From 9241b281d7244ef91e065767dbb2cba18299d4fc Mon Sep 17 00:00:00 2001
From: Sam James
Date: Thu, 15 Jul 2021 22:22:51 +0100
Subject: 2021-07-15-opentmpfiles-deprecation: add news item

Signed-off-by: Georgy Yakovlev
Signed-off-by: Sam James
---
 .../2021-07-15-opentmpfiles-deprecation.en.txt | 69 ++++++++++++++++++++++
 1 file changed, 69 insertions(+)
 create mode 100644 2021-07-15-opentmpfiles-deprecation/2021-07-15-opentmpfiles-deprecation.en.txt

diff --git a/2021-07-15-opentmpfiles-deprecation/2021-07-15-opentmpfiles-deprecation.en.txt b/2021-07-15-opentmpfiles-deprecation/2021-07-15-opentmpfiles-deprecation.en.txt
new file mode 100644
index 0000000..9f952d4
--- /dev/null
+++ b/2021-07-15-opentmpfiles-deprecation/2021-07-15-opentmpfiles-deprecation.en.txt
@@ -0,0 +1,69 @@ +Title: systemd-tmpfiles replaces deprecated opentmpfiles +Author: Georgy Yakovlev +Author: Sam James +Posted: 2021-07-15 +Revision: 1 +News-Item-Format: 2.0 +Display-If-Installed: sys-apps/opentmpfiles +Display-If-Installed: sys-apps/systemd-tmpfiles + +A tmpfiles [0] implementation provides a generic mechanism to define +the creation of regular files, directories, pipes, and device nodes, +adjustments to their access mode, ownership, attributes, quota +assignments, and contents, and finally their time-based removal. +It is commonly used for volatile and temporary files and directories +such as those located under /run/, /tmp/, /var/tmp/, the API file +systems such as /sys/ or /proc/, as well as some other directories +below /var/. [1] + +On 2021-07-06, the sys-apps/opentmpfiles package was initially masked +due to a root privilege escalation vulnerability (CVE-2017-18925 [2], +bug #751415 [3], issue 4 [4] upstream). + +The severity of this vulnerability is disputed due to the practical +obstacles to its exploitation in any default or supported configuration. + +That said, the use of opentmpfiles is discouraged by its maintainer due +to the unpatched vulnerability and other long-standing bugs [5]. It has +now been declared obsolete in favour of systemd-tmpfiles by opentmpfiles +upstream. + +Users will start seeing their package manager trying to replace +sys-apps/opentmpfiles with sys-apps/systemd-tmpfiles because it is +another provider of virtual/tmpfiles. + +Despite the name, 'systemd-tmpfiles' does not depend on systemd, does +not use dbus, and is just a drop-in replacement for opentmpfiles. It is +a small binary built from systemd source code, but works separately, +similarly to eudev or elogind. It is known to work on both glibc and +musl systems. + +Note that systemd-tmpfiles is specifically for non-systemd systems. It +is intended to be used on an OpenRC system. 
+ +If you wish to selectively test systemd-tmpfiles, follow those steps: + + 1. # emerge --oneshot sys-apps/systemd-tmpfiles + 2. # reboot + 3. # rm /etc/runlevels/boot/opentmpfiles-setup + 4. # rm /etc/runlevels/sysinit/opentmpfiles-dev + +No other steps required. + +If you still wish to use opentmpfiles for the time being, you can unmask [6] +opentmpfiles: + 1. In /etc/portage/package.unmask, add a line: + -sys-apps/opentmpfiles- + 2. # emerge --oneshot sys-apps/opentmpfiles + +Note that opentmpfiles is likely to be removed from gentoo repository +in the future. You may wish to put it in a local overlay instead [7]. + +[0] https://www.freedesktop.org/software/systemd/man/systemd-tmpfiles.html +[1] https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html +[2] https://nvd.nist.gov/vuln/detail/CVE-2017-18925 +[3] https://bugs.gentoo.org/751415 +[4] https://github.com/OpenRC/opentmpfiles/issues/4 +[5] https://bugs.gentoo.org/741216 +[6] https://wiki.gentoo.org/wiki/Knowledge_Base:Unmasking_a_package +[7] https://wiki.gentoo.org/wiki/Custom_ebuild_repository#Creating_a_local_repository -- cgit v1.2.3-65-gdbad
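Review bot: the migration steps in this hunk reboot (step 2) before the old runlevel entries are removed (steps 3 and 4), and nothing in the item says how systemd-tmpfiles itself gets enabled in the boot and sysinit runlevels, so as written the reader cannot tell what tmpfiles service runs on the first boot after step 1, and steps 3 and 4 then only delete symlinks whose init scripts were already unmerged with opentmpfiles. Either move the removal before the reboot and add the step that enables the new service, or state explicitly that emerging sys-apps/systemd-tmpfiles adds its init scripts to those runlevels, so that "No other steps required." is actually true. Prefer the OpenRC tooling over unlinking files by hand there, i.e. `rc-update del opentmpfiles-setup boot` and `rc-update del opentmpfiles-dev sysinit`. Separately, the package.unmask line reads `-sys-apps/opentmpfiles-`, which is not a valid atom as printed; it should be `sys-apps/opentmpfiles`. Minor wording: "follow those steps" should be "follow these steps", and "from gentoo repository" should be "from the Gentoo repository".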