* [gentoo-dev] last rites (kinda, long masked): sys-apps/opentmpfiles
From: Andreas K. Huettel @ 2023-09-16 22:47 UTC
To: gentoo-dev-announce, gentoo-dev

# Andreas K. Hüttel <dilfridge@gentoo.org> (2021-07-06, 2023-09-15)
# No longer maintained upstream; masked everywhere for two years now.
# Please see also the 2021-07-15-opentmpfiles-deprecation news item.
# https://www.gentoo.org/support/news-items/2021-07-15-opentmpfiles-deprecation.html
#
# The replacement is sys-apps/systemd-utils[tmpfiles]; new name
# but otherwise identical to the solution described in the news item.
# Removal on 2023-10-15.
sys-apps/opentmpfiles

-- 
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer
(council, toolchain, base-system, perl, libreoffice)
* [gentoo-dev] Re: [gentoo-dev-announce] last rites (kinda, long masked): sys-apps/opentmpfiles
From: Alexe Stefan @ 2023-09-17 5:26 UTC
To: gentoo-dev

One is written in shell, the other is written in C (no problems here).
One is not part of systemd, the other is.
How are they identical?

I use this on my raspi server, works fine.

Gentoo really became a systemd distro, further restricting choice by
the day.
* Re: [gentoo-dev] Re: [gentoo-dev-announce] last rites (kinda, long masked): sys-apps/opentmpfiles
From: David Seifert @ 2023-09-17 8:37 UTC
To: gentoo-dev

On Sun, 2023-09-17 at 08:26 +0300, Alexe Stefan wrote:
> One is written in shell, the other is written in C (no problems here).
> One is not part of systemd, the other is.
> How are they identical?
>
> I use this on my raspi server, works fine.
>
> Gentoo really became a systemd distro, further restricting choice by
> the day.
>

http://www.islinuxaboutchoice.com/
* Re: [gentoo-dev] Re: [gentoo-dev-announce] last rites (kinda, long masked): sys-apps/opentmpfiles
From: Alexe Stefan @ 2023-09-17 8:47 UTC
To: gentoo-dev

On 9/17/23, David Seifert <soap@gentoo.org> wrote:
> On Sun, 2023-09-17 at 08:26 +0300, Alexe Stefan wrote:
>> One is written in shell, the other is written in C (no problems here).
>> One is not part of systemd, the other is.
>> How are they identical?
>>
>> I use this on my raspi server, works fine.
>>
>> Gentoo really became a systemd distro, further restricting choice by
>> the day.
>>
>
> http://www.islinuxaboutchoice.com/
>
>

That mail is about fedora, the furthest you can go away from choice on
linux. However, that page talks about fedora as if all of linux is
fedora. Gentoo is not fedora... yet.
* Re: [gentoo-dev] Re: [gentoo-dev-announce] last rites (kinda, long masked): sys-apps/opentmpfiles
From: Arsen Arsenović @ 2023-09-17 10:58 UTC
To: gentoo-dev

Alexe Stefan <stefanalexe48@gmail.com> writes:

> One is written in shell, the other is written in C (no problems here).

Not that implementation language matters.

> One is not part of systemd, the other is.

Both work fine without systemd, but the systemd implementation also
happens not to be unmaintained and happens to be more complete.

> How are they identical?

The last rites message does not say that opentmpfiles and
systemd-tmpfiles are identical. That'd do a disservice to the actually
complete, unmaintained, and (currently) non-CVE-affected implementation
in systemd.

> I use this on my raspi server, works fine.

'WOMM' is a fairly terrible measure.

> Gentoo really became a systemd distro, further restricting choice by
> the day.

[ignoring this nonsensical statement, notice put here for clarity]

Gentoo devs aren't obliged to maintain software you like to use.
systemd-utils[tmpfiles] works on all Gentoo systems, including
non-systemd ones. Until that changes (which is unlikely), I doubt there
will be much interest in maintaining a fork from inside Gentoo.

Please take up opentmpfiles maintenance. You have
https://archives.gentoo.org/gentoo-dev/message/689954cc7fd55402dc4c82aa0ac70efb
to address, and probably some other issues. See
https://github.com/OpenRC/opentmpfiles/issues/19 for context.

The message above implies that a rewrite in C is necessary.

This should be rather easy. The systemd implementation is only ~4k LoC
(excluding shared code), so I imagine that a complete reimplementation
should be far less than 10k. Since this is fairly elementary stuff, it
should be possible to finish in a weekend's time.

Submit a PR to re-add opentmpfiles after you're done.

