| 1 |
On 12/6/20 2:55 AM, Martin Vaeth wrote: |
| 2 |
> Dale <rdalek1967@×××××.com> wrote: |
| 3 |
>> |
| 4 |
>> It sounds like a rather rare problem. Maybe even only during boot up. |
| 5 |
> |
| 6 |
> It is a non-existent problem on openrc if you clean /tmp and /var/tmp |
| 7 |
> on boot (which you should do if you use opentmp): |
| 8 |
> |
| 9 |
> The purpose of opentmpfiles is to fill these directories with |
| 10 |
> certain data during boot, and when run only during boot |
| 11 |
> (as it is supposed to be) there is nothing wrong with it. |
| 12 |
> |
| 13 |
|
| 14 |
Why are you focusing on /tmp and /var/tmp? These entries are exploitable |
| 15 |
everywhere. To pick a relevant example, app-portage/eix installs the |
| 16 |
following: |
| 17 |
|
| 18 |
$ cat /usr/lib/tmpfiles.d/eix.conf |
| 19 |
d /var/cache/eix 0775 portage portage - |
| 20 |
|
| 21 |
If that was a 'Z' entry, or if it created another portage:portage |
| 22 |
directory beneath /var/cache/eix, then the "portage" user could easily |
| 23 |
gain root whenever opentmpfiles is run. That happens not only on |
| 24 |
reboots, but also when a package is (re)installed. Again, picking on |
| 25 |
eix's ebuild: |
| 26 |
|
| 27 |
pkg_postinst() { |
| 28 |
tmpfiles_process eix.conf |
| 29 |
... |
| 30 |
|
| 31 |
(The portage user gain already gain root, but you get the idea.) |
Archives