| 1 |
On 11/26/20 5:37 PM, Peter Stuge wrote: |
| 2 |
> Georgy Yakovlev wrote: |
| 3 |
>> I'll be switching default tmpfiles provider to sys-apps/systemd-tmpfiles |
| 4 |
>> by the end of the week by updating virtual/tmpfiles ebuild. |
| 5 |
> |
| 6 |
> Michael Orlitzky wrote: |
| 7 |
>> Corollary: the tmpfiles.d specification can only be implemented (safely) |
| 8 |
>> on Linux after all. |
| 9 |
> |
| 10 |
> So should virtual/tmpfiles differentiate based on system? |
| 11 |
> |
| 12 |
|
| 13 |
There's no scenario where opentmpfiles is preferable. |
| 14 |
|
| 15 |
systemd-tmpfiles with the fs.protected_hardlinks=1 sysctl is secure on |
| 16 |
Linux. On other kernels, you're out of luck -- none of the options are |
| 17 |
secure. Securing the service manager on other kernels would require |
| 18 |
dropping tmpfiles entirely, and major changes to OpenRC. |
Archives