Michael Orlitzky wrote:
> On 12/3/20 8:40 PM, Dale wrote:
>> Howdy,
>>
>> I've mentioned I follow -dev to see what is coming around the corner.
>> There is a thread on there about switching tmpfiles packages for
>> security reasons. I currently have sys-apps/opentmpfiles installed. I
>> guess that is the default for openrc. Someone mentioned
>> systemd-tmpfiles as an alternative that doesn't have the same security
>> problems.
>
> There's a full explanation here:
>
> http://michael.orlitzky.com/cves/cve-2017-18925.xhtml
>
> I'm a champion systemd hater, but you should switch to
> systemd-tmpfiles. There's no downside other than the name.
>
>


Will opentmpfiles be fixed at some point or is it true that it can't be
fixed? On -dev, I think I read where one person said it can't be
fixed. In that case, switching is likely a good idea since the insecure
package can't be fixed.

At the bottom of one of the links, it had this.


Mitigation

On Linux, the fs.protected_hardlinks sysctl should be enabled:

root # sysctl --write fs.protected_hardlinks=1


So, I first figured out how to see what mine was set at. A little man
page digging later and I got this.


root@fireball / # sysctl -n fs.protected_hardlinks
1
root@fireball / #


Does that improve things any or does that not really help anything?

While at it, I tend to do updates/switches in Konsole, while logged into
KDE. Is this a deep enough package that it should be done in a console and
in the boot runlevel, or is it safe to do like anything else? I read somewhere
that while this works on systemd, I don't think it is maintained by the
systemd folks. Can't recall where I read that though.

I still don't quite get what the package does. I read the links but
it's still murky.

Thanks for the info. Could be this helps others as well.

Dale

:-) :-)
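As an added example that is not part of this thread and not code from either tmpfiles project: the `sysctl --write` line quoted from the mitigation only changes the running kernel, so a practitioner would also want to know whether the setting (and its sibling fs.protected_* knobs) is on right now and have it survive a reboot. The script below reads the knobs straight from /proc/sys/fs, lists any that are off, and renders the contents of a sysctl.d drop-in for them; the drop-in file name and the proc-directory parameter are assumptions made for the example, and the boot-time service (OpenRC's sysctl service or systemd-sysctl) is what reads /etc/sysctl.d/ on the next boot.

```shell
#!/bin/sh
# Added example; not code from the thread or from either tmpfiles project.
# Audits the fs.protected_* sysctls behind the quoted mitigation and renders
# a sysctl.d drop-in for any that are off, because `sysctl --write` alone
# does not survive a reboot. The proc directory is a parameter so the
# checks can be exercised against a constructed directory.

# protected_hardlinks is the knob the mitigation names. The other three are
# the same family of link/open restrictions for world-writable sticky
# directories; protected_fifos and protected_regular exist only on
# kernels >= 4.19, so missing files are simply skipped.
PROTECTED_KNOBS="protected_hardlinks protected_symlinks protected_fifos protected_regular"

# Print "fs.<knob>=1" for each knob present under $1 (default /proc/sys/fs)
# whose current value is 0. Exit status is 0 only when protected_hardlinks
# exists and is enabled, so callers can test the mitigation directly.
list_unset_protections() {
    root="${1:-/proc/sys/fs}"
    hardlinks_ok=0
    for knob in $PROTECTED_KNOBS; do
        f="$root/$knob"
        [ -r "$f" ] || continue
        read -r value < "$f" || value=""
        # protected_fifos/protected_regular take 0, 1 or 2; any non-zero is on.
        if [ "$value" = "0" ]; then
            echo "fs.$knob=1"
        elif [ "$knob" = "protected_hardlinks" ]; then
            hardlinks_ok=1
        fi
    done
    [ "$hardlinks_ok" = "1" ]
}

# Render the contents of a drop-in such as /etc/sysctl.d/50-protected-links.conf
# (file name is an assumption). Prints only comments when nothing is off.
render_dropin() {
    echo "# fs.protected_* link protections (mitigation for CVE-2017-18925)"
    unset_list=$(list_unset_protections "${1:-/proc/sys/fs}") || :
    if [ -z "$unset_list" ]; then
        echo "# all fs.protected_* knobs offered by this kernel are already on"
    else
        echo "$unset_list"
    fi
}

# Usage: `sh protected_links.sh check` prints the drop-in for the live kernel;
# `sh protected_links.sh apply` (as root) writes it and reloads sysctl.d.
case "${1:-}" in
    check) render_dropin ;;
    apply) render_dropin > /etc/sysctl.d/50-protected-links.conf && sysctl --system ;;
esac
```

Running `check` on the box from the message should report nothing to change for fs.protected_hardlinks, since `sysctl -n` already printed 1; what it adds is the check for the remaining knobs and the persistent file, which the one-off `sysctl --write` in the mitigation does not give you.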