On 12/6/20 2:55 AM, Martin Vaeth wrote:
> Dale <rdalek1...@gmail.com> wrote:
>>
>> It sounds like a rather rare problem. Maybe even only during boot up.
>
> It is a non-existent problem on openrc if you clean /tmp and /var/tmp
> on boot (which you should do if you use opentmp):
>
> The purpose of opentmpfiles is to fill these directories with
> certain data during boot, and when run only during boot
> (as it is supposed to be) there is nothing wrong with it.


Why are you focusing on /tmp and /var/tmp? These entries are exploitable everywhere. To pick a relevant example, app-portage/eix installs the following:

  $ cat /usr/lib/tmpfiles.d/eix.conf
  d /var/cache/eix 0775 portage portage -

If that was a 'Z' entry, or if it created another portage:portage directory beneath /var/cache/eix, then the "portage" user could easily gain root whenever opentmpfiles is run. That happens not only on reboots, but also when a package is (re)installed. Again, picking on eix's ebuild:

  pkg_postinst() {
    tmpfiles_process eix.conf
    ...

(The portage user can already gain root, but you get the idea.)

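An added example, not part of the original message and not code from opentmpfiles or eix: a small audit that reads tmpfiles.d entries and flags for review the two cases the mail describes, a 'Z' entry with a non-root owner and an entry whose path lies beneath a directory that another entry gives to a non-root user. The sample lines other than the quoted eix.conf line are constructed, and the finding labels and the `/etc/tmpfiles.d` location are assumptions of this example.

```python
import glob
import posixpath

# Constructed sample: the eix.conf line quoted in the mail, then hypothetical
# lines (not shipped by any package) for the two cases the mail describes.
SAMPLE = """\
d /var/cache/eix 0775 portage portage -
d /var/cache/eix/sub 0775 portage portage -
Z /var/cache/example 0755 portage portage -
d /run/example 0755 root root -
"""

def parse(text):
    """Yield (type letter, normalized path, user) per tmpfiles.d entry."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        user = fields[3] if len(fields) > 3 else "-"
        yield fields[0][0], posixpath.normpath(fields[1]), user

def is_root(user):
    # "-" means the default owner, which is root
    return user in ("-", "root", "0")

def audit(text):
    """Return (kind, path, detail) findings for entries that merit review."""
    entries = list(parse(text))
    # Directories that some entry creates for a non-root user
    owned = {p: u for t, p, u in entries if t in "dDvqQ" and not is_root(u)}
    findings = []
    for kind, path, user in entries:
        if kind == "Z" and not is_root(user):
            findings.append(("recursive-Z", path, user))
        parent = posixpath.dirname(path)
        while parent != posixpath.dirname(parent):  # stop at the root
            if parent in owned:
                findings.append(("beneath-non-root-dir", path, parent))
                break
            parent = posixpath.dirname(parent)
    return findings

if __name__ == "__main__":
    # Audit all installed entries together so nesting across files is seen
    files = glob.glob("/usr/lib/tmpfiles.d/*.conf") + glob.glob("/etc/tmpfiles.d/*.conf")
    text = "\n".join(open(f, errors="replace").read() for f in files)
    for finding in audit(text):
        print(*finding)
```

The eix.conf line on its own produces no finding, which matches the mail: it becomes a problem only as a 'Z' entry or with a second non-root directory beneath it.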