| 1 |
On Fri, Jan 3, 2020 at 9:41 AM Michael Orlitzky <mjo@g.o> wrote: |
| 2 |
> |
| 3 |
> On 1/3/20 9:40 AM, Toralf Förster wrote: |
| 4 |
> > On 1/3/20 3:37 PM, Michael Orlitzky wrote: |
| 5 |
> >> The gentoo-sources aren't 100% safe either, but the exploitable scenario |
| 6 |
> >> is less common thanks to fs.protected_{hardlinks,symlinks}=1. |
| 7 |
> > |
| 8 |
> > But this can be easily achieved w/o installing gentoo-sources, or? |
| 9 |
> > |
| 10 |
> |
| 11 |
> Yes, if you know how to do it. And the hard part: if you know that you |
| 12 |
> *should* do it. |
| 13 |
> |
| 14 |
|
| 15 |
If OpenRC contains a vulnerability wouldn't it make more sense to set |
| 16 |
this as part of OpenRC, then to assume somebody is running a kernel |
| 17 |
patch that does it, especially since OpenRC doesn't in any way ensure |
| 18 |
that gentoo-sources is actually being used? |
| 19 |
|
| 20 |
Of course, fixing the vulnerability seems like a better option. At |
| 21 |
least on Linux based on your one bug description it sounds like |
| 22 |
systemd has a Linux-specific fix already. Obviously it would be best |
| 23 |
to secure this on all kernels but there is no reason not to at least |
| 24 |
use that fix on Linux. You could also try to convince the entire |
| 25 |
world not to use tmpfiles.d but since it is only a problem if you |
| 26 |
aren't using systemd I suspect you won't get much traction there. |
| 27 |
|
| 28 |
In any case this seems more like an OpenRC issue than a Gentoo issue. |
| 29 |
|
| 30 |
-- |
| 31 |
Rich |
Archives