On 12/4/20 1:44 AM, Dale wrote:
>
> Will opentmpfiles be fixed at some point or is it true that it can't be
> fixed? On -dev, I think I read where one person said it can't be
> fixed. In that case, switching is likely a good idea since the insecure
> package can't be fixed.
>

The answer is a bit complicated. The first thing we need to understand
is that opentmpfiles is supposed to be a cross-platform (i.e. POSIX)
implementation of the systemd-tmpfiles program. Systemd itself only runs
on newer versions of linux, and since it has control of the entire
system, it can enable those non-standard symlink and hardlink
protections. So,

* systemd-tmpfiles is secure, but only on linux, and only if you let
  it enable fs.protected_hardlinks for you.

The security there comes from two places. The first is that everything
was implemented carefully in C to avoid these problems, and the second
is that fs.protected_hardlinks solves the otherwise-unavoidable hardlink
exploits.

Now for contrast, opentmpfiles is INsecure for two reasons:

(1) It's written in shell script, so it doesn't have the ability to
    pass e.g. O_NOFOLLOW to all of the calls that might follow
    symlinks. And shell programs all operate on path names as opposed
    to file descriptors, so race conditions are impossible to avoid.

(2) The fs.protected_hardlinks sysctl is not cross-platform, so if
    it's to fulfill its stated design goals, opentmpfiles can't rely
    on fs.protected_hardlinks.

The first problem is fixable, but the second is not. If opentmpfiles is
rewritten in C, it could be just as secure as systemd-tmpfiles... but
**only on linux with fs.protected_hardlinks enabled**.

It will never be both secure and cross-platform. The design of the whole
tmpfiles.d thing is flawed in that regard.


>
> root@fireball / # sysctl -n fs.protected_hardlinks
> 1
> root@fireball / #
>
>
> Does that improve things any or does that not really help anything?
>

It completely fixes one of the problems (hardlinks), but does nothing
for the other (non-terminal symlinks).