| 1 |
Michael Orlitzky wrote: |
| 2 |
> On 12/3/20 8:40 PM, Dale wrote: |
| 3 |
>> Howdy, |
| 4 |
>> |
| 5 |
>> I've mentioned I follow -dev to see what is coming around the corner. |
| 6 |
>> There is a thread on there about switching tmpfiles packages for |
| 7 |
>> security reasons. I currently have sys-apps/opentmpfiles installed. I |
| 8 |
>> guess that is the default for openrc. Someone mentioned |
| 9 |
>> systemd-tmpfiles as a alternative that doesn't have the same security |
| 10 |
>> problems. |
| 11 |
> |
| 12 |
> There's a full explanation here: |
| 13 |
> |
| 14 |
> http://michael.orlitzky.com/cves/cve-2017-18925.xhtml |
| 15 |
> |
| 16 |
> I'm a champion systemd hater, but you should switch to |
| 17 |
> systemd-tmpfiles. There's no downside other than the name. |
| 18 |
> |
| 19 |
> |
| 20 |
|
| 21 |
|
| 22 |
Will opentmpfiles be fixed at some point or is it true that it can't be |
| 23 |
fixed? On -dev, I think I read where one person said it can't be |
| 24 |
fixed. In that case, switching is likely a good idea since the insecure |
| 25 |
package can't be fixed. |
| 26 |
|
| 27 |
At the bottom of one of the links, it had this. |
| 28 |
|
| 29 |
|
| 30 |
Mitigation |
| 31 |
|
| 32 |
On Linux, the fs.protected_hardlinks sysctl should be enabled: |
| 33 |
|
| 34 |
root # sysctl --write fs.protected_hardlinks=1 |
| 35 |
|
| 36 |
|
| 37 |
So, I first figured out how to see what mine was set at. Little man |
| 38 |
page digging later and got this. |
| 39 |
|
| 40 |
|
| 41 |
root@fireball / # sysctl -n fs.protected_hardlinks |
| 42 |
1 |
| 43 |
root@fireball / # |
| 44 |
|
| 45 |
|
| 46 |
Does that improve things any or does that not really help anything? |
| 47 |
|
| 48 |
While at it, I tend to do updates/switches in Konsole, while logged into |
| 49 |
KDE. Is this deep enough a package it should be done in a console and |
| 50 |
in the boot runlevel or safe to do like anything else? I read somewhere |
| 51 |
that while this works on systemd, I don't think it is maintained by the |
| 52 |
systemd folks. Can't recall where I read that tho. |
| 53 |
|
| 54 |
I still don't quite get what the package does. I read the links but |
| 55 |
it's still murky. |
| 56 |
|
| 57 |
Thanks for the info. Could be this helps others as well. |
| 58 |
|
| 59 |
Dale |
| 60 |
|
| 61 |
:-) :-) |
Archives