On Fri, 3 Jan 2020 15:48:54 +0100
Toralf Förster wrote:
> # Restrict potential illegal access via links
> #
> fs.protected_hardlinks = 1
> fs.protected_symlinks = 1
Given the issues with openrc:
Wouldn't it be a good idea to add these by default to Gentoo's
sysctl.conf in baselayout?
As
Hi,
I'd like to officially RFC establishing the 'Distribution kernel'
project. As the project page [1] says, our goal is to maintain sys-
kernel/*-kernel packages. The goals are:
1. Covering kernel maintenance wholly within packages (install via
emerge, upgrade as part of @world upgrade), witho
On Fri, 3 Jan 2020 22:34:19 +
Michael 'veremitz' Everitt wrote:
> On 03/01/20 10:36, David Seifert wrote:
> > On Thu, 2020-01-02 at 21:54 +, Michael 'veremitz' Everitt wrote:
> >> On 02/01/20 21:08, Michał Górny wrote:
> >>> On Thu, 2020-01-02 at 21:15 +0100, Ulrich Mueller wrote:
>
On 03/01/2020 23:34, Michael 'veremitz' Everitt wrote:
On 03/01/20 10:36, David Seifert wrote:
On Thu, 2020-01-02 at 21:54 +, Michael 'veremitz' Everitt wrote:
On 02/01/20 21:08, Michał Górny wrote:
On Thu, 2020-01-02 at 21:15 +0100, Ulrich Mueller wrote:
On Thu, 02 Jan 2020, Michał Górny
On 03/01/20 10:36, David Seifert wrote:
> On Thu, 2020-01-02 at 21:54 +, Michael 'veremitz' Everitt wrote:
>> On 02/01/20 21:08, Michał Górny wrote:
>>> On Thu, 2020-01-02 at 21:15 +0100, Ulrich Mueller wrote:
> On Thu, 02 Jan 2020, Michał Górny wrote:
> --- a/eclass/ruby-ng.eclass
On 03/01/20 14:48, Toralf Förster wrote:
> On 1/3/20 3:46 PM, Rich Freeman wrote:
>> If OpenRC contains a vulnerability wouldn't it make more sense to set
>> this as part of OpenRC,
> Indeed.
>
> Furthermore there's a nifty page
> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/R
On 10/20/19 1:22 PM, Pacho Ramos wrote:
> Hello
>
> I almost lost access to the unique printer that was relying on this driver.
> Also, even if the current latest version was still working there, it will
> need a
> major update to newer cnRdrvcups driver sooner or later
> https://aur.archlinux.or
On January 3, 2020 9:55:31 AM EST, Michael Orlitzky wrote:
>On 1/3/20 9:52 AM, Michael Orlitzky wrote:
>>
>> But here we are. Do we make OpenRC Linux-only and steal the fix from
>> systemd? Or pretend to support other operating systems, but leave
>them
>> insecure?
>>
>
>Or the gripping hand:
On 1/3/20 9:52 AM, Michael Orlitzky wrote:
>
> But here we are. Do we make OpenRC Linux-only and steal the fix from
> systemd? Or pretend to support other operating systems, but leave them
> insecure?
>
Or the gripping hand: rewrite opentmpfiles in C, so that it's only as
insecure as checkpath.
On 1/3/20 9:46 AM, Rich Freeman wrote:
>
> ...
>
> In any case this seems more like an OpenRC issue than a Gentoo issue.
>
It's a specification issue. There's no way to implement tmpfiles safely
on a POSIX system, and opentmpfiles shouldn't exist if OpenRC wants to
work on anything other than L
On 1/3/20 3:46 PM, Rich Freeman wrote:
> If OpenRC contains a vulnerability wouldn't it make more sense to set
> this as part of OpenRC,
Indeed.
