1 |
On 11/26/20 5:37 PM, Peter Stuge wrote: |
2 |
> Georgy Yakovlev wrote: |
3 |
>> I'll be switching default tmpfiles provider to sys-apps/systemd-tmpfiles |
4 |
>> by the end of the week by updating virtual/tmpfiles ebuild. |
5 |
> |
6 |
> Michael Orlitzky wrote: |
7 |
>> Corollary: the tmpfiles.d specification can only be implemented (safely) |
8 |
>> on Linux after all. |
9 |
> |
10 |
> So should virtual/tmpfiles differentiate based on system? |
11 |
> |
12 |
|
13 |
There's no scenario where opentmpfiles is preferable. |
14 |
|
15 |
systemd-tmpfiles with the fs.protected_hardlinks=1 sysctl is secure on |
16 |
Linux. On other kernels, you're out of luck -- none of the options are |
17 |
secure. Securing the service manager on other kernels would require |
18 |
dropping tmpfiles entirely, and major changes to OpenRC. |