From: Rich Freeman
Date: Fri, 3 Jan 2020 09:46:50 -0500
Subject: Re: [gentoo-dev] Vanilla sources
To: gentoo-dev
Reply-To: gentoo-dev@lists.gentoo.org
In-Reply-To: <9b48db99-19dc-617b-c0d4-ffa0216b43be@gentoo.org>

On Fri, Jan 3, 2020 at 9:41 AM Michael Orlitzky wrote:
>
> On 1/3/20 9:40 AM, Toralf Förster wrote:
> > On 1/3/20 3:37 PM, Michael Orlitzky wrote:
> >> The gentoo-sources aren't 100% safe either, but the exploitable scenario
> >> is less common thanks to fs.protected_{hardlinks,symlinks}=1.
> >
> > But this can be easily achieved w/o installing gentoo-sources, or?
> >
>
> Yes, if you know how to do it. And the hard part: if you know that you
> *should* do it.
>

If OpenRC contains a vulnerability, wouldn't it make more sense to set
this as part of OpenRC than to assume somebody is running a kernel
patch that does it, especially since OpenRC doesn't in any way ensure
that gentoo-sources is actually being used?

Of course, fixing the vulnerability seems like a better option. At
least on Linux, based on your one bug description, it sounds like
systemd has a Linux-specific fix already. Obviously it would be best
to secure this on all kernels, but there is no reason not to at least
use that fix on Linux.

You could also try to convince the entire world not to use tmpfiles.d,
but since it is only a problem if you aren't using systemd, I suspect
you won't get much traction there.

In any case this seems more like an OpenRC issue than a Gentoo issue.

-- 
Rich
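The thread turns on whether fs.protected_hardlinks and fs.protected_symlinks are actually set to 1 on a given box, and on the point that this does not require gentoo-sources because the same values can be set through sysctl on any kernel. The script below is an added example, not code from this thread or from OpenRC or Gentoo: it audits the two sysctls from `sysctl` output (a constructed sample is embedded so it runs offline) and writes the persistent drop-in that makes a vanilla kernel match the gentoo-sources defaults. The function names and the drop-in path `/etc/sysctl.d/50-protected-links.conf` are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit and persist the
# fs.protected_{hardlinks,symlinks} sysctls independently of which
# kernel sources are installed.

# check_protected_sysctls TEXT
#   TEXT is "key = value" output as printed by
#   `sysctl fs.protected_hardlinks fs.protected_symlinks`.
#   Returns 0 only if both keys are set to 1; otherwise prints the keys
#   that are missing or not 1 and returns 1.
check_protected_sysctls() {
    _out="$1"
    _bad=""
    for _key in fs.protected_hardlinks fs.protected_symlinks; do
        # Extract the value for this key; an absent key yields "".
        _val=$(printf '%s\n' "$_out" | sed -n "s/^$_key *= *//p")
        [ "$_val" = "1" ] || _bad="$_bad $_key"
    done
    if [ -n "$_bad" ]; then
        printf 'not hardened:%s\n' "$_bad"
        return 1
    fi
    return 0
}

# write_sysctl_dropin PATH
#   Writes the persistent fix (assumed path: /etc/sysctl.d/50-protected-links.conf).
#   Both settings are the gentoo-sources defaults referred to in the thread:
#   refuse to follow symlinks in sticky world-writable directories unless the
#   follower owns them or the directory, and refuse hardlinks to files the
#   caller cannot write.
write_sysctl_dropin() {
    cat > "$1" <<'EOF'
# Match gentoo-sources defaults on any kernel (added example).
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
EOF
}

# Constructed sample output: a kernel with the protections disabled ...
SAMPLE_VANILLA='fs.protected_hardlinks = 0
fs.protected_symlinks = 0'
# ... and one with both enabled (constructed, not captured from a real host).
SAMPLE_HARDENED='fs.protected_hardlinks = 1
fs.protected_symlinks = 1'

# check_live: audit the running kernel, if sysctl is available.
check_live() {
    command -v sysctl >/dev/null 2>&1 || { echo "sysctl not available"; return 2; }
    check_protected_sysctls "$(sysctl fs.protected_hardlinks fs.protected_symlinks 2>/dev/null)"
}
```

Run `check_live` on the host to see the current state; if it reports keys that are not hardened, `write_sysctl_dropin /etc/sysctl.d/50-protected-links.conf` followed by `sysctl --system` (or a reboot) applies them regardless of whether gentoo-sources, vanilla-sources or another kernel is booted, which is the point made above about not relying on a kernel patch for an init-system problem.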