On 12/4/20 3:55 AM, tastytea wrote:
From what I could gather, opentmpfiles is only vulnerable when an attacker is able to put a config file into /etc/tmpfiles.d/, so they have to be already root.
The exploit does require an entry in /etc/tmpfiles.d, but many packages install perfectly innocent files there that happen to be exploitable because opentmpfiles handles them insecurely.
