Title: systemd-tmpfiles replaces opentmpfiles due to security issues
Author: Georgy Yakovlev
Author: Sam James
Posted: 2021-07-07
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: sys-apps/opentmpfiles
Display-If-Installed: sys-apps/systemd-tmpfiles

A tmpfiles [0] implementation provides a generic mechanism to define the creation of regular files, directories, pipes, and device nodes, adjustments to their access mode, ownership, attributes, quota assignments, and contents, and finally their time-based removal. It is commonly used for volatile and temporary files and directories such as those located under /run/, /tmp/, /var/tmp/, the API file systems such as /sys/ or /proc/, as well as some other directories below /var/. [1]

On 2021-07-06, the sys-apps/opentmpfiles package was masked due to a root privilege escalation vulnerability (CVE-2017-18925 [2], bug #751415 [3], issue 4 [4] upstream). The use of opentmpfiles is discouraged by its maintainer due to the unpatched vulnerability and other long-standing bugs [5].

Users will start seeing their package manager trying to replace sys-apps/opentmpfiles with sys-apps/systemd-tmpfiles because it is another provider of virtual/tmpfiles.

Despite the name, 'systemd-tmpfiles' does not depend on systemd, does not use dbus, and is just a drop-in replacement for opentmpfiles. It is a small binary built from systemd source code, but works separately, similarly to eudev or elogind. It is known to work on both glibc and musl systems.

Note that systemd-tmpfiles is specifically for non-systemd systems. It is intended to be used on an OpenRC system.

If you wish to selectively test systemd-tmpfiles, follow these steps:

1. # emerge --oneshot sys-apps/systemd-tmpfiles
2. # reboot
3. # rm /etc/runlevels/boot/opentmpfiles-setup
4. # rm /etc/runlevels/sysinit/opentmpfiles-dev

No other steps required.
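The mechanism described at the top of this item (create paths, set mode and ownership, remove by age) is driven by tmpfiles.d(5) lines. The parser and lint below are an added example and are not part of this news item nor of opentmpfiles or systemd-tmpfiles; the sample configuration is constructed, and the column layout (Type Path Mode User Group Age Argument, with "-" meaning unset) follows the tmpfiles.d(5) manual linked at [1]. The lint flags entries an administrator should look at before a tmpfiles implementation applies them as root, such as world-writable directories without the sticky bit.

```python
"""Parser and hardening lint for tmpfiles.d(5) configuration lines.

Added example; not the code of either tmpfiles implementation.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Age suffixes accepted here (a subset of what tmpfiles.d documents).
_AGE_UNITS = {"s": 1, "sec": 1, "m": 60, "min": 60, "h": 3600, "d": 86400, "w": 604800}
_AGE_RE = re.compile(r"(\d+)\s*([a-z]+)?")

# Constructed sample configuration, modelled on typical tmpfiles.d entries.
SAMPLE_CONFIG = """\
# example.conf (constructed sample)
d /run/myservice 0755 myservice myservice -
d /tmp/scratch 0777 root root 10d
d /var/tmp 1777 root root 30d
f /run/myservice/banner 0644 root root - hello world
L /run/myservice/link - - - - /var/lib/myservice/current
x /tmp/keep-me
"""


@dataclass
class TmpfilesEntry:
    type: str                 # type letter plus any modifiers, e.g. "d", "f", "L", "d+"
    path: str
    mode: Optional[int]       # numeric mode, None when "-" (implementation default)
    mode_is_mask: bool        # "~" prefix: the mode is a mask, not an absolute value
    user: Optional[str]
    group: Optional[str]
    age_seconds: Optional[int]
    argument: Optional[str]


def parse_age(text: str) -> Optional[int]:
    """Convert "10d", "1h30m" or a bare number of seconds to seconds; "-" means no cleanup."""
    if text == "-":
        return None
    total, pos = 0, 0
    for m in _AGE_RE.finditer(text):
        if m.start() != pos:
            raise ValueError(f"bad age {text!r}")
        unit = m.group(2) or "s"
        if unit not in _AGE_UNITS:
            raise ValueError(f"unknown age unit {unit!r} in {text!r}")
        total += int(m.group(1)) * _AGE_UNITS[unit]
        pos = m.end()
    if pos == 0 or pos != len(text):
        raise ValueError(f"bad age {text!r}")
    return total


def parse_line(line: str) -> Optional[TmpfilesEntry]:
    """Parse one tmpfiles.d line; blank lines and comments yield None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    # The Argument column may contain spaces, so only split the first six columns.
    fields = stripped.split(None, 6)
    if len(fields) < 2:
        raise ValueError(f"need at least Type and Path: {line!r}")
    fields += ["-"] * (7 - len(fields))       # missing trailing columns are unset
    type_, path, mode, user, group, age, argument = fields
    mode_is_mask = mode.startswith("~")
    mode_text = mode.lstrip("~:")             # ":" = only apply when the path is created
    return TmpfilesEntry(
        type=type_,
        path=path,
        mode=None if mode_text == "-" else int(mode_text, 8),
        mode_is_mask=mode_is_mask,
        user=None if user == "-" else user,
        group=None if group == "-" else group,
        age_seconds=parse_age(age),
        argument=None if argument == "-" else argument,
    )


def parse_config(text: str) -> List[TmpfilesEntry]:
    """Parse a whole tmpfiles.d file, dropping comments and blank lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def lint(entries: List[TmpfilesEntry]) -> List[str]:
    """Flag entries worth reviewing before they are applied with root privileges."""
    findings = []
    for e in entries:
        if not e.path.startswith("/"):
            findings.append(f"{e.path}: path is not absolute")
        if e.mode is None or e.mode_is_mask:
            continue
        if e.type[0] in "dDv" and e.mode & 0o002 and not e.mode & 0o1000:
            findings.append(f"{e.path}: world-writable directory without sticky bit (mode {e.mode:04o})")
        if e.type[0] in "fF" and e.mode & 0o002:
            findings.append(f"{e.path}: world-writable file (mode {e.mode:04o})")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against a real drop-in directory by reading each file under /etc/tmpfiles.d/ and /usr/lib/tmpfiles.d/ into parse_config; on the constructed sample the only finding is the 0777 scratch directory lacking the sticky bit, while /var/tmp with mode 1777 passes.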
If, after reviewing the linked bug reference for opentmpfiles, you feel your system is not vulnerable/applicable to the attack described, you can unmask [6] opentmpfiles at your own risk:

1. In /etc/portage/package.unmask, add a line:
   -sys-apps/opentmpfiles-
2. # emerge --oneshot sys-apps/opentmpfiles

Note that opentmpfiles is likely to be removed from the Gentoo repository in the future.

[0] https://www.freedesktop.org/software/systemd/man/systemd-tmpfiles.html
[1] https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
[2] https://nvd.nist.gov/vuln/detail/CVE-2017-18925
[3] https://bugs.gentoo.org/751415
[4] https://github.com/OpenRC/opentmpfiles/issues/4
[5] https://bugs.gentoo.org/741216
[6] https://wiki.gentoo.org/wiki/Knowledge_Base:Unmasking_a_package