Furthermore there's a nifty page
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings
which yields for me to this /etc
On Fri, Jan 3, 2020 at 9:41 AM Michael Orlitzky wrote:
>
> On 1/3/20 9:40 AM, Toralf Förster wrote:
> > On 1/3/20 3:37 PM, Michael Orlitzky wrote:
> >> The gentoo-sources aren't 100% safe either, but the exploitable scenario
> >> is less common thanks to fs.protected_{hardlinks,symlinks}=1.
> >
>
On 1/3/20 9:40 AM, Toralf Förster wrote:
> On 1/3/20 3:37 PM, Michael Orlitzky wrote:
>> The gentoo-sources aren't 100% safe either, but the exploitable scenario
>> is less common thanks to fs.protected_{hardlinks,symlinks}=1.
>
> But this can be easily achieved w/o installing gentoo-sources, or?
On 1/3/20 3:37 PM, Michael Orlitzky wrote:
> The gentoo-sources aren't 100% safe either, but the exploitable scenario
> is less common thanks to fs.protected_{hardlinks,symlinks}=1.
But this can be easily achieved w/o installing gentoo-sources, or?
--
Toralf
PGP 23217DA7 9B888F45
signature.as
On 1/2/20 6:35 PM, Rolf Eike Beer wrote:
>
> I only run vanilla-sources since there are still lot of cache corruption
> problems in hppa kernels, or whatever makes them flaky.
The vanilla-sources are unsafe to use on Gentoo. Many services have
stupid-easy root exploits, since we install tmpfiles
On 1/3/20 1:23 PM, Joerg Bornkessel wrote:
media-video/vdrtools-genindex
is an useless leftover from older media-video/vdr install
this function is included in the core vdr
use "vdr --genindex=REC" for this
removal from tree ~31 Jan 2020
wrt bug 704692
reverted pmask, as it is still needed by
# Joerg Bornkessel
# package is broken by all version of imagemagick
# several open bugs on upstream
# Upstream did not reply about project status
# wrt bug 314315
# removal ~2020-01-31
media-plugins/vdr-skinenigmang
--
Joerg Bornkessel
GnuPG Key: 0x93EB5F4DAA5832A1
Fingerprint: 0E0A A1EE 1DF4
media-video/vdrtools-genindex
is an useless leftover from older media-video/vdr install
this function is included in the core vdr
use "vdr --genindex=REC" for this
removal from tree ~31 Jan 2020
wrt bug 704692
--
Joerg Bornkessel
GnuPG Key: 0x93EB5F4DAA5832A1
Fingerprint: 0E0A A1EE 1DF4 41D7 A3
A user reported that when compiling modules for a system with a 64-bit
kernel and a 32-bit userland, there were linker errors. This patch here
is an attempt to fix that by making sure that we always use the kernel
ABI when giving target build parameters.
Signed-off-by: Jason A. Donenfeld
Fixes: h
A user reported that when compiling modules for a system with a 64-bit
kernel and a 32-bit userland, there were linker errors. This patch here
is an attempt to fix that by making sure that we always use the kernel
ABI when giving target build parameters.
Signed-off-by: Jason A. Donenfeld
Fixes: h
On Thu, 2020-01-02 at 21:54 +, Michael 'veremitz' Everitt wrote:
> On 02/01/20 21:08, Michał Górny wrote:
> > On Thu, 2020-01-02 at 21:15 +0100, Ulrich Mueller wrote:
> > > > > > > > On Thu, 02 Jan 2020, Michał Górny wrote:
> > > > --- a/eclass/ruby-ng.eclass
> > > > +++ b/eclass/ruby-ng.eclass
Am Freitag, 3. Januar 2020, 03:40:35 CET schrieb Aaron Bauman:
> On January 2, 2020 6:35:08 PM EST, Rolf Eike Beer wrote:
> >Am Freitag, 3. Januar 2020, 00:25:06 CET schrieb Mike Pagano:
> >> hppa is making us keep old kernels around [1]. Should the kernel team be
> >> doing more to get your att
22 matches
Mail list logo
