| field | value | date |
|---|---|---|
| author | Sam James <sam@gentoo.org> | 2021-07-09 13:33:08 +0100 |
| committer | Sam James <sam@gentoo.org> | 2021-07-09 13:33:08 +0100 |
| commit | a93dbc1701de3b983c6f791391f7967d4b919b4a (patch) | |
| tree | f9649a8bf038f77594e9b129634297b141137646 | |
| parent | 2021-07-07-systemd-tmpfiles: add news item (diff) | |
| download | gentoo-news-a93dbc1701de3b983c6f791391f7967d4b919b4a.tar.gz, gentoo-news-a93dbc1701de3b983c6f791391f7967d4b919b4a.tar.bz2, gentoo-news-a93dbc1701de3b983c6f791391f7967d4b919b4a.zip | |
Revert "2021-07-07-systemd-tmpfiles: add news item"
This reverts commit 29519425838e9b67c6802e321ce52c76a65c2215.
Reverting for now to allow more time for review on the mailing list
and to fix title / date posted, after discussion on IRC.
Signed-off-by: Sam James <sam@gentoo.org>
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | 2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt | 66 |

1 files changed, 0 insertions, 66 deletions
diff --git a/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt b/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt deleted file mode 100644 index 159f95f..0000000 --- a/2021-07-07-systemd-tmpfiles/2021-07-07-systemd-tmpfiles.en.txt +++ /dev/null 
@@ -1,66 +0,0 @@ -Title: systemd-tmpfiles replaces opentmpfiles due to security issues -Author: Georgy Yakovlev <gyakovlev@gentoo.org> -Author: Sam James <sam@gentoo.org> -Posted: 2021-07-07 -Revision: 1 -News-Item-Format: 2.0 -Display-If-Installed: sys-apps/opentmpfiles -Display-If-Installed: sys-apps/systemd-tmpfiles - -A tmpfiles [0] implementation provides a generic mechanism to define -the creation of regular files, directories, pipes, and device nodes, -adjustments to their access mode, ownership, attributes, quota -assignments, and contents, and finally their time-based removal. -It is commonly used for volatile and temporary files and directories -such as those located under /run/, /tmp/, /var/tmp/, the API file -systems such as /sys/ or /proc/, as well as some other directories -below /var/. [1] - -On 2021-07-06, the sys-apps/opentmpfiles package was masked due to a -root privilege escalation vulnerability (CVE-2017-18925 [2], -bug #751415 [3], issue 4 [4] upstream). - -The use of opentmpfiles is discouraged by its maintainer due to the -unpatched vulnerability and other long-standing bugs [5]. - -Users will start seeing their package manager trying to replace -sys-apps/opentmpfiles with sys-apps/systemd-tmpfiles because it is -another provider of virtual/tmpfiles. - -Despite the name, 'systemd-tmpfiles' does not depend on systemd, does -not use dbus, and is just a drop-in replacement for opentmpfiles. It is -a small binary built from systemd source code, but works separately, -similarly to eudev or elogind. It is known to work on both glibc and -musl systems. - -Note that systemd-tmpfiles is specifically for non-systemd systems. It -is intended to be used on an OpenRC system. - -If you wish to selectively test systemd-tmpfiles, follow those steps: - - 1. # emerge --oneshot sys-apps/systemd-tmpfiles - 2. # reboot - 3. # rm /etc/runlevels/boot/opentmpfiles-setup - 4. # rm /etc/runlevels/sysinit/opentmpfiles-dev - -No other steps required. 
- -If, after reviewing the linked bug reference for opentmpfiles, you feel -your system is not vulnerable/applicable to the attack described, you -can unmask [6] opentmpfiles at your own risk: - - 1. In /etc/portage/package.unmask, add a line: - -sys-apps/opentmpfiles- - 2. # emerge --oneshot sys-apps/opentmpfiles - -Note that opentmpfiles is likely to be removed from gentoo repository -in the future. - -[0] https://www.freedesktop.org/software/systemd/man/systemd-tmpfiles.html -[1] https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html -[2] https://nvd.nist.gov/vuln/detail/CVE-2017-18925 -[3] https://bugs.gentoo.org/751415 -[4] https://github.com/OpenRC/opentmpfiles/issues/4 -[5] https://bugs.gentoo.org/741216 -[6] https://wiki.gentoo.org/wiki/Knowledge_Base:Unmasking_a_package - |
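Review bot: the hunk is a clean whole-file deletion (66 removed lines, matching the diffstat), so the revert itself is fine, but two points in the removed text are worth fixing before the item is re-added: in the "selectively test systemd-tmpfiles" procedure, step 2 reboots before steps 3 and 4 remove opentmpfiles-setup and opentmpfiles-dev from the boot and sysinit runlevels, so the first boot after the switch still references the opentmpfiles services; the reboot should be the last step. Second, the package.unmask entry is shown as "sys-apps/opentmpfiles-" with a trailing hyphen, which does not parse as a package atom; unless that is a rendering artifact of the diff, the line should read "sys-apps/opentmpfiles". The commit message also says the revert is to fix the title and Posted date, so those headers should be re-checked against the actual posting date in the re-submitted version.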