| From: | Michael Orlitzky <mjo@g.o> |
|---|---|
| To: | gentoo-dev@l.g.o |
| Subject: | Re: [gentoo-dev] Vanilla sources |
| Date: | Fri, 03 Jan 2020 14:37:17 |
| Message-Id: | 5537134e-0412-862d-e105-94c678229b46@gentoo.org |
| In Reply to: | Re: [gentoo-dev] Keywordreqs and slacking arch teams by Rolf Eike Beer |
On 1/2/20 6:35 PM, Rolf Eike Beer wrote:
>
> I only run vanilla-sources since there are still a lot of cache corruption
> problems in hppa kernels, or whatever makes them flaky.

The vanilla-sources are unsafe to use on Gentoo. Many services have
stupid-easy root exploits, since we install tmpfiles entries by default
and OpenRC runs them insecurely:

* https://github.com/OpenRC/opentmpfiles/issues/3
* https://github.com/OpenRC/opentmpfiles/issues/4

I've fixed similar exploits when I've found them in /etc/init.d and
pkg_postinst [0][1], but they continue to be added to the tree. And there
is no fix for opentmpfiles.

The gentoo-sources aren't 100% safe either, but the exploitable scenario
is less common thanks to fs.protected_{hardlinks,symlinks}=1.


[0] http://michael.orlitzky.com/articles/end_root_chowning_now_%28make_etc-init.d_great_again%29.xhtml

[1] http://michael.orlitzky.com/articles/end_root_chowning_now_%28make_pkg_postinst_great_again%29.xhtml
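The class of bug Michael is describing, shown as an added example that is not code from the mailing-list post, from OpenRC or from opentmpfiles: a privileged helper calls `chmod` (or `chown`) on a path that an unprivileged user can replace with a symlink or hard link, so the mode change lands on a file the user never owned. The kernel knobs `fs.protected_symlinks` and `fs.protected_hardlinks` block the common cases, but a helper that opens with `O_NOFOLLOW`, verifies what it reached, and then acts through the descriptor does not depend on them. The function names and the temp-directory scenario are hypothetical and constructed here; the example runs as an ordinary user.

```python
import errno
import os
import stat
import tempfile


def unsafe_set_mode(path: str, mode: int) -> None:
    """Hypothetical careless helper: chmod follows symlinks, so if `path`
    was swapped for a symlink the *target* receives the new mode."""
    os.chmod(path, mode)


def safe_set_mode(path: str, mode: int, expected_uid: int) -> bool:
    """Hypothetical hardened helper (added example, not OpenRC code).

    Open without following a trailing symlink, check the object actually
    reached, then apply the mode through the descriptor so the check and
    the change refer to the same inode. Returns True if applied, False if
    the path was refused.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError as e:
        if e.errno == errno.ELOOP:
            return False  # final component is a symlink: refuse
        raise
    try:
        st = os.fstat(fd)
        if st.st_uid != expected_uid:
            return False  # not the owner we expected: refuse
        if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
            # extra name for a file we did not create: the userspace
            # counterpart of what fs.protected_hardlinks blocks in-kernel
            return False
        os.fchmod(fd, mode)
        return True
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario in a private temp dir: a symlink and a hard
    link planted where the helper expects its own file, plus one
    legitimate file. Returns what each helper did."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")  # stands in for a sensitive file
        with open(victim, "w") as f:
            f.write("x")
        os.chmod(victim, 0o600)

        # 1. planted symlink: the careless helper changes the victim's mode
        link = os.path.join(d, "planted-symlink")
        os.symlink(victim, link)
        unsafe_set_mode(link, 0o666)
        results["unsafe_changed_victim"] = (
            stat.S_IMODE(os.stat(victim).st_mode) == 0o666)
        os.chmod(victim, 0o600)

        # 2. same symlink: the hardened helper refuses, victim untouched
        results["safe_refused_symlink"] = safe_set_mode(link, 0o666, me) is False
        results["victim_mode_after_safe"] = stat.S_IMODE(os.stat(victim).st_mode)

        # 3. planted hard link: refused because the inode has two names
        hl = os.path.join(d, "planted-hardlink")
        os.link(victim, hl)
        results["safe_refused_hardlink"] = safe_set_mode(hl, 0o666, me) is False

        # 4. a file the helper legitimately owns: mode is applied
        own = os.path.join(d, "own-file")
        open(own, "w").close()
        results["safe_applied_own"] = safe_set_mode(own, 0o640, me)
        results["own_mode"] = stat.S_IMODE(os.stat(own).st_mode)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value if not isinstance(value, int) or isinstance(value, bool) else oct(value)}")
```

Run it as a normal user; no root is needed because the point is the difference between operating on a path name and operating on a verified descriptor. The same pattern applies to `chown` (`fchown` on the descriptor) and to directories (`O_DIRECTORY | O_NOFOLLOW`, with the `st_nlink` check dropped since directories legitimately have more than one link).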
| Subject | Author |
|---|---|
| Re: [gentoo-dev] Vanilla sources | "Toralf Förster" <toralf@g.o> |