1 |
On 12/6/20 2:55 AM, Martin Vaeth wrote: |
2 |
> Dale <rdalek1967@×××××.com> wrote: |
3 |
>> |
4 |
>> It sounds like a rather rare problem. Maybe even only during boot up. |
5 |
> |
6 |
> It is a non-existent problem on openrc if you clean /tmp and /var/tmp |
7 |
> on boot (which you should do if you use opentmp): |
8 |
> |
9 |
> The purpose of opentmpfiles is to fill these directories with |
10 |
> certain data during boot, and when run only during boot |
11 |
> (as it is supposed to be) there is nothing wrong with it. |
12 |
> |
13 |
|
14 |
Why are you focusing on /tmp and /var/tmp? These entries are exploitable |
15 |
everywhere. To pick a relevant example, app-portage/eix installs the |
16 |
following: |
17 |
|
18 |
$ cat /usr/lib/tmpfiles.d/eix.conf |
19 |
d /var/cache/eix 0775 portage portage - |
20 |
|
21 |
If that was a 'Z' entry, or if it created another portage:portage |
22 |
directory beneath /var/cache/eix, then the "portage" user could easily |
23 |
gain root whenever opentmpfiles is run. That happens not only on |
24 |
reboots, but also when a package is (re)installed. Again, picking on |
25 |
eix's ebuild: |
26 |
|
27 |
pkg_postinst() { |
28 |
tmpfiles_process eix.conf |
29 |
... |
30 |
|
31 |
(The portage user gain already gain root, but you get the idea.) |