Looking forward to reviewing your contributions upstream. Have a lovely
day :-)

-- 
Arsen Arsenović
* Re: [gentoo-dev] Re: [gentoo-dev-announce] last rites (kinda, long masked): sys-apps/opentmpfiles
From: Arsen Arsenović @ 2023-09-17 11:15 UTC
To: gentoo-dev

Arsen Arsenović <arsen@gentoo.org> writes:

[snip]

>> How are they identical?
>
> The last rites message does not say that opentmpfiles and
> systemd-tmpfiles are identical. That'd do a disservice to the actually
> complete, unmaintained, and (currently) non-CVE-affected implementation
            ^^ C-h C-h... typo'd.
> in systemd.
>

[snip]

-- 
Arsen Arsenović
* Re: [gentoo-dev] Re: [gentoo-dev-announce] last rites (kinda, long masked): sys-apps/opentmpfiles
From: orbea @ 2023-09-17 13:05 UTC
To: gentoo-dev

On Sun, 17 Sep 2023 12:58:00 +0200
Arsen Arsenović <arsen@gentoo.org> wrote:

> Alexe Stefan <stefanalexe48@gmail.com> writes:
>
> > One is written in shell, the other is written in C (no problems
> > here).
>
> Not that implementation language matters.
>
> > One is not part of systemd, the other is.
>
> Both work fine without systemd, but the systemd implementation also
> happens not to be unmaintained and happens to be more complete.

Here are some other implementations I have found, but I am not sure if
they are drop-in replacements or not.

https://github.com/eweOS/pawprint
https://github.com/juur/tmpfilesd

>
> > How are they identical?
>
> The last rites message does not say that opentmpfiles and
> systemd-tmpfiles are identical. That'd do a disservice to the
> actually complete, unmaintained, and (currently) non-CVE-affected
> implementation in systemd.
>
> > I use this on my raspi server, works fine.
>
> 'WOMM' is a fairly terrible measure.
>
> > Gentoo really became a systemd distro, further restricting choice by
> > the day.
>
> [ignoring this nonsensical statement, notice put here for clarity]
>
>
> Gentoo devs aren't obliged to maintain software you like to use.
> systemd-utils[tmpfiles] works on all Gentoo systems, including
> non-systemd ones. Until that changes (which is unlikely), I doubt
> there will be much interest in maintaining a fork from inside Gentoo.
>
> Please take up opentmpfiles maintenance. You have
> https://archives.gentoo.org/gentoo-dev/message/689954cc7fd55402dc4c82aa0ac70efb
> to address, and probably some other issues. See
> https://github.com/OpenRC/opentmpfiles/issues/19 for context.
>
> The message above implies that a rewrite in C is necessary.
>
> This should be rather easy. The systemd implementation is only ~4k
> LoC (excluding shared code), so I imagine that a complete
> reimplementation should be far less than 10k. Since this is fairly
> elementary stuff, it should be possible to finish in a weekend's time.
>
> Submit a PR to re-add opentmpfiles after you're done.
>
> Looking forward to reviewing your contributions upstream. Have a
> lovely day :-)
* Re: [gentoo-dev] Re: [gentoo-dev-announce] last rites (kinda, long masked): sys-apps/opentmpfiles
From: Alexe Stefan @ 2023-09-17 17:28 UTC
To: gentoo-dev

On 9/17/23, orbea <orbea@riseup.net> wrote:
> On Sun, 17 Sep 2023 12:58:00 +0200
> Arsen Arsenović <arsen@gentoo.org> wrote:
>
>> Alexe Stefan <stefanalexe48@gmail.com> writes:
>>
>> > One is written in shell, the other is written in C (no problems
>> > here).
>>
>> Not that implementation language matters.
>>
>> > One is not part of systemd, the other is.
>>
>> Both work fine without systemd, but the systemd implementation also
>> happens not to be unmaintained and happens to be more complete.
>
> Here are some other implementations I have found, but I am not sure if
> they are drop-in replacements or not.
>
> https://github.com/eweOS/pawprint
> https://github.com/juur/tmpfilesd
>
>>
>> > How are they identical?
>>
>> The last rites message does not say that opentmpfiles and
>> systemd-tmpfiles are identical. That'd do a disservice to the
>> actually complete, unmaintained, and (currently) non-CVE-affected
>> implementation in systemd.
>>
>> > I use this on my raspi server, works fine.
>>
>> 'WOMM' is a fairly terrible measure.
>>
>> > Gentoo really became a systemd distro, further restricting choice by
>> > the day.
>>
>> [ignoring this nonsensical statement, notice put here for clarity]
>>
>>
>> Gentoo devs aren't obliged to maintain software you like to use.
>> systemd-utils[tmpfiles] works on all Gentoo systems, including
>> non-systemd ones. Until that changes (which is unlikely), I doubt
>> there will be much interest in maintaining a fork from inside Gentoo.
>>
>> Please take up opentmpfiles maintenance. You have
>> https://archives.gentoo.org/gentoo-dev/message/689954cc7fd55402dc4c82aa0ac70efb
>> to address, and probably some other issues. See
>> https://github.com/OpenRC/opentmpfiles/issues/19 for context.
>>
>> The message above implies that a rewrite in C is necessary.
>>
>> This should be rather easy. The systemd implementation is only ~4k
>> LoC (excluding shared code), so I imagine that a complete
>> reimplementation should be far less than 10k. Since this is fairly
>> elementary stuff, it should be possible to finish in a weekend's time.
>>
>> Submit a PR to re-add opentmpfiles after you're done.
>>
>> Looking forward to reviewing your contributions upstream. Have a
>> lovely day :-)
>
>

