Archives
Archives
| From: | Michael Orlitzky <mjo@g.o> | ||
|---|---|---|---|
| To: | gentoo-dev@l.g.o | ||
| Subject: | Re: [gentoo-dev] Vanilla sources | ||
| Date: | Fri, 03 Jan 2020 14:37:17 | ||
| Message-Id: | 5537134e-0412-862d-e105-94c678229b46@gentoo.org | ||
| In Reply to: | Re: [gentoo-dev] Keywordreqs and slacking arch teams by Rolf Eike Beer |
||
| 1 | On 1/2/20 6:35 PM, Rolf Eike Beer wrote: |
| 2 | > |
| 3 | > I only run vanilla-sources since there are still lot of cache corruption |
| 4 | > problems in hppa kernels, or whatever makes them flaky. |
| 5 | |
| 6 | The vanilla-sources are unsafe to use on Gentoo. Many services have |
| 7 | stupid-easy root exploits, since we install tmpfiles entries by default |
| 8 | and OpenRC runs them insecurely: |
| 9 | |
| 10 | * https://github.com/OpenRC/opentmpfiles/issues/3 |
| 11 | * https://github.com/OpenRC/opentmpfiles/issues/4 |
| 12 | |
| 13 | I've fixed similar exploits when I've found them in /etc/init.d and |
| 14 | pkg_postinst[0][1], but they continue to be added to the tree. And there |
| 15 | is no fix for opentmpfiles. |
| 16 | |
| 17 | The gentoo-sources aren't 100% safe either, but the exploitable scenario |
| 18 | is less common thanks to fs.protected_{hardlinks,symlinks}=1. |
| 19 | |
| 20 | |
| 21 | [0] |
| 22 | http://michael.orlitzky.com/articles/end_root_chowning_now_%28make_etc-init.d_great_again%29.xhtml |
| 23 | |
| 24 | [1] |
| 25 | http://michael.orlitzky.com/articles/end_root_chowning_now_%28make_pkg_postinst_great_again%29.xhtml |
| Subject | Author |
|---|---|
| Re: [gentoo-dev] Vanilla sources | "Toralf Förster" <toralf@g.o> |