Michael Orlitzky wrote:
> On 12/3/20 8:40 PM, Dale wrote:
>> Howdy,
>>
>> I've mentioned I follow -dev to see what is coming around the corner.
>> There is a thread on there about switching tmpfiles packages for
>> security reasons. I currently have sys-apps/opentmpfiles installed. I
>> guess that is the default for openrc. Someone mentioned
>> systemd-tmpfiles as an alternative that doesn't have the same security
>> problems.
>
> There's a full explanation here:
>
> http://michael.orlitzky.com/cves/cve-2017-18925.xhtml
>
> I'm a champion systemd hater, but you should switch to
> systemd-tmpfiles. There's no downside other than the name.
>
Will opentmpfiles be fixed at some point, or is it true that it can't be
fixed? On -dev, I think I read where one person said it can't be fixed.
In that case, switching is likely a good idea, since the insecure package
can't be fixed.

At the bottom of one of the links, it had this.

  Mitigation

  On Linux, the fs.protected_hardlinks sysctl should be enabled:

  root # sysctl --write fs.protected_hardlinks=1

So, I first figured out how to see what mine was set at. A little man page
digging later and I got this.

root@fireball / # sysctl -n fs.protected_hardlinks
1
root@fireball / #

Does that improve things any, or does that not really help anything?

While at it, I tend to do updates/switches in Konsole, while logged into
KDE. Is this deep enough a package that it should be done in a console
and in the boot runlevel, or is it safe to do like anything else?

I read somewhere that while this works on systemd, I don't think it is
maintained by the systemd folks. Can't recall where I read that tho.

I still don't quite get what the package does. I read the links but it's
still murky.

Thanks for the info. Could be this helps others as well.

Dale

:-)  :-)
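The `sysctl -n fs.protected_hardlinks` check above only reads the knob. The script below, an added example and not part of the thread or of either tmpfiles project, also probes what the kernel actually enforces when the knob is 1: an unprivileged process may hard-link a file only if it owns that file or already has read and write access to it (root, with CAP_FOWNER, is never restricted). It assumes a Linux host with /proc mounted, a `stat` that accepts `-c %d` (GNU coreutils or busybox) and `mktemp -d`; /etc/passwd is used as a sample root-owned, world-readable, non-writable target, which is an assumption about the system it runs on. Running it as root yields "skipped", because the restriction does not apply to root.

```sh
#!/bin/sh
# Added example (not from the thread): read and empirically verify the
# fs.protected_hardlinks mitigation. Assumes Linux, /proc, stat -c %d, mktemp.

# Read the current value straight from procfs (no procps needed).
# Prints 0, 1, or "unknown" when the file is absent (non-Linux, no /proc).
read_protected_hardlinks() {
    if [ -r /proc/sys/fs/protected_hardlinks ]; then
        cat /proc/sys/fs/protected_hardlinks
    else
        echo "unknown"
    fi
}

# Map the raw value to the behaviour the kernel documents:
#   1: unprivileged users may only hard-link files they own or can read+write
#   0: any user may hard-link any file they can reach in the directory tree
describe_protected_hardlinks() {
    case "$1" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Try, as the current user, to hard-link a file we neither own nor can write
# (default assumption: /etc/passwd). Prints "refused" when link(2) fails,
# which is what protected_hardlinks=1 produces for a non-owner without write
# access; "allowed" when the link is created; "skipped: ..." when the probe
# cannot be made meaningful (root, missing target, no same-device directory).
probe_hardlink() {
    target="${1:-/etc/passwd}"
    if [ ! -e "$target" ]; then
        echo "skipped: $target does not exist"
        return 0
    fi
    if [ "$(id -u)" = 0 ]; then
        echo "skipped: running as root, the restriction never applies"
        return 0
    fi
    # link(2) cannot cross filesystems, so the link must live on the same
    # device as the target. Compare st_dev and pick a writable directory.
    tdev=$(stat -c %d "$target" 2>/dev/null) || {
        echo "skipped: cannot stat $target"
        return 0
    }
    linkdir=""
    for d in "${TMPDIR:-/tmp}" "$HOME" /var/tmp /dev/shm .; do
        [ -d "$d" ] && [ -w "$d" ] || continue
        if [ "$(stat -c %d "$d" 2>/dev/null)" = "$tdev" ]; then
            linkdir=$(mktemp -d "$d/hardlink-probe.XXXXXX") && break
        fi
    done
    if [ -z "$linkdir" ]; then
        echo "skipped: no writable directory on the same filesystem as $target"
        return 0
    fi
    if ln "$target" "$linkdir/probe" 2>/dev/null; then
        result="allowed"
    else
        result="refused"
    fi
    rm -rf "$linkdir"
    echo "$result"
}

# Stand-alone report: the configured value next to the observed behaviour.
report_hardlink_protection() {
    value=$(read_protected_hardlinks)
    echo "fs.protected_hardlinks = $value ($(describe_protected_hardlinks "$value"))"
    echo "hard-linking ${1:-/etc/passwd} as uid $(id -u): $(probe_hardlink "$1")"
}

report_hardlink_protection "$@"
```

Run it as an ordinary user; with the sysctl at 1 the second line should say "refused", and with it at 0 "allowed". The two lines disagreeing (value 1 but "allowed") is the case worth investigating, for example a distribution kernel or container runtime that reports the knob but does not enforce it on that mount.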