There are 2 open PRs on the opentmpfiles github. One removes the
security vulnerability, but is non-compliant with the spec, the other
is (at least is a start of) a rewrite in C.

>As a result, opentmpfiles never should have tried to implement it, but
>its authors didn't know about those problems either. And while
>implementing tmpfiles in C has certain unavoidable race conditions,
>hooooooooo boy is the shell version swiss cheese. There's no safe way
>to run chown and chmod (the shell commands) as root in a directory you
>don't control, and that's a big part of what opentmpfiles does. The
>exploits for the shell version are kindergarten stuff.
>

Is it really so easy to exploit it?
How would you do that?
* Re: [gentoo-dev] Re: [gentoo-dev-announce] last rites (kinda, long masked): sys-apps/opentmpfiles
From: Michael Orlitzky @ 2023-09-17 20:49 UTC
To: gentoo-dev

On 2023-09-17 20:28:49, Alexe Stefan wrote:
>
> There are 2 open PRs on the opentmpfiles github. One removes the
> security vulnerability, but is non-compliant with the spec, the other
> is (at least is a start of) a rewrite in C.

The PR is still vulnerable. These checks,

  _chown() {
      local path=$2 uid=$1
      if ! owned_by_root "${path}" ; then
      ...

are insufficient to fix the vulnerability, because it's the parent
path(s) that are the problem. If any parent path is writable by a
non-root user, that non-root user can swap it out from under you, even
if the thing you're operating on is root:root.

AFAIK it's impossible to fix that in shell. In C, you can do a little
openat() dance ensuring that each component of your path is safe from
the root upwards -- that's why one of the suggestions is to rewrite
opentmpfiles in C.

> >As a result, opentmpfiles never should have tried to implement it, but
> >its authors didn't know about those problems either. And while
> >implementing tmpfiles in C has certain unavoidable race conditions,
> >hooooooooo boy is the shell version swiss cheese. There's no safe way
> >to run chown and chmod (the shell commands) as root in a directory you
> >don't control, and that's a big part of what opentmpfiles does. The
> >exploits for the shell version are kindergarten stuff.
>
> Is it really so easy to exploit it?
> How would you do that?
>

The daemon runs "ln" or "ln -s", basically at its leisure, and waits
for opentmpfiles to run again.
* Re: [gentoo-dev] Re: [gentoo-dev-announce] last rites (kinda, long masked): sys-apps/opentmpfiles
From: Michael Orlitzky @ 2023-09-17 11:53 UTC
To: gentoo-dev

On 2023-09-17 08:26:50, Alexe Stefan wrote:
> One is written in shell, the other is written in C (no problems here).
> One is not part of systemd, the other is.
> How are they identical?

The big picture is that the tmpfiles.d specification is impossible to
implement securely on a POSIX system. The systemd devs wrote a
specification to appease the people who complained, but that doesn't
change the fact that the spec is fundamentally flawed unless you happen
to be implementing it on a new linux system. (The authors didn't know
this at the time, so it was not a dirty trick.)

As a result, opentmpfiles never should have tried to implement it, but
its authors didn't know about those problems either. And while
implementing tmpfiles in C has certain unavoidable race conditions,
hooooooooo boy is the shell version swiss cheese. There's no safe way
to run chown and chmod (the shell commands) as root in a directory you
don't control, and that's a big part of what opentmpfiles does. The
exploits for the shell version are kindergarten stuff.

The systemd folks put in a lot of work to make sure that the race
window is as small as possible in systemd-tmpfiles. And on linux with
kernel hardening, you're safe.

