Re: [gentoo-dev] PSA: switching default tmpfiles virtual provider

2020-11-30 Thread Mike Gilbert
On Sun, Nov 29, 2020 at 4:50 PM William Hubbs wrote: > > On Thu, Nov 26, 2020 at 07:55:33AM +0100, Piotr Karbowski wrote: > > Hi, > > > > On 25/11/2020 22.57, Georgy Yakovlev wrote: > > > systemd-tmpfiles does not depend on any systemd-isms, does not need dbus, > > > and is just a drop-in

Re: [gentoo-dev] PSA: switching default tmpfiles virtual provider

2020-11-29 Thread William Hubbs
On Thu, Nov 26, 2020 at 07:55:33AM +0100, Piotr Karbowski wrote: > Hi, > > On 25/11/2020 22.57, Georgy Yakovlev wrote: > > systemd-tmpfiles does not depend on any systemd-isms, does not need dbus, > > and is just a drop-in replacement, the only step needed is to emerge the > > package. > > it's a

Re: [gentoo-dev] PSA: switching default tmpfiles virtual provider

2020-11-28 Thread Georgy Yakovlev
On 25.11.2020 13:57, Georgy Yakovlev wrote: > Hi, > > In case you don't know, opentmpfiles has an open CVE > CVE-2017-18925: root privilege escalation by symlink attack > https://github.com/OpenRC/opentmpfiles/issues/4 > It has been an issue for quite a while, reported 3 years ago, > and not much

Re: [gentoo-dev] PSA: switching default tmpfiles virtual provider

2020-11-26 Thread Michael Orlitzky
On 11/26/20 5:57 PM, Thomas Deutschmann wrote: > > I disagree here: Packages installing tmpfiles configs requiring > recursive chown on each boot are doing something wrong from my P.O.V. No argument there, but me thinking they're wrong doesn't stop people from doing it. > Note that hardlinks

Re: [gentoo-dev] PSA: switching default tmpfiles virtual provider

2020-11-26 Thread David Seifert
On Thu, 2020-11-26 at 17:45 -0500, Michael Orlitzky wrote: > On 11/26/20 5:37 PM, Peter Stuge wrote: > > Georgy Yakovlev wrote: > > > I'll be switching default tmpfiles provider to sys-apps/systemd- > > > tmpfiles > > > by the end of the week by updating virtual/tmpfiles ebuild. > > > > Michael

Re: [gentoo-dev] PSA: switching default tmpfiles virtual provider

2020-11-26 Thread Thomas Deutschmann
On 2020-11-26 21:36, Michael Orlitzky wrote: Most of these security issues were fixed in systemd-tmpfiles years ago, and you can easily find upstream tmpfiles.d entries that contain e.g. "Z" entries. In that case, the upstream file is not in error, and root doesn't have to be actively tricked

Re: [gentoo-dev] PSA: switching default tmpfiles virtual provider

2020-11-26 Thread Michael Orlitzky
On 11/26/20 5:37 PM, Peter Stuge wrote: > Georgy Yakovlev wrote: >> I'll be switching default tmpfiles provider to sys-apps/systemd-tmpfiles >> by the end of the week by updating virtual/tmpfiles ebuild. > > Michael Orlitzky wrote: >> Corollary: the tmpfiles.d specification can only be

Re: [gentoo-dev] PSA: switching default tmpfiles virtual provider

2020-11-26 Thread Sam James
> On 26 Nov 2020, at 22:37, Peter Stuge wrote: > Michael Orlitzky wrote: >> Corollary: the tmpfiles.d specification can only be implemented (safely) >> on Linux after all. > > So should virtual/tmpfiles differentiate based on system? > It won’t be keyworded where it’s not available so Portage

Re: [gentoo-dev] PSA: switching default tmpfiles virtual provider

2020-11-26 Thread Peter Stuge
Georgy Yakovlev wrote: > I'll be switching default tmpfiles provider to sys-apps/systemd-tmpfiles > by the end of the week by updating virtual/tmpfiles ebuild. Michael Orlitzky wrote: > Corollary: the tmpfiles.d specification can only be implemented (safely) > on Linux after all. So should

Re: [gentoo-dev] PSA: switching default tmpfiles virtual provider

2020-11-26 Thread Michael Orlitzky
On 11/26/20 10:07 AM, Thomas Deutschmann wrote: > > Only root is allowed to write to these directories. In other words: To > exploit this, a malicious local user (or a remote attacker who already > gained user access) would have to trick root into creating specially > crafted tmpfiles config

Re: [gentoo-dev] PSA: switching default tmpfiles virtual provider

2020-11-26 Thread Thomas Deutschmann
Hi, I don't have any objections regarding the change of the default tmpfiles provider but I would like to classify the vulnerability: On 2020-11-25 22:57, Georgy Yakovlev wrote: In case you don't know, opentmpfiles has an open CVE CVE-2017-18925: root privilege escalation by symlink attack

Re: [gentoo-dev] PSA: switching default tmpfiles virtual provider

2020-11-25 Thread Piotr Karbowski
Hi, On 25/11/2020 22.57, Georgy Yakovlev wrote: > systemd-tmpfiles does not depend on any systemd-isms, does not need dbus, > and is just a drop-in replacement, the only step needed is to emerge the > package. > it's a simple single binary + manpage, binary links to libacl and couple other >