From: "Georgy Yakovlev" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Georgy Yakovlev" Message-ID: <1625819155.29519425838e9b67c6802e321ce52c76a65c2215.gyakovlev@gentoo> Subject: [gentoo-commits] data/gentoo-news:master commit in: 2021-07-07-systemd-tmpfiles/ X-VCS-Repository: data/gentoo-news X-VCS-Files: 2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt X-VCS-Directories: 2021-07-07-systemd-tmpfiles/ X-VCS-Committer: gyakovlev X-VCS-Committer-Name: Georgy Yakovlev X-VCS-Revision: 29519425838e9b67c6802e321ce52c76a65c2215 X-VCS-Branch: master Date: Fri, 9 Jul 2021 08:26:28 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: cec841bb-835f-4f3f-80f8-548deb69622b X-Archives-Hash: 8bb1ef2f8efc6dab65dbae4839855aeb commit: 29519425838e9b67c6802e321ce52c76a65c2215 Author: Georgy Yakovlev gentoo org> AuthorDate: Fri Jul 9 02:36:20 2021 +0000 Commit: Georgy Yakovlev gentoo org> CommitDate: Fri Jul 9 08:25:55 2021 +0000 URL: https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=29519425 2021-07-07-systemd-tmpfiles: add news item Signed-off-by: Sam James gentoo.org> Signed-off-by: Georgy Yakovlev gentoo.org> .../2021-07-07-systemd-tmpfiles.en.txt | 66 ++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt new file mode 100644 index 0000000..159f95f --- /dev/null +++ b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt 
@@ -0,0 +1,66 @@ +Title: systemd-tmpfiles replaces opentmpfiles due to security issues +Author: Georgy Yakovlev +Author: Sam James +Posted: 2021-07-07 +Revision: 1 +News-Item-Format: 2.0 +Display-If-Installed: sys-apps/opentmpfiles +Display-If-Installed: sys-apps/systemd-tmpfiles + +A tmpfiles [0] implementation provides a generic mechanism to define +the creation of regular files, directories, pipes, and device nodes, +adjustments to their access mode, ownership, attributes, quota +assignments, and contents, and finally their time-based removal. +It is commonly used for volatile and temporary files and directories +such as those located under /run/, /tmp/, /var/tmp/, the API file +systems such as /sys/ or /proc/, as well as some other directories +below /var/. [1] + +On 2021-07-06, the sys-apps/opentmpfiles package was masked due to a +root privilege escalation vulnerability (CVE-2017-18925 [2], +bug #751415 [3], issue 4 [4] upstream). + +The use of opentmpfiles is discouraged by its maintainer due to the +unpatched vulnerability and other long-standing bugs [5]. + +Users will start seeing their package manager trying to replace +sys-apps/opentmpfiles with sys-apps/systemd-tmpfiles because it is +another provider of virtual/tmpfiles. + +Despite the name, 'systemd-tmpfiles' does not depend on systemd, does +not use dbus, and is just a drop-in replacement for opentmpfiles. It is +a small binary built from systemd source code, but works separately, +similarly to eudev or elogind. It is known to work on both glibc and +musl systems. + +Note that systemd-tmpfiles is specifically for non-systemd systems. It +is intended to be used on an OpenRC system. + +If you wish to selectively test systemd-tmpfiles, follow those steps: + + 1. # emerge --oneshot sys-apps/systemd-tmpfiles + 2. # reboot + 3. # rm /etc/runlevels/boot/opentmpfiles-setup + 4. # rm /etc/runlevels/sysinit/opentmpfiles-dev + +No other steps required. 
+ +If, after reviewing the linked bug reference for opentmpfiles, you feel +your system is not vulnerable/applicable to the attack described, you +can unmask [6] opentmpfiles at your own risk: + + 1. In /etc/portage/package.unmask, add a line: + -sys-apps/opentmpfiles- + 2. # emerge --oneshot sys-apps/opentmpfiles + +Note that opentmpfiles is likely to be removed from gentoo repository +in the future. + +[0] https://www.freedesktop.org/software/systemd/man/systemd-tmpfiles.html +[1] https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html +[2] https://nvd.nist.gov/vuln/detail/CVE-2017-18925 +[3] https://bugs.gentoo.org/751415 +[4] https://github.com/OpenRC/opentmpfiles/issues/4 +[5] https://bugs.gentoo.org/741216 +[6] https://wiki.gentoo.org/wiki/Knowledge_Base:Unmasking_a_package +
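Review bot: the test steps in this hunk are out of order: step 2 reboots before steps 3 and 4 remove the opentmpfiles runlevel entries, so that boot still references the old scripts (or dangling symlinks, once emerge has replaced the package); move the removals before the reboot and prefer `rc-update del opentmpfiles-setup boot` and `rc-update del opentmpfiles-dev sysinit` over `rm` on the symlinks under /etc/runlevels. The steps also never say how the systemd-tmpfiles init scripts get enabled in the boot and sysinit runlevels; if the ebuild does that automatically, state it, otherwise add the matching `rc-update add` step, since "No other steps required" is otherwise misleading. In the unmask section, the line `-sys-apps/opentmpfiles-` reads as a malformed entry for /etc/portage/package.unmask (leading and trailing `-`); confirm the intended atom. Minor wording: "follow those steps" should be "follow these steps", and "removed from gentoo repository" should be "removed from the Gentoo repository".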