlinks=1 itself. There's not much more we can ask from them. I normally err on the side of caution, but if someone goes out of their way to disable a security setting, I don't consider it CVE-worthy if the thing that setting was preventing is now exploitable. > In short: As long as it is possible for attacker to write to directory > you are working on you can never do mentioned things in a safe way. You > first have to revoke access for everyone except you and then you can > start checking file per file... but *no* implementation is doing > something like that. This came up in the old (late 1990s, early 2000s) LKML discussions about the protected_* sysctls. The Right Thing To Do is to drop privileges to the user who owns the directory if you need to do stuff in a directory that a user owns or can write to. To quote your earlier message: > Rule of thumb: Just make sure that you only create top level directories. ...and then drop privileges.