From owner-freebsd-security@freebsd.org Thu Jan 30 12:52:28 2020
Date: Thu, 30 Jan 2020 00:50:06 +0000
From: Nathan Dorfman
To: Glen Barber
Cc: freebsd-security@freebsd.org
Subject: Re: Cryptographic signatures of installer sets
Message-ID: <20200130005006.GA13@e398a4ce8009>
References: <20200125200007.GA11@rtfm.net> <20200127164201.GB9584@FreeBSD.org>
In-Reply-To: <20200127164201.GB9584@FreeBSD.org>

On Mon, Jan 27, 2020 at 04:42:01PM +0000, Glen Barber wrote:
> No, this last part is not true. The installer always verifies the
> checksums against /usr/freebsd-dist/MANIFEST on the installation medium.
>
> In particular, this was done in r293223, where the LOCAL_DISTRIBUTIONS
> variable explicitly contains the MANIFEST.

Thank you, Glen. You're correct of course; the installer uses its embedded
MANIFEST and doesn't even fetch it from the mirror... during system
installation, at least.

However, the first time a jail is set up, using the `bsdinstall jail`
command, it does in fact fetch and trust the mirror's MANIFEST. I just
tested this with a freshly installed 12.1-RELEASE system and a local mirror
with a modified base.txz and manifest. It installs the modified files into
the new jail without any complaint.

Simply, after a clean installation /usr/freebsd-dist doesn't exist on the
new system, so the jail script creates it and downloads the MANIFEST from
the mirror.

See lines 60-70, here:
https://svnweb.freebsd.org/base/release/12.1.0/usr.sbin/bsdinstall/scripts/jail?view=markup#l60

After the first jail, this downloaded manifest and package(s) are saved in
/usr/freebsd-dist. So you are only at risk the first time, and there will
be some evidence of the tampering.

Still, I hope you'll agree that this should be fixed. The installer already
has a trusted manifest, as you point out; why not simply install that one
into the target system's /usr/freebsd-dist at setup time?

-nd.
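As an added example (not code from the post or from bsdinstall), the check the thread argues for: verify distribution sets only against a MANIFEST already present on the local system, and refuse to proceed when that trusted manifest is absent instead of fetching one from the mirror. The tab-separated MANIFEST field layout (set, sha256, file count, name, description, on/off) is assumed from FreeBSD release media, and the "base.txz" contents below are constructed demo data.

```shell
#!/bin/sh
# Added example, not bsdinstall's code. Verifies sets against a trusted
# local MANIFEST; never downloads a manifest from the mirror.

_sha256() {
    # Portable digest helper: FreeBSD sha256(1), GNU sha256sum, or openssl.
    if command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# verify_dists TRUSTED_MANIFEST DISTDIR SET...
# Exit status: 0 when every named set matches the trusted manifest,
# 1 on a checksum mismatch or a set missing from the manifest,
# 2 when the trusted manifest itself is absent (the first-jail case).
verify_dists() {
    manifest=$1; distdir=$2; shift 2
    [ -f "$manifest" ] || { echo "trusted manifest $manifest missing; refusing to fetch one" >&2; return 2; }
    for dist in "$@"; do
        # Field 1 is the set file name, field 2 its expected SHA-256.
        want=$(awk -v f="$dist" -F'\t' '$1 == f { print $2 }' "$manifest")
        [ -n "$want" ] || { echo "$dist: not listed in manifest" >&2; return 1; }
        got=$(_sha256 "$distdir/$dist")
        [ "$got" = "$want" ] || { echo "$dist: checksum mismatch" >&2; return 1; }
    done
    return 0
}

# Constructed demo (not real release sets): a genuine set with a manifest
# derived from it, a tampered copy in another directory, and a missing
# manifest. Prints the three exit statuses: expected "0 1 2".
demo() {
    tmp=$(mktemp -d)
    printf 'genuine base set\n' > "$tmp/base.txz"
    printf 'base.txz\t%s\t1\tbase\t"Base system (MANDATORY)"\ton\n' \
        "$(_sha256 "$tmp/base.txz")" > "$tmp/MANIFEST"
    mkdir "$tmp/tampered"
    printf 'modified base set\n' > "$tmp/tampered/base.txz"
    good=0; verify_dists "$tmp/MANIFEST" "$tmp" base.txz 2>/dev/null || good=$?
    bad=0; verify_dists "$tmp/MANIFEST" "$tmp/tampered" base.txz 2>/dev/null || bad=$?
    none=0; verify_dists "$tmp/absent/MANIFEST" "$tmp" base.txz 2>/dev/null || none=$?
    rm -rf "$tmp"
    echo "$good $bad $none"
}
```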