From: Georgy Yakovlev
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] PSA: switching default tmpfiles virtual provider
Date: Wed, 25 Nov 2020 13:57:36 -0800
Message-ID: <20201125215736.c6w77snlm6ewk7vo@hydra>

Hi,

In case you don't know, opentmpfiles has an open CVE:

CVE-2017-18925: root privilege escalation by symlink attack
https://github.com/OpenRC/opentmpfiles/issues/4

It has been an issue for quite a while, reported 3 years ago, and not much has changed since.
Also it lacks any sort of testing, the master branch is in a non-working state at the time of writing, and the latest version is masked. [0]

Due to the nature of opentmpfiles (it's a POSIX sh script), it may be impossible to fix symlink handling and TOCTOU races.

As a consequence I'll be switching the default tmpfiles provider to sys-apps/systemd-tmpfiles by the end of the week by updating the virtual/tmpfiles ebuild.

Pros of systemd-tmpfiles:

0) Secure.
1) Reference implementation.
2) Supports all features, because ^.
3) Has working tests.
4) Has millions of users as part of systemd.
5) Upstream supports the standalone use case/build our ebuild uses. [1][2]
6) Drop-in replacement, just emerge and forget.

systemd-tmpfiles does not depend on any systemd-isms, does not need dbus, and is just a drop-in replacement; the only step needed is to emerge the package. It's a simple single binary + manpage; the binary links to libacl and a couple of other system libs.

Existing installations will not be affected, but OpenRC users are welcome to opt in by running 'emerge --oneshot systemd-tmpfiles'.

[0] https://bugs.gentoo.org/751739
[1] https://github.com/systemd/systemd/pull/16061
[2] https://github.com/systemd/systemd/pull/16061/commits/db64ba81c62afa0e0d3e95c4a3e1ec3dd9a471a4
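An added example, not code from the message above and not from opentmpfiles or systemd-tmpfiles, showing the failure mode the post refers to: a tmpfiles implementation that applies a mode by path name, as a shell script must with chmod(1), follows symlinks, whereas a compiled implementation can open each path component with O_NOFOLLOW and apply the mode to the resulting descriptor so that neither a symlink nor a rename between check and use redirects the operation. The directory and file names and the helper functions naive_set_mode, safe_set_mode and demo_symlink_attack are assumptions constructed for this demo; the scenario is a file the caller owns plus a symlink to it, standing in for a tmpfiles.d path that an unprivileged user has replaced. It runs unprivileged on Linux.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern a sh-based tmpfiles implementation is stuck with:
 * "chmod $mode $path". chmod(2) follows symlinks, so if $path has been
 * replaced by a symlink the mode lands on whatever the link points at. */
int naive_set_mode(const char *path, mode_t mode)
{
    return chmod(path, mode);
}

/* What a compiled implementation can do instead: open the path one
 * component at a time with O_NOFOLLOW and set the mode through the final
 * descriptor. A symlink at any component makes openat() fail with ELOOP,
 * and since the mode is applied to the fd rather than the name, swapping
 * the name between check and use gains the attacker nothing. */
int safe_set_mode(const char *path, mode_t mode)
{
    char *copy = strdup(path);
    if (!copy)
        return -1;
    int dirfd = open(path[0] == '/' ? "/" : ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) {
        free(copy);
        return -1;
    }
    char *save = NULL;
    char *comp = strtok_r(copy, "/", &save);
    while (comp) {
        char *next = strtok_r(NULL, "/", &save);
        int flags = O_RDONLY | O_NOFOLLOW | O_CLOEXEC;
        if (next)
            flags |= O_DIRECTORY;  /* intermediate component must be a real directory */
        int fd = openat(dirfd, comp, flags);
        int saved = errno;
        close(dirfd);
        if (fd < 0) {
            free(copy);
            errno = saved;         /* ELOOP when comp is a symlink */
            return -1;
        }
        if (!next) {
            int rc = fchmod(fd, mode);  /* operate on the descriptor, not the name */
            saved = errno;
            close(fd);
            free(copy);
            errno = saved;
            return rc;
        }
        dirfd = fd;
        comp = next;
    }
    close(dirfd);
    free(copy);
    errno = ENOENT;                /* empty path or "/" alone */
    return -1;
}

/* Constructed scenario (assumption, not from the original post). Returns 1
 * when the naive call changed the real file's mode while the hardened call
 * refused with ELOOP and left the mode untouched; 0 otherwise. */
int demo_symlink_attack(void)
{
    char dir[] = "tmpfiles-demo-XXXXXX";
    char target[64], lnk[64];
    struct stat st;
    int result = 0, fd, naive_followed, refused, untouched;

    if (!mkdtemp(dir))
        return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/victim", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto out;
    close(fd);
    if (symlink("target", lnk) < 0)
        goto out;

    /* naive: chmod on the link silently rewrites the real file's mode */
    if (naive_set_mode(lnk, 0666) < 0 || stat(target, &st) < 0)
        goto out;
    naive_followed = (st.st_mode & 07777) == 0666;

    /* reset, then hardened: refused, real file's mode unchanged */
    if (chmod(target, 0600) < 0)
        goto out;
    refused = (safe_set_mode(lnk, 0666) < 0 && errno == ELOOP);
    if (stat(target, &st) < 0)
        goto out;
    untouched = (st.st_mode & 07777) == 0600;
    result = naive_followed && refused && untouched;
out:
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("naive chmod follows the symlink, fd-based chmod refuses: %s\n",
           demo_symlink_attack() ? "yes" : "NO");
    return 0;
}
```

Build with `cc -Wall -o tmpfiles-demo tmpfiles-demo.c` and run it as an ordinary user. The final component is opened O_RDONLY here for brevity; a production implementation would open it O_PATH (so that a FIFO or device planted at the path cannot block or be touched) and apply the mode through /proc/self/fd, and would additionally check the owner of each intermediate directory, since a user-owned directory swapped out between two steps is the other half of the TOCTOU the post mentions. Either way the point stands: the defence is a per-component descriptor walk that no single chmod(1)/chown(1) invocation from a shell script can express.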