public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] [PATCH] 2021-07-07-systemd-tmpfiles: add news item
From: Georgy Yakovlev @ 2021-07-09  2:38 UTC
  To: gentoo-dev; +Cc: Georgy Yakovlev, Sam James

Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
---
 .../2021-07-07-systemd-tmpfiles.en.txt        | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt

diff --git a/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
new file mode 100644
index 0000000..0960663
--- /dev/null
+++ b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
@@ -0,0 +1,48 @@
+Title: systemd-tmpfiles replaces opentmpfiles due to security issues
+Author: Georgy Yakovlev <gyakovlev@gentoo.org>
+Author: Sam James <sam@gentoo.org>
+Posted: 2021-07-07
+Revision: 1
+News-Item-Format: 2.0
+Display-If-Installed: virtual/tmpfiles
+
+On 2021-07-06, the sys-apps/opentmpfiles package was masked due to a
+root privilege escalation vulnerability (CVE-2017-18925 [0],
+bug #751415 [1], issue 4 [2] upstream).
+
+The use of opentmpfiles is discouraged by its maintainer due to the
+unpatched vulnerability and other long-standing bugs [3].
+
+Users will start seeing their package manager trying to replace
+sys-apps/opentmpfiles with sys-apps/systemd-tmpfiles because it is
+another provider of virtual/tmpfiles.
+
+Despite the name, 'systemd-tmpfiles' does not depend on systemd, does
+not use dbus, and is just a drop-in replacement for opentmpfiles. It is
+a small binary built from systemd source code, but works separately,
+similarly to eudev or elogind. It is known to work on both glibc and
+musl systems.
+
+Note that systemd-tmpfiles is specifically for non-systemd systems. It
+is intended to be used on an OpenRC system.
+
+If you wish to selectively test systemd-tmpfiles, follow those steps:
+
+ 1. # emerge --oneshot sys-apps/systemd-tmpfiles
+ 2. # reboot
+
+No other steps required.
+
+If, after reviewing the linked bug reference for opentmpfiles, you feel
+your system is not vulnerable/applicable to the attack described, you
+can unmask[4] opentmpfiles at your own risk:
+
+1. In /etc/portage/package.unmask, add:
+-sys-apps/opentmpfiles
+2. # emerge --oneshot sys-apps/opentmpfiles
+
+[0] https://nvd.nist.gov/vuln/detail/CVE-2017-18925
+[1] https://bugs.gentoo.org/751415
+[2] https://github.com/OpenRC/opentmpfiles/issues/4
+[3] https://bugs.gentoo.org/741216
+[4] https://wiki.gentoo.org/wiki/Knowledge_Base:Unmasking_a_package
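Review bot: the unmask instruction at the end of the item does not do what the text says: in /etc/portage/package.unmask a leading '-' tells Portage to negate an earlier entry rather than add one, so '-sys-apps/opentmpfiles' leaves the package masked; the entry should be 'sys-apps/opentmpfiles'. 'Display-If-Installed: virtual/tmpfiles' also targets every provider of the virtual, so users who already run sys-apps/systemd-tmpfiles or systemd, for whom nothing in the body applies, would be shown the item; 'Display-If-Installed: sys-apps/opentmpfiles' matches the audience the body addresses. Minor: the title is 61 characters, over the 50-character limit for news item titles, and 'follow those steps' should read 'follow these steps'.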
-- 
2.32.0




* Re: [gentoo-dev] [PATCH] 2021-07-07-systemd-tmpfiles: add news item
From: William Hubbs @ 2021-07-09  2:49 UTC
  To: gentoo-dev


On Thu, Jul 08, 2021 at 07:38:05PM -0700, Georgy Yakovlev wrote:
> Signed-off-by: Sam James <sam@gentoo.org>
> Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
> ---
>  .../2021-07-07-systemd-tmpfiles.en.txt        | 48 +++++++++++++++++++
>  1 file changed, 48 insertions(+)
>  create mode 100644 2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
> 
> diff --git a/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
> new file mode 100644
> index 0000000..0960663
> --- /dev/null
> +++ b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
> @@ -0,0 +1,48 @@
> +Title: systemd-tmpfiles replaces opentmpfiles due to security issues
> +Author: Georgy Yakovlev <gyakovlev@gentoo.org>
> +Author: Sam James <sam@gentoo.org>
> +Posted: 2021-07-07
> +Revision: 1
> +News-Item-Format: 2.0
> +Display-If-Installed: virtual/tmpfiles

This should be:

Display-If-Installed: sys-apps/opentmpfiles

> +
> +On 2021-07-06, the sys-apps/opentmpfiles package was masked due to a
> +root privilege escalation vulnerability (CVE-2017-18925 [0],
> +bug #751415 [1], issue 4 [2] upstream).
> +
> +The use of opentmpfiles is discouraged by its maintainer due to the
> +unpatched vulnerability and other long-standing bugs [3].
> +
> +Users will start seeing their package manager trying to replace
> +sys-apps/opentmpfiles with sys-apps/systemd-tmpfiles because it is
> +another provider of virtual/tmpfiles.
> +
> +Despite the name, 'systemd-tmpfiles' does not depend on systemd, does
> +not use dbus, and is just a drop-in replacement for opentmpfiles. It is
> +a small binary built from systemd source code, but works separately,
> +similarly to eudev or elogind. It is known to work on both glibc and
> +musl systems.
> +
> +Note that systemd-tmpfiles is specifically for non-systemd systems. It
> +is intended to be used on an OpenRC system.
> +
> +If you wish to selectively test systemd-tmpfiles, follow those steps:
> +
> + 1. # emerge --oneshot sys-apps/systemd-tmpfiles
> + 2. # reboot
> +
> +No other steps required.
> +
> +If, after reviewing the linked bug reference for opentmpfiles, you feel
> +your system is not vulnerable/applicable to the attack described, you
> +can unmask[4] opentmpfiles at your own risk:
> +
> +1. In /etc/portage/package.unmask, add:
> +-sys-apps/opentmpfiles
> +2. # emerge --oneshot sys-apps/opentmpfiles

Something might need to be added cautioning folks that if they unmask
this, it may disappear on them in the future if we decide to remove it.

William

> +
> +[0] https://nvd.nist.gov/vuln/detail/CVE-2017-18925
> +[1] https://bugs.gentoo.org/751415
> +[2] https://github.com/OpenRC/opentmpfiles/issues/4
> +[3] https://bugs.gentoo.org/741216
> +[4] https://wiki.gentoo.org/wiki/Knowledge_Base:Unmasking_a_package
> -- 
> 2.32.0
> 
> 


* Re: [gentoo-dev] [PATCH] 2021-07-07-systemd-tmpfiles: add news item
From: Joonas Niilola @ 2021-07-09  4:04 UTC
  To: gentoo-dev



On 9.7.2021 5.49, William Hubbs wrote:

>> +Display-If-Installed: virtual/tmpfiles
> 
> This should be:
> 
> Display-If-Installed: sys-apps/opentmpfiles
> 

Disagree. Some people seem to be waking up to "oh no, what have I
installed?".

-- juippis



* Re: [gentoo-dev] [PATCH] 2021-07-07-systemd-tmpfiles: add news item
From: William Hubbs @ 2021-07-09  4:27 UTC
  To: gentoo-dev


On Fri, Jul 09, 2021 at 07:04:45AM +0300, Joonas Niilola wrote:
> On 9.7.2021 5.49, William Hubbs wrote:
> 
> >> +Display-If-Installed: virtual/tmpfiles
> > 
> > This should be:
> > 
> > Display-If-Installed: sys-apps/opentmpfiles
> > 
> 
> Disagree. Some people seem to be waking up into "oh no, what have I
> installed?".

systemd and systemd-tmpfiles are also providers of this virtual, so
people who have these installed don't need to see the newsitem.

William


* [gentoo-dev] [PATCH] 2021-07-07-systemd-tmpfiles: add news item
From: Georgy Yakovlev @ 2021-07-09  4:43 UTC
  To: gentoo-dev; +Cc: Georgy Yakovlev, Sam James

Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
---
 .../2021-07-07-systemd-tmpfiles.en.txt        | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt

diff --git a/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
new file mode 100644
index 0000000..e946c89
--- /dev/null
+++ b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
@@ -0,0 +1,64 @@
+Title: systemd-tmpfiles replaces opentmpfiles due to security issues
+Author: Georgy Yakovlev <gyakovlev@gentoo.org>
+Author: Sam James <sam@gentoo.org>
+Posted: 2021-07-07
+Revision: 1
+News-Item-Format: 2.0
+Display-If-Installed: sys-apps/opentmpfiles
+Display-If-Installed: sys-apps/systemd-tmpfiles
+
+A tmpfiles [0] implementation provides a generic mechanism to define
+the creation of regular files, directories, pipes, and device nodes,
+adjustments to their access mode, ownership, attributes, quota
+assignments, and contents, and finally their time-based removal.
+It is commonly used for volatile and temporary files and directories
+such as those located under /run/, /tmp/, /var/tmp/, the API file
+systems such as /sys/ or /proc/, as well as some other directories
+below /var/. [1]
+
+On 2021-07-06, the sys-apps/opentmpfiles package was masked due to a
+root privilege escalation vulnerability (CVE-2017-18925 [2],
+bug #751415 [3], issue 4 [4] upstream).
+
+The use of opentmpfiles is discouraged by its maintainer due to the
+unpatched vulnerability and other long-standing bugs [5].
+
+Users will start seeing their package manager trying to replace
+sys-apps/opentmpfiles with sys-apps/systemd-tmpfiles because it is
+another provider of virtual/tmpfiles.
+
+Despite the name, 'systemd-tmpfiles' does not depend on systemd, does
+not use dbus, and is just a drop-in replacement for opentmpfiles. It is
+a small binary built from systemd source code, but works separately,
+similarly to eudev or elogind. It is known to work on both glibc and
+musl systems.
+
+Note that systemd-tmpfiles is specifically for non-systemd systems. It
+is intended to be used on an OpenRC system.
+
+If you wish to selectively test systemd-tmpfiles, follow those steps:
+
+ 1. # emerge --oneshot sys-apps/systemd-tmpfiles
+ 2. # reboot
+
+No other steps required.
+
+If, after reviewing the linked bug reference for opentmpfiles, you feel
+your system is not vulnerable/applicable to the attack described, you
+can unmask [6] opentmpfiles at your own risk:
+
+ 1. In /etc/portage/package.unmask, add a line:
+ -sys-apps/opentmpfiles-
+ 2. # emerge --oneshot sys-apps/opentmpfiles
+
+Note that opentmpfiles is likely to be removed from gentoo repository
+in the future.
+
+[0] https://www.freedesktop.org/software/systemd/man/systemd-tmpfiles.html
+[1] https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
+[2] https://nvd.nist.gov/vuln/detail/CVE-2017-18925
+[3] https://bugs.gentoo.org/751415
+[4] https://github.com/OpenRC/opentmpfiles/issues/4
+[5] https://bugs.gentoo.org/741216
+[6] https://wiki.gentoo.org/wiki/Knowledge_Base:Unmasking_a_package
+
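Review bot: the unmask entry '-sys-apps/opentmpfiles-' in the package.unmask step is wrong in two ways: the leading '-' makes Portage negate an earlier entry instead of adding one, and the trailing '-' turns the atom into a different, nonexistent package name, so a user following the step stays masked; the line should be 'sys-apps/opentmpfiles'. The title is still 61 characters, over the 50-character limit for news item titles, and 'gentoo repository' should be 'the Gentoo repository'. The second Display-If-Installed line is fine: it reaches users whose package manager already swapped in sys-apps/systemd-tmpfiles, which is exactly who the 'Users will start seeing...' paragraph is written for.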
-- 
2.32.0




* Re: [gentoo-dev] [PATCH] 2021-07-07-systemd-tmpfiles: add news item
From: Tomas Mozes @ 2021-07-09  6:50 UTC
  To: gentoo development


On Fri, Jul 9, 2021 at 4:38 AM Georgy Yakovlev <gyakovlev@gentoo.org> wrote:

> Signed-off-by: Sam James <sam@gentoo.org>
> Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
> ---
>  .../2021-07-07-systemd-tmpfiles.en.txt        | 48 +++++++++++++++++++
>  1 file changed, 48 insertions(+)
>  create mode 100644
> 2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
>
> diff --git
> a/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
> b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
> new file mode 100644
> index 0000000..0960663
> --- /dev/null
> +++ b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
> @@ -0,0 +1,48 @@
> +Title: systemd-tmpfiles replaces opentmpfiles due to security issues
> +Author: Georgy Yakovlev <gyakovlev@gentoo.org>
> +Author: Sam James <sam@gentoo.org>
> +Posted: 2021-07-07
> +Revision: 1
> +News-Item-Format: 2.0
> +Display-If-Installed: virtual/tmpfiles
> +
> +On 2021-07-06, the sys-apps/opentmpfiles package was masked due to a
> +root privilege escalation vulnerability (CVE-2017-18925 [0],
> +bug #751415 [1], issue 4 [2] upstream).
> +
> +The use of opentmpfiles is discouraged by its maintainer due to the
> +unpatched vulnerability and other long-standing bugs [3].
> +
> +Users will start seeing their package manager trying to replace
> +sys-apps/opentmpfiles with sys-apps/systemd-tmpfiles because it is
> +another provider of virtual/tmpfiles.
> +
> +Despite the name, 'systemd-tmpfiles' does not depend on systemd, does
> +not use dbus, and is just a drop-in replacement for opentmpfiles. It is
> +a small binary built from systemd source code, but works separately,
> +similarly to eudev or elogind. It is known to work on both glibc and
> +musl systems.
> +
> +Note that systemd-tmpfiles is specifically for non-systemd systems. It
> +is intended to be used on an OpenRC system.
> +
> +If you wish to selectively test systemd-tmpfiles, follow those steps:
> +
> + 1. # emerge --oneshot sys-apps/systemd-tmpfiles
> + 2. # reboot
> +
> +No other steps required.
> +
> +If, after reviewing the linked bug reference for opentmpfiles, you feel
> +your system is not vulnerable/applicable to the attack described, you
> +can unmask[4] opentmpfiles at your own risk:
> +
> +1. In /etc/portage/package.unmask, add:
> +-sys-apps/opentmpfiles
> +2. # emerge --oneshot sys-apps/opentmpfiles
> +
> +[0] https://nvd.nist.gov/vuln/detail/CVE-2017-18925
> +[1] https://bugs.gentoo.org/751415
> +[2] https://github.com/OpenRC/opentmpfiles/issues/4
> +[3] https://bugs.gentoo.org/741216
> +[4] https://wiki.gentoo.org/wiki/Knowledge_Base:Unmasking_a_package
> --
> 2.32.0
>
>
>
Plus maybe removing these dead symlinks:
/etc/runlevels/boot/opentmpfiles-setup
/etc/runlevels/sysinit/opentmpfiles-dev
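The dead symlinks Tomas points out above are what the following POSIX sh check looks for; it is an added example and not code from the thread or from the news item. The optional ROOT argument is an assumed convenience for running it against a scratch tree rather than the live system.

```shell
#!/bin/sh
# Added example, not code from the thread or the news item: find (and
# optionally remove) OpenRC runlevel symlinks whose init script no longer
# exists, which is what /etc/runlevels/boot/opentmpfiles-setup and
# /etc/runlevels/sysinit/opentmpfiles-dev become once sys-apps/opentmpfiles
# has been replaced by sys-apps/systemd-tmpfiles. The optional ROOT argument
# is an assumed convenience so the check can run against a scratch tree.

# Print every dangling symlink below ROOT/etc/runlevels/*/, one per line.
list_dead_runlevel_links() {
    root="${1:-}"
    for link in "$root"/etc/runlevels/*/*; do
        # Skip anything that is not a symlink, including the unexpanded
        # glob pattern left behind when a runlevel directory is empty.
        [ -L "$link" ] || continue
        # -e follows the link, so it fails exactly when the target is gone.
        [ -e "$link" ] || printf '%s\n' "$link"
    done
}

# Remove the dangling links and print each path removed. Only symlinks that
# already fail the check above are touched; live services are left alone.
remove_dead_runlevel_links() {
    root="${1:-}"
    list_dead_runlevel_links "$root" | while IFS= read -r link; do
        rm -f -- "$link" && printf 'removed %s\n' "$link"
    done
}
```

Run list_dead_runlevel_links first and inspect its output before calling remove_dead_runlevel_links; on a live system both are invoked without an argument.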


* Re: [gentoo-dev] [PATCH] 2021-07-07-systemd-tmpfiles: add news item
From: Michał Górny @ 2021-07-09  7:11 UTC
  To: gentoo-dev; +Cc: Georgy Yakovlev, Sam James

On Thu, 2021-07-08 at 21:43 -0700, Georgy Yakovlev wrote:
> Signed-off-by: Sam James <sam@gentoo.org>
> Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
> ---
>  .../2021-07-07-systemd-tmpfiles.en.txt        | 64 +++++++++++++++++++
>  1 file changed, 64 insertions(+)
>  create mode 100644 2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
> 
> diff --git a/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
> new file mode 100644
> index 0000000..e946c89
> --- /dev/null
> +++ b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
> @@ -0,0 +1,64 @@
> +Title: systemd-tmpfiles replaces opentmpfiles due to security issues
> +Author: Georgy Yakovlev <gyakovlev@gentoo.org>
> +Author: Sam James <sam@gentoo.org>
> +Posted: 2021-07-07
> +Revision: 1
> +News-Item-Format: 2.0
> +Display-If-Installed: sys-apps/opentmpfiles
> +Display-If-Installed: sys-apps/systemd-tmpfiles
> +
> +A tmpfiles [0] implementation provides a generic mechanism to define
> +the creation of regular files, directories, pipes, and device nodes,
> +adjustments to their access mode, ownership, attributes, quota
> +assignments, and contents, and finally their time-based removal.
> +It is commonly used for volatile and temporary files and directories
> +such as those located under /run/, /tmp/, /var/tmp/, the API file
> +systems such as /sys/ or /proc/, as well as some other directories
> +below /var/. [1]
> +
> +On 2021-07-06, the sys-apps/opentmpfiles package was masked due to a
> +root privilege escalation vulnerability (CVE-2017-18925 [2],
> +bug #751415 [3], issue 4 [4] upstream).
> +
> +The use of opentmpfiles is discouraged by its maintainer due to the
> +unpatched vulnerability and other long-standing bugs [5].
> +
> +Users will start seeing their package manager trying to replace
> +sys-apps/opentmpfiles with sys-apps/systemd-tmpfiles because it is
> +another provider of virtual/tmpfiles.
> +
> +Despite the name, 'systemd-tmpfiles' does not depend on systemd, does
> +not use dbus, and is just a drop-in replacement for opentmpfiles. It is
> +a small binary built from systemd source code, but works separately,
> +similarly to eudev or elogind. It is known to work on both glibc and
> +musl systems.
> +
> +Note that systemd-tmpfiles is specifically for non-systemd systems. It
> +is intended to be used on an OpenRC system.

Maybe it'd be worth adding a sentence that systemd itself provides
the utility on systemd systems.

-- 
Best regards,
Michał Górny





* Re: [gentoo-dev] [PATCH] 2021-07-07-systemd-tmpfiles: add news item
From: Georgy Yakovlev @ 2021-07-09  8:28 UTC
  To: Michał Górny; +Cc: gentoo-dev, Sam James


On 09.07.2021 09:11, Michał Górny wrote:
> On Thu, 2021-07-08 at 21:43 -0700, Georgy Yakovlev wrote:
> > Signed-off-by: Sam James <sam@gentoo.org>
> > Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
> > ---
> >  .../2021-07-07-systemd-tmpfiles.en.txt        | 64 +++++++++++++++++++
> >  1 file changed, 64 insertions(+)
> >  create mode 100644 2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
> > 
> > diff --git a/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
> > new file mode 100644
> > index 0000000..e946c89
> > --- /dev/null
> > +++ b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
... snip
> > +Note that systemd-tmpfiles is specifically for non-systemd systems. It
> > +is intended to be used on an OpenRC system.
> 
> Maybe it'd be worth adding a sentence that systemd itself provides
> the utility on systemd systems.

Already pushed as is. It should not be shown to systemd users anyway, so
no big loss.

-- 
Best regards,
Georgy


* Re: [gentoo-dev] [PATCH] 2021-07-07-systemd-tmpfiles: add news item
From: Georgy Yakovlev @ 2021-07-09  8:29 UTC
  To: gentoo-dev


On 09.07.2021 08:50, Tomas Mozes wrote:
> On Fri, Jul 9, 2021 at 4:38 AM Georgy Yakovlev <gyakovlev@gentoo.org> wrote:
> 
> > Signed-off-by: Sam James <sam@gentoo.org>
> > Signed-off-by: Georgy Yakovlev <gyakovlev@gentoo.org>
> > ---
> >  .../2021-07-07-systemd-tmpfiles.en.txt        | 48 +++++++++++++++++++
> >  1 file changed, 48 insertions(+)
> >  create mode 100644
> > 2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
> >
> > diff --git
> > a/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
> > b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
> > new file mode 100644
> > index 0000000..0960663
> > --- /dev/null
> > +++ b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
...snip
> > +
> > + 1. # emerge --oneshot sys-apps/systemd-tmpfiles
> > + 2. # reboot
> > +
> > +No other steps required.
> > +
...snip
> Plus maybe removing these dead symlinks:
> /etc/runlevels/boot/opentmpfiles-setup
> /etc/runlevels/sysinit/opentmpfiles-dev

added, thanks.

-- 
Best regards,
Georgy


* Re: [gentoo-dev] [PATCH] 2021-07-07-systemd-tmpfiles: add news item
From: Ulrich Mueller @ 2021-07-09 11:33 UTC
  To: Georgy Yakovlev; +Cc: gentoo-dev, Sam James


>>>>> On Fri, 09 Jul 2021, Georgy Yakovlev wrote:

> +Title: systemd-tmpfiles replaces opentmpfiles due to security issues

Title is way too long; a maximum of 50 characters is allowed.


* Re: [gentoo-dev] [PATCH] 2021-07-07-systemd-tmpfiles: add news item
From: Ulrich Mueller @ 2021-07-09 11:57 UTC
  To: Georgy Yakovlev; +Cc: Michał Górny, gentoo-dev, Sam James, pr


>>>>> On Fri, 09 Jul 2021, Georgy Yakovlev wrote:

> Already pushed as is.

So as far as I can see, you've posted it for review at 02:38:05 today,
and pushed it at 08:25:55?

That is less than the 72 hours mandated by GLEP 42, so definitely
not OK. That pr@ wasn't CCed isn't helpful either.

Ulrich


* Re: [gentoo-dev] [PATCH] 2021-07-07-systemd-tmpfiles: add news item
From: Georgy Yakovlev @ 2021-07-09 17:07 UTC
  To: Ulrich Mueller; +Cc: Michał Górny, gentoo-dev, Sam James, pr


On 09.07.2021 13:57, Ulrich Mueller wrote:
> >>>>> On Fri, 09 Jul 2021, Georgy Yakovlev wrote:
> 
> > Already pushed as is.
> 
> So as far as I can see, you've posted it for review at 02:38:05 today,
> and pushed it at 08:25:55?
> 
> That is less than the 72 hours mandated by GLEP 42, so definitely
> not OK. That pr@ wasn't CCed isn't helpful either.
> 
> Ulrich

Sorry about not CC-ing and making the title longer than 50.

But sure, let's revert and wait 3 days instead of sending an explanation
to users who may need it now.
Let's wait till more topics are created on the forums, and let our IRC
support guys do more work explaining it to people.

Makes sense.

-- 
Best regards,
Georgy


* [gentoo-dev] [PATCH] 2021-07-07-systemd-tmpfiles: restore news item
From: Georgy Yakovlev @ 2021-07-09 19:22 UTC
  To: gentoo-dev; +Cc: pr, Georgy Yakovlev

This reverts commit a93dbc1701de3b983c6f791391f7967d4b919b4a
and addresses some feedback items.
---
 .../2021-07-07-systemd-tmpfiles.en.txt        | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt

diff --git a/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
new file mode 100644
index 0000000..7167985
--- /dev/null
+++ b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt
@@ -0,0 +1,66 @@
+Title: opentmpfiles deprecation
+Author: Georgy Yakovlev <gyakovlev@gentoo.org>
+Author: Sam James <sam@gentoo.org>
+Posted: 2021-07-09
+Revision: 2
+News-Item-Format: 2.0
+Display-If-Installed: sys-apps/opentmpfiles
+Display-If-Installed: sys-apps/systemd-tmpfiles
+
+A tmpfiles [0] implementation provides a generic mechanism to define
+the creation of regular files, directories, pipes, and device nodes,
+adjustments to their access mode, ownership, attributes, quota
+assignments, and contents, and finally their time-based removal.
+It is commonly used for volatile and temporary files and directories
+such as those located under /run/, /tmp/, /var/tmp/, the API file
+systems such as /sys/ or /proc/, as well as some other directories
+below /var/. [1]
+
+On 2021-07-06, the sys-apps/opentmpfiles package was masked due to a
+root privilege escalation vulnerability (CVE-2017-18925 [2],
+bug #751415 [3], issue 4 [4] upstream).
+
+The use of opentmpfiles is discouraged by its maintainer due to the
+unpatched vulnerability and other long-standing bugs [5].
+
+Users will start seeing their package manager trying to replace
+sys-apps/opentmpfiles with sys-apps/systemd-tmpfiles because it is
+another provider of virtual/tmpfiles.
+
+Despite the name, 'systemd-tmpfiles' does not depend on systemd, does
+not use dbus, and is just a drop-in replacement for opentmpfiles. It is
+a small binary built from systemd source code, but works separately,
+similarly to eudev or elogind. It is known to work on both glibc and
+musl systems.
+
+Note that systemd-tmpfiles is specifically for non-systemd systems. It
+is intended to be used on an OpenRC system.
+
+If you wish to selectively test systemd-tmpfiles, follow those steps:
+
+ 1. # emerge --oneshot sys-apps/systemd-tmpfiles
+ 2. # reboot
+ 3. # rm /etc/runlevels/boot/opentmpfiles-setup
+ 4. # rm /etc/runlevels/sysinit/opentmpfiles-dev
+
+No other steps required.
+
+If, after reviewing the linked bug reference for opentmpfiles, you feel
+your system is not vulnerable/applicable to the attack described, you
+can unmask [6] opentmpfiles at your own risk:
+
+ 1. In /etc/portage/package.unmask, add a line:
+ -sys-apps/opentmpfiles-
+ 2. # emerge --oneshot sys-apps/opentmpfiles
+
+Note that opentmpfiles is likely to be removed from gentoo repository
+in the future.
+
+[0] https://www.freedesktop.org/software/systemd/man/systemd-tmpfiles.html
+[1] https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
+[2] https://nvd.nist.gov/vuln/detail/CVE-2017-18925
+[3] https://bugs.gentoo.org/751415
+[4] https://github.com/OpenRC/opentmpfiles/issues/4
+[5] https://archives.gentoo.org/gentoo-dev/message/bce91b9d37db0b1e0980eb923a8607c9
+[6] https://wiki.gentoo.org/wiki/Knowledge_Base:Unmasking_a_package
+
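Review bot: the unmask entry '-sys-apps/opentmpfiles-' in the package.unmask step is still malformed; as written it does not lift the mask (the leading '-' negates an earlier entry and the trailing '-' changes the package name), and the line should read 'sys-apps/opentmpfiles'. Posted: is now 2021-07-09 while the directory and file keep the 2021-07-07 name; the date in a news item's name is its posting date, so both should be renamed to 2021-07-09-systemd-tmpfiles. In the test procedure, steps 3 and 4 delete the stale runlevel symlinks only after the reboot in step 2; running the two rm commands before rebooting avoids one boot with dangling service entries, and 'No other steps required' then reads naturally after the four steps.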
-- 
2.32.0




* [gentoo-dev] [PATCH] 2021-07-09-systemd-tmpfiles: re-add news item
From: Georgy Yakovlev @ 2021-07-09 19:39 UTC
  To: gentoo-dev; +Cc: pr, Georgy Yakovlev

This reverts commit a93dbc1701de3b983c6f791391f7967d4b919b4a
and addresses some feedback items.
---
 .../2021-07-09-systemd-tmpfiles.en.txt        | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 2021-07-09-systemd-tmpfiles/2021-07-09-systemd-tmpfiles.en.txt

diff --git a/2021-07-09-systemd-tmpfiles/2021-07-09-systemd-tmpfiles.en.txt b/2021-07-09-systemd-tmpfiles/2021-07-09-systemd-tmpfiles.en.txt
new file mode 100644
index 0000000..e902a3b
--- /dev/null
+++ b/2021-07-09-systemd-tmpfiles/2021-07-09-systemd-tmpfiles.en.txt
@@ -0,0 +1,66 @@
+Title: opentmpfiles deprecation
+Author: Georgy Yakovlev <gyakovlev@gentoo.org>
+Author: Sam James <sam@gentoo.org>
+Posted: 2021-07-09
+Revision: 2
+News-Item-Format: 2.0
+Display-If-Installed: sys-apps/opentmpfiles
+Display-If-Installed: sys-apps/systemd-tmpfiles
+
+A tmpfiles [0] implementation provides a generic mechanism to define
+the creation of regular files, directories, pipes, and device nodes,
+adjustments to their access mode, ownership, attributes, quota
+assignments, and contents, and finally their time-based removal.
+It is commonly used for volatile and temporary files and directories
+such as those located under /run/, /tmp/, /var/tmp/, the API file
+systems such as /sys/ or /proc/, as well as some other directories
+below /var/. [1]
+
+On 2021-07-06, the sys-apps/opentmpfiles package was masked due to a
+root privilege escalation vulnerability (CVE-2017-18925 [2],
+bug #751415 [3], issue 4 [4] upstream).
+
+The use of opentmpfiles is discouraged by its maintainer due to the
+unpatched vulnerability and other long-standing bugs [5].
+
+Users will start seeing their package manager trying to replace
+sys-apps/opentmpfiles with sys-apps/systemd-tmpfiles because it is
+another provider of virtual/tmpfiles.
+
+Despite the name, 'systemd-tmpfiles' does not depend on systemd, does
+not use dbus, and is just a drop-in replacement for opentmpfiles. It is
+a small binary built from systemd source code, but works separately,
+similarly to eudev or elogind. It is known to work on both glibc and
+musl systems.
+
+Note that systemd-tmpfiles is specifically for non-systemd systems. It
+is intended to be used on an OpenRC system.
+
+If you wish to selectively test systemd-tmpfiles, follow those steps:
+
+ 1. # emerge --oneshot sys-apps/systemd-tmpfiles
+ 2. # reboot
+ 3. # rm /etc/runlevels/boot/opentmpfiles-setup
+ 4. # rm /etc/runlevels/sysinit/opentmpfiles-dev
+
+No other steps required.
+
+If, after reviewing the linked bug reference for opentmpfiles, you feel
+your system is not vulnerable/applicable to the attack described, you
+can unmask [6] opentmpfiles at your own risk:
+
+ 1. In /etc/portage/package.unmask, add a line:
+ sys-apps/opentmpfiles
+ 2. # emerge --oneshot sys-apps/opentmpfiles
+
+Note that opentmpfiles is likely to be removed from gentoo repository
+in the future.
+
+[0] https://www.freedesktop.org/software/systemd/man/systemd-tmpfiles.html
+[1] https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
+[2] https://nvd.nist.gov/vuln/detail/CVE-2017-18925
+[3] https://bugs.gentoo.org/751415
+[4] https://github.com/OpenRC/opentmpfiles/issues/4
+[5] https://archives.gentoo.org/gentoo-dev/message/bce91b9d37db0b1e0980eb923a8607c9
+[6] https://wiki.gentoo.org/wiki/Knowledge_Base:Unmasking_a_package
+
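Review bot: in the selective-test steps, the opentmpfiles runlevel entries are removed (steps 3 and 4) only after the reboot in step 2, so the opentmpfiles scripts are still enabled on that first boot; consider moving the removal before the reboot and using the supported tool, `rc-update del opentmpfiles-setup boot` and `rc-update del opentmpfiles-dev sysinit`, rather than rm on the runlevel symlinks. The opening paragraph states that the package was masked "due to a root privilege escalation vulnerability"; later in this thread the Security team disputes that this was the reason for the mask, so that wording should be confirmed with them before the item is committed. Minor wording: "follow those steps" should read "follow these steps", and "removed from gentoo repository" should read "removed from the Gentoo repository".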
-- 
2.32.0




* Re: [gentoo-dev] [PATCH] 2021-07-09-systemd-tmpfiles: re-add news item
  2021-07-09 19:39 ` [gentoo-dev] [PATCH] 2021-07-09-systemd-tmpfiles: re-add " Georgy Yakovlev
@ 2021-07-11 13:53   ` Thomas Deutschmann
  2021-07-11 16:50     ` William Hubbs
                       ` (2 more replies)
  0 siblings, 3 replies; 21+ messages in thread
From: Thomas Deutschmann @ 2021-07-11 13:53 UTC (permalink / raw
  To: gentoo-dev; +Cc: pr



Hi,

TL;DR:

Given that William has said in the meantime that he sees no future for 
opentmpfiles [1], and that nobody else, including me, is interested in 
stepping up, things have changed.

Please start the normal last-rites process and, please please please, 
rephrase the news item: do not tell the world that opentmpfiles has been 
masked due to the reported vulnerability, because this would be wrong.

----

The package was masked due to a miscommunication with the Gentoo 
Security project.

While it is true that the way opentmpfiles is currently implemented 
allows for certain races, from the security point of view you always 
have to classify the vulnerability in the context of your threat model, 
because security depends on multiple layers (onion model).

First, we have to take tmpfiles.d specifications into account:

By default, the opentmpfiles service only reads from certain locations 
(for example /usr/lib/tmpfiles.d); all of these locations are only 
writable by the root user by default, which makes it impossible for an 
attacker to create a controllable exploit.

Furthermore, tmpfiles.d settings are only intended for the creation, 
deletion and cleaning of volatile and temporary files. Any package that
installs tmpfiles.d settings which create files in persistent 
locations should be treated as having a bug in the package itself (for
Gentoo packagers, for example, we have the keepdir [3] function).

The same is true for packages installing tmpfiles.d settings which 
create volatile and temporary directories in user-writable locations;
this is usually treated as a weak file permission vulnerability in 
the package, similar to world-writable PID files, config files, log
locations etc.

Despite all the outlined prerequisites, an attacker would still need 
to convince the system administrator to restart a boot service, which is
very uncommon, and even OpenRC warns against doing something like that.

opentmpfiles specifically starts before any other services, so a 
compromised daemon is not capable of injecting a malicious symlink 
before startup:

> $ /lib/rc/bin/rc-depend opentmpfiles-setup
> sysfs devfs udev udev-trigger hwclock modules fsck root localmount opentmpfiles-setup

Finally, in Gentoo Linux, like in many other distributions, from a
security point of view we assume certain preconditions, like running
with "fs.protected_symlinks" and "fs.protected_hardlinks" enabled by
default since baselayout-2.7 [4], which largely mitigates symlink attacks.

(These sysctls don't affect CVE-2017-18925, but they do affect
the other reported opentmpfiles CVEs, and it's worth mentioning
them as examples of configuration we have to assume.)

Therefore, Gentoo's Security project does not believe that it is 
required to mask this package in Gentoo Linux for security reasons, 
because our classification from 2017 has not changed and we usually do 
not mask any package with flaws which cannot be exploited in the default 
configuration and would require discouraged settings like a disabled
fs.protected_symlinks feature, or adjusting e.g. OpenRC's 
runlevels/configuration in an unsupported way.

Thank you.


See also:
=========
[1] https://archives.gentoo.org/gentoo-dev/message/bce91b9d37db0b1e0980eb923a8607c9

[2] https://www.gentoo.org/support/security/vulnerability-treatment-policy.html

[3] https://devmanual.gentoo.org/function-reference/install-functions/

[4] https://bugs.gentoo.org/704914


-- 
Regards,
Thomas Deutschmann / Gentoo Security Team
fpr: C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
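The weak-permission pattern described above (tmpfiles.d entries that place files under user-writable locations, or that grant world write without the sticky-bit layout of /tmp) can be checked mechanically before a package ships its tmpfiles.d fragment. The following audit is an added example, not code from this thread or from either tmpfiles implementation; the prefix list of user-writable directories is an assumption and the sample entries are constructed.

```python
import stat
from collections import namedtuple
from typing import List, Optional

# Assumption: locations an unprivileged local user can write to; an entry that
# creates or adjusts a path below them is the weak-permission pattern described.
USER_WRITABLE_PREFIXES = ("/tmp", "/var/tmp", "/dev/shm")
DIR_TYPES = "dDvqQ"  # tmpfiles.d types that create directories or subvolumes
# Field order of a tmpfiles.d line: Type Path Mode User Group Age Argument
Entry = namedtuple("Entry", "type path mode user group age argument")

def parse_line(line: str) -> Optional[Entry]:
    """Parse one tmpfiles.d line; comments and blank lines yield None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 6)  # the Argument field may itself contain spaces
    fields += [None] * (7 - len(fields))
    return Entry(*[None if f in (None, "-") else f for f in fields])  # '-' = default

def mode_bits(mode: Optional[str]) -> Optional[int]:
    """Octal Mode field as int; the '~' (mask) and ':' (only-if-new) prefixes are dropped."""
    if mode is None:
        return None
    try:
        return int(mode.lstrip("~:"), 8)
    except ValueError:
        return None

def audit(lines: List[str]) -> List[str]:
    """Return one finding per entry a packager should review."""
    findings = []
    for n, raw in enumerate(lines, 1):
        e = parse_line(raw)
        if e is None or e.path is None:  # skip comments, blanks and malformed lines
            continue
        if any(e.path == p or e.path.startswith(p + "/") for p in USER_WRITABLE_PREFIXES):
            findings.append(f"line {n}: {e.type} {e.path}: path under a user-writable directory")
        bits = mode_bits(e.mode)
        if bits is not None and bits & stat.S_IWOTH:
            # a sticky, world-writable directory (1777) is the normal /tmp-style layout
            if not (e.type[0] in DIR_TYPES and bits & stat.S_ISVTX):
                findings.append(f"line {n}: {e.type} {e.path}: world-writable mode {e.mode}")
    return findings

# Constructed sample tmpfiles.d content, not taken from any real package.
SAMPLE = """\
d /run/myservice 0755 myservice myservice -
d /tmp/.X11-unix 1777 root root 10d
f /var/log/myservice.log 0666 root root -
L /tmp/myservice.sock - - - - /run/myservice/sock
d /var/tmp/myservice 0700 myservice myservice -
"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE.splitlines())))
```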




* Re: [gentoo-dev] [PATCH] 2021-07-09-systemd-tmpfiles: re-add news item
  2021-07-11 13:53   ` Thomas Deutschmann
@ 2021-07-11 16:50     ` William Hubbs
  2021-07-12 14:42     ` Michael Orlitzky
  2021-07-13 22:04     ` Andreas K. Huettel
  2 siblings, 0 replies; 21+ messages in thread
From: William Hubbs @ 2021-07-11 16:50 UTC (permalink / raw
  To: gentoo-dev; +Cc: pr


On Sun, Jul 11, 2021 at 03:53:31PM +0200, Thomas Deutschmann wrote:
> Hi,
> 
> TL;DR:
> 
> Given that William said in the meanwhile, he sees no future for 
> opentmpfiles [1] and that nobody else, including me, is interested in 
> stepping up, things have changed.

Add this reference as well if you want, everyone upstream seems to agree
that opentmpfiles doesn't have a future.

https://github.com/OpenRC/opentmpfiles/issues/19

William



* Re: [gentoo-dev] [PATCH] 2021-07-09-systemd-tmpfiles: re-add news item
  2021-07-11 13:53   ` Thomas Deutschmann
  2021-07-11 16:50     ` William Hubbs
@ 2021-07-12 14:42     ` Michael Orlitzky
  2021-07-13 22:04     ` Andreas K. Huettel
  2 siblings, 0 replies; 21+ messages in thread
From: Michael Orlitzky @ 2021-07-12 14:42 UTC (permalink / raw
  To: gentoo-dev

On Sun, 2021-07-11 at 15:53 +0200, Thomas Deutschmann wrote:
> 
> Furthermore, tmpfiles.d settings are only supposed for creation, 
> deletion and cleaning of volatile and temporary files. Any package which
> will install tmpfiles.d settings which will create files in persistent 
> locations should be treated like a bug in the package itself (for Gentoo
> packagers for example we have keepdir [3] function).

Not crucial to your main point, but packages that use keepdir under
/var/cache (which is persistent) get prodded to use tmpfiles instead:

  https://bugs.gentoo.org/692736





* Re: [gentoo-dev] [PATCH] 2021-07-09-systemd-tmpfiles: re-add news item
  2021-07-11 13:53   ` Thomas Deutschmann
  2021-07-11 16:50     ` William Hubbs
  2021-07-12 14:42     ` Michael Orlitzky
@ 2021-07-13 22:04     ` Andreas K. Huettel
  2021-07-14  0:28       ` Aaron Bauman
  2 siblings, 1 reply; 21+ messages in thread
From: Andreas K. Huettel @ 2021-07-13 22:04 UTC (permalink / raw
  To: gentoo-dev; +Cc: pr, Thomas Deutschmann


<snip>
> The package was masked due to a miscommunication with the Gentoo 
> Security project.
> 
> While it is true that the way opentmpfiles is currently implemented 
> allows for certain races, from the security point of view, you always 
> have to classify the vulnerability in context of your threat model 
> because security depends on multiple layers (onion model).
<snip>

I would like to respectfully point out that this makes 

1) either the severity assignment of this bug by the Security project as B1 wrong (i.e. it should have been classified "harmless")

2) or the entire classification of severity levels according to the Security project pointless (i.e. you can't base any actions on them because a mystery onion needs to be taken into account).

https://www.gentoo.org/support/security/vulnerability-treatment-policy.html

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer
(council, toolchain, base-system, perl, libreoffice)



* Re: [gentoo-dev] [PATCH] 2021-07-09-systemd-tmpfiles: re-add news item
  2021-07-13 22:04     ` Andreas K. Huettel
@ 2021-07-14  0:28       ` Aaron Bauman
  2021-07-14  8:49         ` Andreas K. Huettel
  0 siblings, 1 reply; 21+ messages in thread
From: Aaron Bauman @ 2021-07-14  0:28 UTC (permalink / raw
  To: gentoo-dev; +Cc: pr, Thomas Deutschmann


On Wed, Jul 14, 2021 at 12:04:34AM +0200, Andreas K. Huettel wrote:
> <snip>
> > The package was masked due to a miscommunication with the Gentoo 
> > Security project.
> > 
> > While it is true that the way opentmpfiles is currently implemented 
> > allows for certain races, from the security point of view, you always 
> > have to classify the vulnerability in context of your threat model 
> > because security depends on multiple layers (onion model).
> <snip>
> 
> I would like to respectfully point out that this makes 
> 
> 1) either the severity assignment of this bug by the Security project as B1 wrong (i.e. it should have been classified "harmless")
>

The Gentoo model is not perfect and should be overhauled. However, it
works for most things and sometimes bugs fall between the cracks.

The package shouldn't have been masked either based on a bug that was
purposely ignored for many years simply because they want to disband the
package now and found a "security reason" to add to the mask.

> 2) or the entire classification of severity levels according to the Security project pointless (i.e. you can't base any actions on them because a mystery onion needs to be taken into account).
> 

I am not sure if this is sarcasm, but every bug must be considered
through the correct aperture. That is, based on your environment,
protections in place, defense in depth, and other buzzwords... hence the
onion analogy.

-Aaron



* Re: [gentoo-dev] [PATCH] 2021-07-09-systemd-tmpfiles: re-add news item
  2021-07-14  0:28       ` Aaron Bauman
@ 2021-07-14  8:49         ` Andreas K. Huettel
  2021-07-14 14:23           ` Aaron Bauman
  0 siblings, 1 reply; 21+ messages in thread
From: Andreas K. Huettel @ 2021-07-14  8:49 UTC (permalink / raw
  To: gentoo-dev; +Cc: pr, Thomas Deutschmann, Aaron Bauman


> > 
> > 1) either the severity assignment of this bug by the Security project as B1 wrong (i.e. it should have been classified "harmless")
> >
> 
> The Gentoo model is not perfect and should be overhauled. However, it
> works for most things and sometimes bugs fall between the cracks.
> 
> The package shouldn't have been masked either based on a bug that was
> purposely ignored for many years simply because they want to disband the
> package now and found a "security reason" to add to the mask.

Well, over the last year or so, every 2-3 months the (uninformed) discussion came up, "don't use openrc stages because you are automatically rooted". That leaves a rather bad impression of Gentoo, independent of whether it is true or not. If no one from the sec team noticed the discussions...

> > 2) or the entire classification of severity levels according to the Security project pointless (i.e. you can't base any actions on them because a mystery onion needs to be taken into account).
> > 
> 
> I am not sure if this is sarcasm, but every bug must be considered
> through the correct aperture. That is, based on your environment,
> protections in place, defense in depth, and other buzzwords... hence the
> onion analogy.

It's not sarcasm. The point of the classification is to give clear rules (why else would you list, e.g., required response times on the vulnerability treatment page (no matter how illusory they are)).

If you don't take all factors into account when *making* the classification, then all the gain you have from the classification is lost.



-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer
(council, toolchain, base-system, perl, libreoffice)



* Re: [gentoo-dev] [PATCH] 2021-07-09-systemd-tmpfiles: re-add news item
  2021-07-14  8:49         ` Andreas K. Huettel
@ 2021-07-14 14:23           ` Aaron Bauman
  0 siblings, 0 replies; 21+ messages in thread
From: Aaron Bauman @ 2021-07-14 14:23 UTC (permalink / raw
  To: gentoo-dev; +Cc: pr, Thomas Deutschmann


On Wed, Jul 14, 2021 at 10:49:34AM +0200, Andreas K. Huettel wrote:
> > > 
> > > 1) either the severity assignment of this bug by the Security project as B1 wrong (i.e. it should have been classified "harmless")

<snip> 

> Well, over the last year or so every 2-3 months the (uninformed) discussion came up, "don't use openrc stages because you are automatically rooted". That leaves a rather bad impression of Gentoo, independent of whether it is true or not. If noone from sec team noticed the discussions...

Absolutely, that would leave a bad impression. Where were these
discussions taking place?

> 
> > > 2) or the entire classification of severity levels according to the Security project pointless (i.e. you can't base any actions on them because a mystery onion needs to be taken into account).
> > > 
> > 
> > I am not sure if this is sarcasm, but every bug must be considered
> > through the correct aperture. That is, based on your environment,
> > protections in place, defense in depth, and other buzzwords... hence the
> > onion analogy.
> 
> It's not sarcasm. The point of the classification is to give clear rules (why else would you list, e.g., required response times on the vulnerability treatment page (no matter how illusory they are)).
> 
> If you don't take all factors into account when *making* the classification, then all gain you have from the classification is lost.
>

Let me explain differently. Gentoo has a vulnerability rating system
that is independent of any other system. This system is used to classify
bugs from a distro perspective and common usage of various applications.

However, one cannot consider all possible attack vectors, impacts, and
configuration scenarios being used by our users. So, it is not lost...
we just can't possibly account for all the things.

Yes, the response times are utter crap and as I mentioned the Gentoo
system needs to be overhauled/adapted.

-Aaron