Given that no one is working towards replacing tmpfiles completely,
here's where that leaves us. We have the systemd utility that is as
secure as possible, and opentmpfiles that tries to mimic it but is
unmaintained and much less secure. At best, the insecure version could
be rewritten in C to make it... basically identical to the systemd
version? Which has no real problems aside from the fact that it has
systemd in the name. And no one is volunteering to do that rewrite in
the first place.

Newer linux systems are well supported by systemd-tmpfiles, and that's
the only place tmpfiles is safe to begin with. It sucks that we're all
stuck with tmpfiles now but you're only shooting yourself in the foot
if you insist on using the worst possible implementation of it.
* Re: [gentoo-dev] Re: [gentoo-dev-announce] last rites (kinda, long masked): sys-apps/opentmpfiles
From: Marc Joliet @ 2023-09-17 13:32 UTC
To: gentoo-dev

On Sunday, 17 September 2023, 13:53:45 CEST, Michael Orlitzky wrote:
> On 2023-09-17 08:26:50, Alexe Stefan wrote:
[...]

I just want to say how amazed I am that you (and Arsen, too) still have
the patience to try and explain the realities of the situation like
this, especially after the eudev thread.

Greetings
-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know
we don't" - Bjarne Stroustrup
* Re: [gentoo-dev] Re: [gentoo-dev-announce] last rites (kinda, long masked): sys-apps/opentmpfiles
From: Marc Joliet @ 2023-09-17 17:10 UTC
To: gentoo-dev

On Sunday, 17 September 2023, 15:32:46 CEST, Marc Joliet wrote:
> On Sunday, 17 September 2023, 13:53:45 CEST, Michael Orlitzky wrote:
> > On 2023-09-17 08:26:50, Alexe Stefan wrote:
> [...]
>
> I just want to say how amazed I am that you (and Arsen, too) still have the
> patience to try and explain the realities of the situation like this,
> especially after the eudev thread.

(Just to be clear: I mean this as a compliment!)

-- 
Marc Joliet
--
"People who think they know everything really annoy those of us who know
we don't" - Bjarne Stroustrup
* Re: [gentoo-dev] Re: [gentoo-dev-announce] last rites (kinda, long masked): sys-apps/opentmpfiles
From: Michael Orlitzky @ 2023-09-17 17:25 UTC
To: gentoo-dev

On 2023-09-17 15:32:46, Marc Joliet wrote:
> I just want to say how amazed I am that you (and Arsen, too) still have the
> patience to try and explain the realities of the situation like this,
> especially after the eudev thread.

I'm a founding member of the systemd haters club so I'm sympathetic, but
in this case there are only a few realistic paths forward and none of
them involve opentmpfiles.
* Re: [gentoo-dev] Re: [gentoo-dev-announce] last rites (kinda, long masked): sys-apps/opentmpfiles
From: orbea @ 2023-09-17 17:53 UTC
To: gentoo-dev

On Sun, 17 Sep 2023 13:25:20 -0400
Michael Orlitzky <mjo@gentoo.org> wrote:

> On 2023-09-17 15:32:46, Marc Joliet wrote:
> > I just want to say how amazed I am that you (and Arsen, too) still
> > have the patience to try and explain the realities of the situation
> > like this, especially after the eudev thread.
>
> I'm a founding member of the systemd haters club so I'm sympathetic,
> but in this case there are only a few realistic paths forward and none
> of them involve opentmpfiles.
>

I'll say I agree too, I would like to stop using systemd-tmpfiles, but
opentmpfiles is not a viable choice.

Given this commit.

https://github.com/OpenRC/opentmpfiles/commit/f33d0ea74bb0ab8bdf53e3df499323a828b3b1df

And this comment.

https://github.com/OpenRC/opentmpfiles/issues/19#issuecomment-877663396

At this point opentmpfiles seems actually dead and unmaintained, it also
seems doubtful that will change in the foreseeable future. It's better
to look into alternatives instead.
* Re: [gentoo-dev] last rites (kinda, long masked): sys-apps/opentmpfiles
From: Ulrich Mueller @ 2023-09-20 13:58 UTC
To: gentoo-dev

>>>>> On Sun, 17 Sep 2023, Andreas K Huettel wrote:

> # Andreas K. Hüttel <dilfridge@gentoo.org> (2021-07-06, 2023-09-15)

Please use only a single date. The current line breaks parsing of the
date on packages.gentoo.org, which shows 0001-01-01:
https://packages.gentoo.org/packages/sys-apps/opentmpfiles