On Fri, Jan 3, 2020 at 9:41 AM Michael Orlitzky <mjo@g.o> wrote:
>
> On 1/3/20 9:40 AM, Toralf Förster wrote:
> > On 1/3/20 3:37 PM, Michael Orlitzky wrote:
> >> The gentoo-sources aren't 100% safe either, but the exploitable scenario
> >> is less common thanks to fs.protected_{hardlinks,symlinks}=1.
> >
> > But this can be easily achieved w/o installing gentoo-sources, or?
> >
>
> Yes, if you know how to do it. And the hard part: if you know that you
> *should* do it.
>

If OpenRC contains a vulnerability wouldn't it make more sense to set
this as part of OpenRC, than to assume somebody is running a kernel
patch that does it, especially since OpenRC doesn't in any way ensure
that gentoo-sources is actually being used?

Of course, fixing the vulnerability seems like a better option. At
least on Linux based on your one bug description it sounds like
systemd has a Linux-specific fix already. Obviously it would be best
to secure this on all kernels but there is no reason not to at least
use that fix on Linux. You could also try to convince the entire
world not to use tmpfiles.d but since it is only a problem if you
aren't using systemd I suspect you won't get much traction there.

In any case this seems more like an OpenRC issue than a Gentoo issue.

--
Rich
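A defender-side check for the two sysctls the thread relies on, added here as an example and not code from the thread or from OpenRC: it reports whether fs.protected_symlinks and fs.protected_hardlinks are enforced on the running kernel and writes a sysctl.d drop-in so the setting does not depend on which kernel sources were installed. The PROC_SYS override and the drop-in file name are assumptions.

```shell
#!/bin/sh
# Added example: verify fs.protected_{symlinks,hardlinks} and persist them.
# PROC_SYS (assumed name) lets the check be pointed at a constructed tree.

# Print the value of fs.$2 under $1/fs; "missing" if this kernel lacks the knob.
fs_knob() {
    if [ -r "$1/fs/$2" ]; then cat "$1/fs/$2"; else echo missing; fi
}

# Succeed only when both knobs read 1 (the state the thread assumes).
fs_protection_ok() {
    [ "$(fs_knob "$1" protected_symlinks)" = 1 ] &&
    [ "$(fs_knob "$1" protected_hardlinks)" = 1 ]
}

# Human-readable report; exit status is that of fs_protection_ok.
report_fs_protection() {
    for knob in protected_symlinks protected_hardlinks; do
        printf 'fs.%s = %s\n' "$knob" "$(fs_knob "$1" "$knob")"
    done
    fs_protection_ok "$1"
}

# Write a sysctl.d fragment into directory $1 (assumption: /etc/sysctl.d on a
# real system) so the hardening survives reboots and kernel changes.
write_sysctl_fragment() {
    cat > "$1/60-fs-protected-links.conf" <<'EOF'
# Do not follow symlinks in sticky world-writable dirs (e.g. /tmp) unless the
# follower owns the link or the directory; do not allow hardlinks to files the
# caller cannot read and write.
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
EOF
}

report_fs_protection "${PROC_SYS:-/proc/sys}" ||
    echo "fs.protected_* not fully enforced; see write_sysctl_fragment"
```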