Michael Orlitzky wrote:
> On 12/4/20 12:02 PM, Dale wrote:
>>
>> So basically, that package would have to start over from scratch to be
>> fixed. That's not very likely if history means anything.
>>
>
> I think the opentmpfiles devs are planning to copy/paste the
> systemd-tmpfiles C code into opentmpfiles eventually. That will make
> it safe on Linux, obviously, since systemd-tmpfiles is... but will
> leave the hardlink problem unsolved on other kernels.
>
> There's no way to make opentmpfiles both cross-platform and safe. It's
> possible to do so with OpenRC more generally, but that's a larger
> undertaking that I suspect no one is interested in taking under:
>
> 1. Give up on tmpfiles entirely
> 2. Replace "checkpath" in OpenRC with something that drops privileges
> 3. Rewrite all of the init scripts that rely on tmpfiles
> 4. Rework any packages that use tmpfiles without an OpenRC service
>
>
>> Sounds like switching is the best path and really, about the only path.
>> Until something better comes along or the default is redone from
>> scratch, not switching leaves a door open for a bad guy.
>
> Exactly.
>
>
>> Do you know if the systemd devs manage this or is this package done
>> outside of them? Since some don't like systemd, myself being one of
>> them, I'd like to know what group maintains that package.
>
> Lennart "fuck Gentoo" Poettering is still in charge of
> systemd-tmpfiles, but there's nothing bad to be said about him in this
> regard. Compare his immediate and complete response to these issues,
>
> * https://github.com/systemd/systemd/issues/7736
> * https://github.com/systemd/systemd/issues/7986
>
> with the fact that the opentmpfiles bugs have sat there unaddressed
> for three years.
>
It sounds like both packages will end up being the same. Sort of. Switching it is.

I read through those links. I admit, a lot of it went over my head but I did get a somewhat better understanding of how it is insecure. It seems to me like it would be a difficult thing to accomplish but if one does, it could get bad.

Thanks much for all the info. It helped me and I hope it helped others as well.

Dale

:-) :-)