Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.

public inbox for gentoo-user@lists.gentoo.org
 help / color / mirror / Atom feed

From: Michael Orlitzky <mjo@gentoo.org>
To: gentoo-user@lists.gentoo.org, Dale <rdalek1967@gmail.com>
Subject: Re: [gentoo-user] Switching default tmpfiles and faster internet coming my way.
Date: Fri, 4 Dec 2020 09:23:11 -0500	[thread overview]
Message-ID: <e8d75562-d468-dbbf-70a1-d74ac7a8b7ee@gentoo.org> (raw)
In-Reply-To: <61d98418-9451-027d-3266-4f62a13a8802@gmail.com>

On 12/4/20 1:44 AM, Dale wrote:
> 
> Will opentmpfiles be fixed at some point or is it true that it can't be
> fixed?  On -dev, I think I read where one person said it can't be
> fixed.  In that case, switching is likely a good idea since the insecure
> package can't be fixed.
> 

The answer is a bit complicated. The first thing we need to understand 
that opentmpfiles is supposed to be a cross-platform (i.e. POSIX) 
implementation of the systemd-tmpfiles program. Systemd itself only runs 
on newer versions of linux, and since it has control of the entire 
system, it can enable those non-standard symlink and hardlink 
protections. So,

   * systemd-tmpfiles is secure, but only on linux, and only if you let
     it enable fs.protected_hardlinks for you.

The security there comes from two places. The first is that everything 
was implemented carefully in C to avoid these problems, and the second 
is that fs.protected_hardlinks solves the otherwise-unavoidable hardlink 
exploits.

Now for contrast, opentmpfiles is INsecure for two reasons:

   (1) It's written in shell script, so it doesn't have the ability to
       pass e.g. O_NOFOLLOW to all of the calls that might follow
       symlinks. And shell programs all operate on path names as opposed
       to file descriptors, so race conditions are impossible to avoid.

   (2) The fs.protected_hardlinks sysctl is not cross-platform, so if
       it's to fulfill its stated design goals, opentmpfiles can't rely
       on fs.protected_hardlinks.

The first problem is fixable, but the second is not. If opentmpfiles is 
rewritten in C, it could be just as secure as systemd-tmpfiles... but 
**only on linux with fs.protected_hardlinks enabled**.

It will never be both secure and cross-platform. The design of the whole 
tmpfiles.d thing is flawed in that regard.

> 
> root@fireball / # sysctl -n fs.protected_hardlinks
> 1
> root@fireball / #
> 
> 
> Does that improve things any or does that not really help anything?
> 

It completely fixes one of the problems (hardlinks), but does nothing 
for the other (non-terminal symlinks).

next prev parent reply	other threads:[~2020-12-04 14:23 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-12-04  1:40 [gentoo-user] Switching default tmpfiles and faster internet coming my way Dale
2020-12-04  2:06 ` Kusoneko
2020-12-04  7:44   ` Dale
2020-12-04  2:18 ` Michael Orlitzky
2020-12-04  2:22   ` Michael Orlitzky
2020-12-04  6:44   ` Dale
2020-12-04 14:23     ` Michael Orlitzky [this message]
2020-12-04 17:02       ` Dale
2020-12-05 13:43         ` Michael Orlitzky
2020-12-06  6:40           ` Dale
2020-12-04 10:47   ` Michael
2020-12-04 14:07     ` Michael Orlitzky
2020-12-04  8:55 ` tastytea
2020-12-04 14:07   ` Michael Orlitzky
2020-12-04  9:09 ` antlists
2020-12-04 10:06   ` Dale
2020-12-04 10:24   ` Michael
2020-12-07  4:24   ` Dale
2020-12-07 11:39     ` Wols Lists
2020-12-07 20:32       ` Dale
2020-12-06  7:55 ` [gentoo-user] " Martin Vaeth
2020-12-06 10:45   ` Michael
2020-12-06 12:37     ` Neil Bothwick
2020-12-06 12:53       ` Arve Barsnes
2020-12-06 12:54       ` Rich Freeman
2020-12-06 13:01         ` antlists
2020-12-06 13:45           ` Michael
2020-12-06 15:13             ` Rich Freeman
2020-12-06 16:25     ` Martin Vaeth
2020-12-06 12:55   ` antlists
2020-12-06 17:06     ` Martin Vaeth
2020-12-06 13:29   ` Michael Orlitzky
2020-12-06 16:57     ` Martin Vaeth
2020-12-06 21:44       ` Michael Orlitzky
2020-12-07 20:41         ` Martin Vaeth

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=e8d75562-d468-dbbf-70a1-d74ac7a8b7ee@gentoo.org \
    --to=mjo@gentoo.org \
    --cc=gentoo-user@lists.gentoo.org \
    --cc=rdalek1967@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox