From: Rich Freeman <rich0@gentoo.org>
To: gentoo-dev <gentoo-dev@lists.gentoo.org>
Subject: Re: [gentoo-dev] Vanilla sources
Date: Fri, 3 Jan 2020 09:46:50 -0500 [thread overview]
Message-ID: <CAGfcS_=Ci76CcFSsSvFF8sLZse=dPQymqPZzSH0MEymeaSKksQ@mail.gmail.com> (raw)
In-Reply-To: <9b48db99-19dc-617b-c0d4-ffa0216b43be@gentoo.org>
On Fri, Jan 3, 2020 at 9:41 AM Michael Orlitzky <mjo@gentoo.org> wrote:
>
> On 1/3/20 9:40 AM, Toralf Förster wrote:
> > On 1/3/20 3:37 PM, Michael Orlitzky wrote:
> >> The gentoo-sources aren't 100% safe either, but the exploitable scenario
> >> is less common thanks to fs.protected_{hardlinks,symlinks}=1.
> >
> > But this can be easily achieved w/o installing gentoo-sources, or?
> >
>
> Yes, if you know how to do it. And the hard part: if you know that you
> *should* do it.
>
If OpenRC contains a vulnerability wouldn't it make more sense to set
this as part of OpenRC, then to assume somebody is running a kernel
patch that does it, especially since OpenRC doesn't in any way ensure
that gentoo-sources is actually being used?
Of course, fixing the vulnerability seems like a better option. At
least on Linux based on your one bug description it sounds like
systemd has a Linux-specific fix already. Obviously it would be best
to secure this on all kernels but there is no reason not to at least
use that fix on Linux. You could also try to convince the entire
world not to use tmpfiles.d but since it is only a problem if you
aren't using systemd I suspect you won't get much traction there.
In any case this seems more like an OpenRC issue than a Gentoo issue.
--
Rich
next prev parent reply other threads:[~2020-01-03 14:47 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-28 7:09 [gentoo-dev] Keywordreqs and slacking arch teams Michał Górny
2019-12-28 9:27 ` Kent Fredric
2019-12-28 9:35 ` Fabian Groffen
2019-12-28 11:05 ` Kent Fredric
2019-12-28 11:14 ` Michael 'veremitz' Everitt
2019-12-28 11:27 ` Kent Fredric
2019-12-28 11:40 ` James Le Cuirot
2019-12-28 11:44 ` Kent Fredric
2019-12-28 11:32 ` Kent Fredric
2019-12-28 11:35 ` Michael 'veremitz' Everitt
2019-12-28 11:42 ` Kent Fredric
2019-12-28 18:05 ` Alec Warner
2019-12-29 2:19 ` Aaron Bauman
2019-12-29 5:09 ` Kent Fredric
2019-12-30 1:45 ` A Schenck
2020-01-02 20:32 ` Rolf Eike Beer
2020-01-02 23:25 ` Mike Pagano
2020-01-02 23:35 ` Rolf Eike Beer
2020-01-03 0:19 ` Michael 'veremitz' Everitt
2020-01-03 2:40 ` Aaron Bauman
2020-01-03 10:00 ` Rolf Eike Beer
2020-01-04 11:09 ` Rolf Eike Beer
2020-01-04 11:25 ` Michael 'veremitz' Everitt
2020-01-04 13:35 ` Rolf Eike Beer
2020-01-03 14:37 ` [gentoo-dev] Vanilla sources Michael Orlitzky
2020-01-03 14:40 ` Toralf Förster
2020-01-03 14:41 ` Michael Orlitzky
2020-01-03 14:46 ` Rich Freeman [this message]
2020-01-03 14:48 ` Toralf Förster
2020-01-03 22:32 ` Michael 'veremitz' Everitt
2020-01-04 7:38 ` Hanno Böck
2020-01-04 18:39 ` William Hubbs
2020-01-04 18:41 ` Michał Górny
2020-01-07 8:52 ` Hanno Böck
2020-01-03 14:52 ` Michael Orlitzky
2020-01-03 14:55 ` Michael Orlitzky
2020-01-03 16:28 ` Aaron Bauman
2020-01-04 11:01 ` Rich Freeman
2020-01-04 11:42 ` Roy Bamford
2020-01-04 12:54 ` Rich Freeman
2020-01-04 13:08 ` Roy Bamford
2020-01-04 13:43 ` Thomas Deutschmann
2020-01-05 10:34 ` Roy Bamford
2020-01-04 20:13 ` Christopher Head
2020-01-04 20:39 ` Rich Freeman
2020-01-04 13:47 ` Thomas Deutschmann
2020-01-04 18:41 ` William Hubbs
2020-01-04 18:42 ` Michał Górny
2020-01-04 19:13 ` Rolf Eike Beer
2020-01-05 16:41 ` Michael Orlitzky
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAGfcS_=Ci76CcFSsSvFF8sLZse=dPQymqPZzSH0MEymeaSKksQ@mail.gmail.com' \
--to=rich0@gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox