From nobody Fri Dec 5 20:17:42 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dNN3N5kwhz6Jf1y for ; Fri, 05 Dec 2025 20:17:52 +0000 (UTC) (envelope-from Wismos@proton.me) Received: from mail-24427.protonmail.ch (mail-24427.protonmail.ch [109.224.244.27]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "protonmail.com", Issuer "R13" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dNN3K74vLz3kYQ for ; Fri, 05 Dec 2025 20:17:49 +0000 (UTC) (envelope-from Wismos@proton.me) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=proton.me header.s=protonmail header.b=NE6D7rrs; dmarc=pass (policy=quarantine) header.from=proton.me; spf=pass (mx1.freebsd.org: domain of Wismos@proton.me designates 109.224.244.27 as permitted sender) smtp.mailfrom=Wismos@proton.me DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.me; s=protonmail; t=1764965866; x=1765225066; bh=wRV/eVVAkfmSm+zhnmbccza7E4k9tOIrNNmRUcLAZ1Y=; h=Date:To:From:Cc:Subject:Message-ID:Feedback-ID:From:To:Cc:Date: Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector; b=NE6D7rrskQ4x5ZQ2Za7slL67/0hjFq69dLNAEsDp/2xnN+TzMzJi+gsDSpizXtKVb M+S6tpUsme9n5ZUHlx5z3W0FZToEJca97CK8svBWGBVNNMsaC60uBhv8Sl5XOigCKv w3iG4lLQFGpr5E3Y+hzuxO1934qF7jFuEzDzR9zokWQzQqEXaiOjdMzySx9rguRS9V tfpAbyCd3A/ytc+CD6p5X6t3uL1FnEd4DmZHaplI6PPCOzgU7uuRZ+GwhwNZj2Bxqn A2615CWFu13sKotI7+HqR/CB4Ri2wvqYxIYWDzptKzIlPf2ISF1hPvISmY2Ey5UE9j 4s3/uEMmFoAGg== Date: Fri, 05 Dec 2025 20:17:42 +0000 To: freebsd-security@freebsd.org From: Wismos@proton.me Cc: olce@freebsd.org Subject: Regarding PAM support for mdo Message-ID: <5yH9o0uW628frXojj_IKQVxRqtYT0Z9ZrqQp8eAbNXa3iuQoTT-Nm2zN_yNTc89dzFPvnrYkIIkL5yjmmFZ1z9FmaGpM7_sYJ0t1Ho2ktr0=@proton.me> Feedback-ID: 51325846:user:proton X-Pm-Message-ID: 4451f03a5d34216ff8353355b3ca0f923ffb4e9a List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="b1=_iTLt5VpMQ7oBHo0ZM1auBHVnrsG58TevKNLUn9Zeds" X-Spamd-Bar: --- X-Spamd-Result: default: False [-3.21 / 15.00]; MIME_BASE64_TEXT_BOGUS(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-0.91)[-0.911]; DMARC_POLICY_ALLOW(-0.50)[proton.me,quarantine]; RWL_MAILSPIKE_EXCELLENT(-0.40)[109.224.244.27:from]; R_DKIM_ALLOW(-0.20)[proton.me:s=protonmail]; R_SPF_ALLOW(-0.20)[+ip4:109.224.244.0/24]; MIME_BASE64_TEXT(0.10)[]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; ARC_NA(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; DKIM_TRACE(0.00)[proton.me:+]; FROM_NO_DN(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; TO_DN_NONE(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; MISSING_XM_UA(0.00)[]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; RCVD_COUNT_ZERO(0.00)[0]; RCVD_IN_DNSWL_NONE(0.00)[109.224.244.27:from] X-Rspamd-Queue-Id: 4dNN3K74vLz3kYQ --b1=_iTLt5VpMQ7oBHo0ZM1auBHVnrsG58TevKNLUn9Zeds Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: base64 aGVsbG8gdGhlcmUsIGkgd2FzIHdvcmtpbmcgb24gYWRkaW5nIFBBTSBzdXBwb3J0IHRvIG1kbyBh bmQgaSBub3RpY2VkIHRoYXQgaXQgd2FzIGEgZGVsaWV2ZXJhYmxlIHVudGlsIHJldmlzaW9uIDcg b2YgdGhlIHdpa2kgcGFnZSBvZiBHU29DJ3MgbWRvIGltcHJvdmVtZW50IHByb2plY3QgYW5kIHdh cyByZW1vdmVkIGluIHJldmlzaW9uIDgKaHR0cHM6Ly93aWtpLmZyZWVic2Qub3JnL2FjdGlvbi9y ZWNhbGwvU3VtbWVyT2ZDb2RlMjAyNVByb2plY3RzL01hY0RvQW5kTURvSW1wcm92ZW1lbnRzP2Fj dGlvbj1yZWNhbGwmcmV2PTcKaHR0cHM6Ly93aWtpLmZyZWVic2Qub3JnL2FjdGlvbi9yZWNhbGwv U3VtbWVyT2ZDb2RlMjAyNVByb2plY3RzL01hY0RvQW5kTURvSW1wcm92ZW1lbnRzP2FjdGlvbj1y ZWNhbGwmcmV2PTgKYW5kIGkgdHJpZWQgbG9va2luZyBmb3IgYW55IGNsdWUgdGhhdCB3b3VsZCBp bmRpY2F0ZSB3aHkgdGhhdCB3YXMgdGhlIGNhc2UgYnV0IGkgZm91bmQgbm90aGluZy4KCnNvIGkg d291bGQgYmUgcmVhbGx5IGdsYWQgdG8ga25vdyBpZiB0aGUgcmVhc29uIHdlcmUgc29tZSBibG9j a2VycyBvciBzZWN1cml0eSB3aXNlIGlzc3VlcyBpIGFtIG5vdCBhd2FyZSBvZgoKVGhhbmtz --b1=_iTLt5VpMQ7oBHo0ZM1auBHVnrsG58TevKNLUn9Zeds Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: base64 PGh0bWw+PGhlYWQ+PC9oZWFkPjxib2R5PmhlbGxvIHRoZXJlLCBpIHdhcyB3b3JraW5nIG9uIGFk ZGluZyBQQU0gc3VwcG9ydCB0byBtZG8gYW5kIGkgbm90aWNlZCB0aGF0IGl0IHdhcyBhIGRlbGll dmVyYWJsZSB1bnRpbCByZXZpc2lvbiA3IG9mIHRoZSB3aWtpIHBhZ2Ugb2YgR1NvQydzIG1kbyBp bXByb3ZlbWVudCBwcm9qZWN0Jm5ic3A7YW5kIHdhcyByZW1vdmVkIGluIHJldmlzaW9uIDg8ZGl2 Pmh0dHBzOi8vd2lraS5mcmVlYnNkLm9yZy9hY3Rpb24vcmVjYWxsL1N1bW1lck9mQ29kZTIwMjVQ cm9qZWN0cy9NYWNEb0FuZE1Eb0ltcHJvdmVtZW50cz9hY3Rpb249cmVjYWxsJmFtcDtyZXY9Nzwv ZGl2PjxkaXY+aHR0cHM6Ly93aWtpLmZyZWVic2Qub3JnL2FjdGlvbi9yZWNhbGwvU3VtbWVyT2ZD b2RlMjAyNVByb2plY3RzL01hY0RvQW5kTURvSW1wcm92ZW1lbnRzP2FjdGlvbj1yZWNhbGwmYW1w O3Jldj04PC9kaXY+PGRpdj5hbmQgaSB0cmllZCBsb29raW5nIGZvciBhbnkgY2x1ZSB0aGF0IHdv dWxkIGluZGljYXRlIHdoeSB0aGF0IHdhcyB0aGUgY2FzZSBidXQgaSBmb3VuZCBub3RoaW5nLjwv ZGl2PjxkaXY+PGJyPjwvZGl2PjxkaXY+c28gaSB3b3VsZCBiZSByZWFsbHkgZ2xhZCB0byBrbm93 IGlmIHRoZSByZWFzb24gd2VyZSBzb21lIGJsb2NrZXJzIG9yIHNlY3VyaXR5IHdpc2UgaXNzdWVz IGkgYW0gbm90IGF3YXJlIG9mPC9kaXY+PGRpdj48YnI+PC9kaXY+PGRpdj5UaGFua3M8L2Rpdj48 L2JvZHk+PC9odG1sPg== --b1=_iTLt5VpMQ7oBHo0ZM1auBHVnrsG58TevKNLUn9Zeds-- From nobody Fri Dec 5 23:02:14 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dNRjC70Nkz6Jd4f for ; Fri, 05 Dec 2025 23:02:23 +0000 (UTC) (envelope-from olce@freebsd.org) Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R13" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dNRjB4MSyz4Fhw; Fri, 05 Dec 2025 23:02:22 +0000 (UTC) (envelope-from olce@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1764975742; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=W0J9GTB8+QBYJzGXanT2OqloIEw55IXy098nkihicic=; b=C9bIX87jzIJYUPQZy8Idd4/PNco+X4PvKQilF+0nkj0xlTyt2Gciqdz7G2qu9QzNVSYlVO ftYVqPkCJGWpApVj2XUrnNaNHTJ2SjhiXuOO6BLGZYEHuTo7LAsq3FnrbbQE6DecKjyTRe bCdxJJsDRUnRXv3K4sDoqOBHK2PqOs99S6OKKYhOt2KEp4uqN92s5rqxZNOJuZquJz14BA oq17ouv/PXKsvQhls9QxI7GL8T2gZKPZG6OcDqrWzIwcGdifLrmXAINHF0h3EiQ6TFU5G9 IHbNqgom573Gl1mOBaA9buWxVALuRVGupuTCO8+6eVW0tPBrjCTnHVk0Laistw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1764975742; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=W0J9GTB8+QBYJzGXanT2OqloIEw55IXy098nkihicic=; b=V5GzeHLuFX+wW/iRFf6uFPU9z07i7cYQne6DUtijo2f+t2enAnI6MEOtE/h8Wsb0Ou0gJm B2kWd/FHNP6ixGsIrMS9F2PT4Ms6fBxC0nIk1Ru7kUfCb0eDjy35rIgNUtlMYbErqgBKG3 h0budV+7lNK/7QqrAjrUGRtGgZSQI0jFea+5ppX76YLLt6ENBxQ3u3OdytacqXttB7eYiy rB9VzvGE65mHkIMpuLIbpW9FfqnmWMm6gJRLSlYFNiglrWIWrtQM40UKU6BJT5G7InWN06 CEipTpr3EzM87isofRUB+XB4rpeD8UQrLIMuai5mFfMMYeDsyFrZqfZdoX62+g== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1764975742; a=rsa-sha256; cv=none; b=Bi45LlWaSTDLcN8+NEwEgUAiovz189C1vFxsAsPWUDMXOXd77kcgDZhQk2I6EDeCoHwTo7 Pi7FvaY1v2D/W5f14qAeKatQeASqNZX/7OEwoRKqpMvI0HDqqgVCfsBd7tYcmLlU9vA/Du +bhFa2jkEwc5t79qn76pvtjP5XckdluSMCY6ZxOuJrzSS9b9xQeruBxBshSYmYCeZsO98D Hbq5qYR9yNSNNLvdCKieHE8ZZqw2U1OHIAz7KPe2s7CuFi7R0VRLLhNd7P/pswz24K28PV xz6gxVXiKd0MHrNhZdV8/3K4AktKsWeyO8FM7TSr2FMl6a79xrxL8YbLK54Ftg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from ravel.localnet (aclermont-ferrand-653-1-222-123.w90-14.abo.wanadoo.fr [90.14.66.123]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: olce/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4dNRjB1NK3zZKH; Fri, 05 Dec 2025 23:02:22 +0000 (UTC) (envelope-from olce@freebsd.org) From: Olivier Certner To: freebsd-security@freebsd.org, Wismos@proton.me Subject: Re: Regarding PAM support for mdo Date: Sat, 06 Dec 2025 00:02:14 +0100 Message-ID: <24612612.gYbqZ1YImA@ravel> In-Reply-To: <5yH9o0uW628frXojj_IKQVxRqtYT0Z9ZrqQp8eAbNXa3iuQoTT-Nm2zN_yNTc89dzFPvnrYkIIkL5yjmmFZ1z9FmaGpM7_sYJ0t1Ho2ktr0=@proton.me> References: <5yH9o0uW628frXojj_IKQVxRqtYT0Z9ZrqQp8eAbNXa3iuQoTT-Nm2zN_yNTc89dzFPvnrYkIIkL5yjmmFZ1z9FmaGpM7_sYJ0t1Ho2ktr0=@proton.me> List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart55254552.J2yNMGElB9"; micalg="pgp-sha384"; protocol="application/pgp-signature" --nextPart55254552.J2yNMGElB9 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="utf-8"; protected-headers="v1" From: Olivier Certner To: freebsd-security@freebsd.org, Wismos@proton.me Subject: Re: Regarding PAM support for mdo Date: Sat, 06 Dec 2025 00:02:14 +0100 Message-ID: <24612612.gYbqZ1YImA@ravel> MIME-Version: 1.0 Hello, > so i would be really glad to know if the reason were some blockers or security wise issues i am not aware of Yes, there was a reason: It doesn't fit in the current mac_do(4)/mdo(1) framework in a straightforward manner. mdo(1) is not a setuid executable (a feature), which basically means that PAM, which expects to be root, is unlikely to function correctly. E.g., it's impossible on FreeBSD for a non-root user to validate some password against the database, as 'master.passwd' is only readable by 'root'. CAPSICUM programs have the related problem of not having enough privileges for some operations, but their way out, libcasper(3), currently wouldn't solve our problem (still not enough privileges to access the password database) and code would have to be written there for some PAM functions to be accessible through it (it's mostly and perhaps only the authentication phase that could interest us in PAM). Using PAM also means starting to rely on the filesystem hierarchy, with implications in terms of security when leveraging jails and chroots (confused deputy issues, as described in August on hackers@). Currently, mdo(1) does not read any configuration file at all, and thus is not subject to such problems. They are however easy to avoid (by leveraging P2_NO_NEW_PRIVS; at the price of functionality restrictions). What is your goal exactly? Having a simple program like doas(1) replacing sudo(8)? I'm evoking a number of possible mac_do(4)/mdo(1) evolutions in an article in the next FreeBSD Journal issue. One may be to have another executable, with the setuid mode bit set this time, that could leverage PAM with full privileges, and drop them the rest of the time until calling setcred() (this code could be share with mdo(1)). Another is to have an ad-hoc authentication mechanism, but then we would still need a mechanism to safely read a password database, e.g., communicate with a privileged server, which still remains to be written. There are number of other solutions with different advantages/drawbacks. The following steps are unclear, and mainly depend on user needs/feedbacks. Thanks and regards. -- Olivier Certner --nextPart55254552.J2yNMGElB9 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part. Content-Transfer-Encoding: 7Bit -----BEGIN PGP SIGNATURE----- iQIzBAABCQAdFiEEmNCxHjkosai0LYIujKEwQJceJicFAmkzZHcACgkQjKEwQJce Jidm6g/7BjG9ZDY2C+/i+k3FRfPha0M/BA1C1x1bUka5tit9eZGLbYeQYgkKDOCq WUZ//sWJ9JNDdYCFEglQvnA/H1J9nV7150XjgQ8Wqh5GTSAjsUL2A5B7eC6JQfnV mEAbLrTG017CEDZKmMJekscC7lvScJpjdd/ZkeBvqqz7XQ7ZgY3EdyZv6d4ynreP ch+7Je8NmtMr0y0VM8okGvrdkvG9/2GSa68ofZqNS7sBfMHQywTn5LWejB/Sfm6O X3yx96WCRekD8x/5/FhZ1OfKd5VZFzmm7ebAS2qsdKDtaPQEe9QWaA1FDtgQbK3F muc//MNuwT9E6fGArUrVpD+DQS5JbpYOdtLN0FhzSjlnWYecgomAtog0iB/+ICF9 OYeKy8o69QDRmy1ITCEyNxvsCFDXFhaXmO/Mkg2oHTdHpmaOE1Jr/UjemKYK+0kS W43U0AQQswmtK+QQf26EY/lQXZaAQ3LXoYviinJNkk0CHr+JuwegWD3PA87r/Kjk ZTliescnajjHEAhazRi6M+uBzG3JGWVNBgTEKZnhnpV0gsmUtkAI73fA723EOhBx BoLA+QwY7rNZ2qjvlln7VVk+QTJPJsRHsjRfKHEbihJqzV0LUXiZjq8giTaeMHc8 g9EZzHOGOAVMA1GHDh26SuMGNqlD5hFYgzGUIVAhYjMKG8tmd4g= =ti+4 -----END PGP SIGNATURE----- --nextPart55254552.J2yNMGElB9-- From nobody Sat Dec 6 05:47:42 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dNcjL68Bjz6K8ps for ; Sat, 06 Dec 2025 05:48:06 +0000 (UTC) (envelope-from info@spmzt.net) Received: from mail.spmzt.net (mail.spmzt.net [193.148.248.214]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 4dNcjK2H49z3gMK; Sat, 06 Dec 2025 05:48:05 +0000 (UTC) (envelope-from info@spmzt.net) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=spmzt.net header.s=mail header.b=d+lNEvLf; dmarc=pass (policy=quarantine) header.from=spmzt.net; spf=pass (mx1.freebsd.org: domain of info@spmzt.net designates 193.148.248.214 as permitted sender) smtp.mailfrom=info@spmzt.net DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=spmzt.net; s=mail; t=1765000076; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=woUjuW8ms8Tq6d2mpknnEtIXVZCaQ+WaSKBJw+U40CE=; b=d+lNEvLf+Kd2sqLxXY2yDxVzYrig/uqn1MM4lxGxdjVOJFZhjAoptacyluCvPj4fEJKCMZ MCJHGTgS04p+7eNH1IzB9r1AIyLuNl+NnG0EwBRabO0dIYduFbVAM5U89Ms2/3o+QKQpxv M8Cx61LYt251DSEWus9zyKg1/sLrxxc= Received: by nl.mail.spmzt.net (OpenSMTPD) with ESMTPSA id 0893684a (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Sat, 6 Dec 2025 09:17:55 +0330 (+0330) Message-ID: Date: Sat, 6 Dec 2025 09:17:42 +0330 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Regarding PAM support for mdo Content-Language: en-US, fa-IR References: <912767d4-9cf1-43b1-b6e9-66fed003d8e9@spmzt.net> To: Wismos@proton.me Cc: freebsd-security@freebsd.org, olce@freebsd.org From: Seyed Pouria Mousavizadeh Tehrani Organization: SPMZT - AS214145 In-Reply-To: <912767d4-9cf1-43b1-b6e9-66fed003d8e9@spmzt.net> X-Forwarded-Message-Id: <912767d4-9cf1-43b1-b6e9-66fed003d8e9@spmzt.net> Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------vHXrw9MIoe0h5RL0LvnbnAPv" X-Spamd-Bar: ----- X-Spamd-Result: default: False [-6.00 / 15.00]; SIGNED_PGP(-2.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; NEURAL_HAM_SHORT(-1.00)[-1.000]; DMARC_POLICY_ALLOW(-0.50)[spmzt.net,quarantine]; MIME_GOOD(-0.20)[multipart/signed,multipart/mixed,multipart/alternative,text/plain]; R_DKIM_ALLOW(-0.20)[spmzt.net:s=mail]; R_SPF_ALLOW(-0.20)[+mx]; MIME_BASE64_TEXT(0.10)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:+,3:+,4:~,5:~]; ASN(0.00)[asn:34927, ipnet:193.148.248.0/24, country:CH]; RCVD_COUNT_ONE(0.00)[1]; HAS_ORG_HEADER(0.00)[]; RCVD_TLS_ALL(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; RCPT_COUNT_THREE(0.00)[3]; FROM_EQ_ENVFROM(0.00)[]; FROM_HAS_DN(0.00)[]; DKIM_TRACE(0.00)[spmzt.net:+]; TO_DN_NONE(0.00)[]; MLMMJ_DEST(0.00)[freebsd-security@freebsd.org]; TO_MATCH_ENVRCPT_SOME(0.00)[]; HAS_ATTACHMENT(0.00)[] X-Rspamd-Queue-Id: 4dNcjK2H49z3gMK This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------vHXrw9MIoe0h5RL0LvnbnAPv Content-Type: multipart/mixed; boundary="------------jaiAeZP22d48I4SY27laD95H"; protected-headers="v1" Message-ID: Date: Sat, 6 Dec 2025 09:17:42 +0330 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Regarding PAM support for mdo Content-Language: en-US, fa-IR References: <912767d4-9cf1-43b1-b6e9-66fed003d8e9@spmzt.net> To: Wismos@proton.me Cc: freebsd-security@freebsd.org, olce@freebsd.org From: Seyed Pouria Mousavizadeh Tehrani Organization: SPMZT - AS214145 In-Reply-To: <912767d4-9cf1-43b1-b6e9-66fed003d8e9@spmzt.net> X-Forwarded-Message-Id: <912767d4-9cf1-43b1-b6e9-66fed003d8e9@spmzt.net> --------------jaiAeZP22d48I4SY27laD95H Content-Type: multipart/alternative; boundary="------------NCzZKF0BhYUmTb0Ox0GipUes" --------------NCzZKF0BhYUmTb0Ox0GipUes Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64 SGksDQoNCj4+IHNvIGkgd291bGQgYmUgcmVhbGx5IGdsYWQgdG8ga25vdyBpZiB0aGUgcmVh c29uIHdlcmUgc29tZSBibG9ja2VycyBvciBzZWN1cml0eSB3aXNlIGlzc3VlcyBpIGFtIG5v dCBhd2FyZSBvZg0KPiBZZXMsIHRoZXJlIHdhcyBhIHJlYXNvbjogSXQgZG9lc24ndCBmaXQg aW4gdGhlIGN1cnJlbnQgbWFjX2RvKDQpL21kbygxKSBmcmFtZXdvcmsgaW4gYSBzdHJhaWdo dGZvcndhcmQgbWFubmVyLg0KPg0KPiBtZG8oMSkgaXMgbm90IGEgc2V0dWlkIGV4ZWN1dGFi bGUgKGEgZmVhdHVyZSksIHdoaWNoIGJhc2ljYWxseSBtZWFucyB0aGF0IFBBTSwgd2hpY2gg ZXhwZWN0cyB0byBiZSByb290LCBpcyB1bmxpa2VseSB0byBmdW5jdGlvbiBjb3JyZWN0bHku ICBFLmcuLCBpdCdzIGltcG9zc2libGUgb24gRnJlZUJTRCBmb3IgYSBub24tcm9vdCB1c2Vy IHRvIHZhbGlkYXRlIHNvbWUgcGFzc3dvcmQgYWdhaW5zdCB0aGUgZGF0YWJhc2UsIGFzICdt YXN0ZXIucGFzc3dkJyBpcyBvbmx5IHJlYWRhYmxlIGJ5ICdyb290Jy4gIENBUFNJQ1VNIHBy b2dyYW1zIGhhdmUgdGhlIHJlbGF0ZWQgcHJvYmxlbSBvZiBub3QgaGF2aW5nIGVub3VnaCBw cml2aWxlZ2VzIGZvciBzb21lIG9wZXJhdGlvbnMsIGJ1dCB0aGVpciB3YXkgb3V0LCBsaWJj YXNwZXIoMyksIGN1cnJlbnRseSB3b3VsZG4ndCBzb2x2ZSBvdXIgcHJvYmxlbSAoc3RpbGwg bm90IGVub3VnaCBwcml2aWxlZ2VzIHRvIGFjY2VzcyB0aGUgcGFzc3dvcmQgZGF0YWJhc2Up IGFuZCBjb2RlIHdvdWxkIGhhdmUgdG8gYmUgd3JpdHRlbiB0aGVyZSBmb3Igc29tZSBQQU0g ZnVuY3Rpb25zIHRvIGJlIGFjY2Vzc2libGUgdGhyb3VnaCBpdCAoaXQncyBtb3N0bHkgYW5k IHBlcmhhcHMgb25seSB0aGUgYXV0aGVudGljYXRpb24gcGhhc2UgdGhhdCBjb3VsZCBpbnRl cmVzdCB1cyBpbiBQQU0pLg0KPg0KPiBVc2luZyBQQU0gYWxzbyBtZWFucyBzdGFydGluZyB0 byByZWx5IG9uIHRoZSBmaWxlc3lzdGVtIGhpZXJhcmNoeSwgd2l0aCBpbXBsaWNhdGlvbnMg aW4gdGVybXMgb2Ygc2VjdXJpdHkgd2hlbiBsZXZlcmFnaW5nIGphaWxzIGFuZCBjaHJvb3Rz IChjb25mdXNlZCBkZXB1dHkgaXNzdWVzLCBhcyBkZXNjcmliZWQgaW4gQXVndXN0IG9uIGhh Y2tlcnNAKS4gIEN1cnJlbnRseSwgbWRvKDEpIGRvZXMgbm90IHJlYWQgYW55IGNvbmZpZ3Vy YXRpb24gZmlsZSBhdCBhbGwsIGFuZCB0aHVzIGlzIG5vdCBzdWJqZWN0IHRvIHN1Y2ggcHJv YmxlbXMuICBUaGV5IGFyZSBob3dldmVyIGVhc3kgdG8gYXZvaWQgKGJ5IGxldmVyYWdpbmcg UDJfTk9fTkVXX1BSSVZTOyBhdCB0aGUgcHJpY2Ugb2YgZnVuY3Rpb25hbGl0eSByZXN0cmlj dGlvbnMpLg0KPg0KPiBXaGF0IGlzIHlvdXIgZ29hbCBleGFjdGx5PyAgSGF2aW5nIGEgc2lt cGxlIHByb2dyYW0gbGlrZSBkb2FzKDEpIHJlcGxhY2luZyBzdWRvKDgpPyAgSSdtIGV2b2tp bmcgYSBudW1iZXIgb2YgcG9zc2libGUgbWFjX2RvKDQpL21kbygxKSBldm9sdXRpb25zIGlu IGFuIGFydGljbGUgaW4gdGhlIG5leHQgRnJlZUJTRCBKb3VybmFsIGlzc3VlLiAgT25lIG1h eSBiZSB0byBoYXZlIGFub3RoZXIgZXhlY3V0YWJsZSwgd2l0aCB0aGUgc2V0dWlkIG1vZGUg Yml0IHNldCB0aGlzIHRpbWUsIHRoYXQgY291bGQgbGV2ZXJhZ2UgUEFNIHdpdGggZnVsbCBw cml2aWxlZ2VzLCBhbmQgZHJvcCB0aGVtIHRoZSByZXN0IG9mIHRoZSB0aW1lIHVudGlsIGNh bGxpbmcgc2V0Y3JlZCgpICh0aGlzIGNvZGUgY291bGQgYmUgc2hhcmUgd2l0aCBtZG8oMSkp LiAgQW5vdGhlciBpcyB0byBoYXZlIGFuIGFkLWhvYyBhdXRoZW50aWNhdGlvbiBtZWNoYW5p c20sIGJ1dCB0aGVuIHdlIHdvdWxkIHN0aWxsIG5lZWQgYSBtZWNoYW5pc20gdG8gc2FmZWx5 IHJlYWQgYSBwYXNzd29yZCBkYXRhYmFzZSwgZS5nLiwgY29tbXVuaWNhdGUgd2l0aCBhIHBy aXZpbGVnZWQgc2VydmVyLCB3aGljaCBzdGlsbCByZW1haW5zIHRvIGJlIHdyaXR0ZW4uICBU aGVyZSBhcmUgbnVtYmVyIG9mIG90aGVyIHNvbHV0aW9ucyB3aXRoIGRpZmZlcmVudCBhZHZh bnRhZ2VzL2RyYXdiYWNrcy4NCj4NCj4gVGhlIGZvbGxvd2luZyBzdGVwcyBhcmUgdW5jbGVh ciwgYW5kIG1haW5seSBkZXBlbmQgb24gdXNlciBuZWVkcy9mZWVkYmFja3MuDQpBcyBhIHVz ZXIgb2YgbWFjX2RvKDQpL21kbygxKSwgSSBzdHJvbmdseSBiZWxpZXZlIHRoZSBjdXJyZW50 IA0KaW1wbGVtZW50YXRpb24gb2YgbWFjX2RvKDQpIGlzIHBlcmZlY3QuIElNSE8gYW5kIG9u bHkgSU1ITywgYW55IGNoYW5nZSANCnRvIG1hY19kbyBzaG91bGQgTk9UIGJyZWFrIHRoZXNl IGV4cGVjdGF0aW9ucyBiZWxvdyB0byBtYWNfZG8oNCksIHdoaWNoIA0KYXJlIHRoZSByZWFz b25zIHdlIHVzZSBpdDoNCg0KICAqIE5vIGRlcGVuZGVuY3kgb24gYSBjb25maWd1cmF0aW9u IGZpbGUgKHN5c2N0bC1iYXNlZCkNCiAgKiBObyBmaWxlc3lzdGVtIGRlcGVuZGVuY2llcyAo aW5jbHVkaW5nIHRoZSBzZXR1aWQgYml0KQ0KICAqIEphaWwgaW5oZXJpdGFuY2Ugc3VwcG9y dA0KICAqIFN0cmFpZ2h0Zm9yd2FyZMKgdWNyZWQtc3BlY2lmaWPCoHN5bnRheA0KDQpDb21t dW5pdHkgYXBwcmVjaWF0ZSBpbXByb3ZlbWVudHMgdG8gbWFjX2RvOyBob3dldmVyLCBhbnkg Y2hhbmdlIHRoYXQgDQphZmZlY3RzIHRoZSBhYm92ZSByZWFzb25zIHdpbGwgZGVmZWF0IG1h Y19kb+KAmXMgbWFpbiBwdXJwb3NlIGFuZCB0dXJuIGl0IA0KaW50byBrZXJuZWwtdG8tc3lz dGVtIGdsdWUsIG1ha2luZyBpdCBvZiBsaXR0bGUgdG8gbm8gdmFsdWUgdG8gaXRzIHVzZXJz IA0KY29tcGFyZWQgd2l0aCBkb2FzKDEpLg0KDQpJIGhhdmUgYSBmZXcgc3VnZ2VzdGlvbnM6 DQoNCiAgKiBBbnkgYWRkaXRpb24gb3IgaW1wcm92ZW1lbnQgbm90IHJlbGF0ZWQgdG8gdWNy ZWQgc2hvdWxkIGJlIGluDQogICAgYW5vdGhlciBzeXNjdGwgbm9kZSB0byBub3QgYnJlYWsg Y29tcGF0aWJpbGl0eS4NCiAgKiBJIGZvdW5kIHRoYXQgbGVhcm5pbmcgY3VycmVudCBtYWNf ZG8oNCkgYWZ0ZXIgcmVhZGluZyBpdHMgbWFudWFsDQogICAgcmVxdWlyZXMgdHJ5LWFuZC1l cnJvciB0byB1bmRlcnN0YW5kIGl0cyBmdW5jdGlvbi4gTmV3IHVzZXJzIGZpcnN0DQogICAg aGF2ZSB0byB1bmxlYXJuIHRoaW5ncyBhYm91dCBkb2FzKDEpL3N1ZG8oOCkgYW5kIHVuZGVy c3RhbmQgdGhhdA0KICAgIG1hY19kbyBpcyBzdHJvbmdseSBleHBsaWNpdCBpbiBpdHMgY3Jl ZGVudGlhbHMuIHdoaWNoIGlzDQogICAgZ29vZC7CoFRoZXJlZm9yZSwgaXQgbXVzdCBiZSBo ZWF2aWx5IGRvY3VtZW50ZWQgY29uc2lkZXJpbmcgaXQgaGFzIGENCiAgICBzZWN1cml0eSBl ZmZlY3RzIHRvby4NCg0KSSBiZWxpZXZlIHRoZSBSRkMxOTI1IHN0YXRlbWVudCBhYm91dCBw cm90b2NvbCBkZXNpZ24gaXMgYWxzbyBhcHBsaWVzIHRvIA0Ka2VybmVsIG1vZHVsZXMuDQoN Ci8oMTIpIEluIHByb3RvY29sIGRlc2lnbiwgcGVyZmVjdGlvbiBoYXMgYmVlbiByZWFjaGVk IG5vdCB3aGVuIHRoZXJlIGlzIA0Kbm90aGluZyBsZWZ0IHRvIGFkZCwgYnV0ICp3aGVuIHRo ZXJlIGlzIG5vdGhpbmcgbGVmdCB0byB0YWtlwqBhd2F5Ki4vDQoNClRoYW5rIHlvdSBmb3Ig d29ya2luZyBvbiBtYWNfZG8uDQoNCi0tIA0Kc3BtenQNCg0K --------------NCzZKF0BhYUmTb0Ox0GipUes Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

Hi,

so i would be really gla=
d to know if the reason were some blockers or security wise issues i am n=
ot aware of

Yes, there was a reason: I=
t doesn't fit in the current mac_do(4)/mdo(1) framework in a straightforw=
ard manner.

mdo(1) is not a setuid executable (a feature), which basically means that=
 PAM, which expects to be root, is unlikely to function correctly.  E.g.,=
 it's impossible on FreeBSD for a non-root user to validate some password=
 against the database, as 'master.passwd' is only readable by 'root'.  CA=
PSICUM programs have the related problem of not having enough privileges =
for some operations, but their way out, libcasper(3), currently wouldn't =
solve our problem (still not enough privileges to access the password dat=
abase) and code would have to be written there for some PAM functions to =
be accessible through it (it's mostly and perhaps only the authentication=
 phase that could interest us in PAM).

Using PAM also means starting to rely on the filesystem hierarchy, with i=
mplications in terms of security when leveraging jails and chroots (confu=
sed deputy issues, as described in August on hackers@).  Currently, mdo(1=
) does not read any configuration file at all, and thus is not subject to=
 such problems.  They are however easy to avoid (by leveraging P2_NO_NEW_=
PRIVS; at the price of functionality restrictions).

What is your goal exactly?  Having a simple program like doas(1) replacin=
g sudo(8)?  I'm evoking a number of possible mac_do(4)/mdo(1) evolutions =
in an article in the next FreeBSD Journal issue.  One may be to have anot=
her executable, with the setuid mode bit set this time, that could levera=
ge PAM with full privileges, and drop them the rest of the time until cal=
ling setcred() (this code could be share with mdo(1)).  Another is to hav=
e an ad-hoc authentication mechanism, but then we would still need a mech=
anism to safely read a password database, e.g., communicate with a privil=
eged server, which still remains to be written.  There are number of othe=
r solutions with different advantages/drawbacks.

The following steps are unclear, and mainly depend on user needs/feedback=
s.
As a user of mac_do(4)/mdo(1), I strongly believe the current implementation of mac_do(4) is perfect. IMHO and only IMHO, any change to mac_do should NOT break these expectations below to mac_do(4), which are the reasons we use it:
  • No dependency on a configuration file (sysctl-based)
  • No filesystem dependencies (including the setuid bit)
  • Jail inheritance support
  • Straightforward=C2=A0ucred-specific=C2=A0syntax
Community appreciate improvements to mac_do; however, any change that affects the above reasons will defeat mac_do=E2=80=99s main pu= rpose and turn it into kernel-to-system glue, making it of little to no value to its users compared with doas(1).

I have a few suggestions:

  • Any addition or improvement not related to ucred should be in another sysctl node to not break compatibility.
  • I found that learning current mac_do(4) after reading its manual requires try-and-error to understand its function. New users first have to unlearn things about doas(1)/sudo(8) and understand that mac_do is strongly explicit in its credentials. which is good.=C2=A0Therefore, it must be heavily documented considering it has a security effects too.

I believe the RFC1925 statement about protocol design is also applies to kernel modules.

(12) In protocol design, perfection has been reached not when there is nothing left to add, but when there is nothing left to take=C2=A0away.

Thank you for working on mac_do. 
--=20
spmzt
--------------NCzZKF0BhYUmTb0Ox0GipUes-- --------------jaiAeZP22d48I4SY27laD95H-- --------------vHXrw9MIoe0h5RL0LvnbnAPv Content-Type: application/pgp-signature; name="OpenPGP_signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="OpenPGP_signature.asc" -----BEGIN PGP SIGNATURE----- iHUEARYKAB0WIQSqt7cppfvJ816gj0lUwVnUeMwagAUCaTPDfgAKCRBUwVnUeMwa gNJKAQDlvRX8cP95mKaYEPBv78n6PNNEnlW30/MAZAe3hgz5PwD/VSQMrX2EX6Ja YViW7YHAbavGRGdiwomvwn6vowxyBgs= =r5TJ -----END PGP SIGNATURE----- --------------vHXrw9MIoe0h5RL0LvnbnAPv-- From nobody Sat Dec 6 07:37:43 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dNg8335nMz6KHMl for ; Sat, 06 Dec 2025 07:37:55 +0000 (UTC) (envelope-from Wismos@proton.me) Received: from mail-43167.protonmail.ch (mail-43167.protonmail.ch [185.70.43.167]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "protonmail.com", Issuer "R13" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dNg830bTRz3tlw for ; Sat, 06 Dec 2025 07:37:50 +0000 (UTC) (envelope-from Wismos@proton.me) Authentication-Results: mx1.freebsd.org; none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proton.me; s=protonmail; t=1765006667; x=1765265867; bh=zxd870DDcpK6rmpdZDkNFDm+Csvp56l+O3+9j0qRNDM=; h=Date:To:From:Cc:Subject:Message-ID:In-Reply-To:References: Feedback-ID:From:To:Cc:Date:Subject:Reply-To:Feedback-ID: Message-ID:BIMI-Selector; b=SR4P5OLN9U1u5KcfNuW2KsgbE2n06HiXgRXQc90Ve/w8KaTqu1WwMLb+2ohXVHoMy gJtMR+n0ZqYcJ6iHMb4dMRIwomVPCTtU/1yBTCVZxzSMBpg1+KE9rj3BtSt18J+wEP kh3qWVhFM1+dGcP9AbvRX3Krv6jORzg3Dp07FTulvaIUbWT4YAQLGvQUk0uLBXUfG1 8k9kY+bew9cVUhUr93T2mVpc9+fuc4z+sSs18nIMnjmItUFOkkZcEV4fNElmNsFqBT TSrQMiFCeTf9pxmhaaruoCDwPKS+Cykdbs4TfI0n94Y2Z6U81kNtQ0Wdn2rHXW1wR4 hAmSwWIxB/iVw== Date: Sat, 06 Dec 2025 07:37:43 +0000 To: Olivier Certner From: Wismos@proton.me Cc: freebsd-security@freebsd.org Subject: Re: Regarding PAM support for mdo Message-ID: In-Reply-To: <24612612.gYbqZ1YImA@ravel> References: <5yH9o0uW628frXojj_IKQVxRqtYT0Z9ZrqQp8eAbNXa3iuQoTT-Nm2zN_yNTc89dzFPvnrYkIIkL5yjmmFZ1z9FmaGpM7_sYJ0t1Ho2ktr0=@proton.me> <24612612.gYbqZ1YImA@ravel> Feedback-ID: 51325846:user:proton X-Pm-Message-ID: a530407270fb6db59d979a7d2f472c6881a24a6a List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Rspamd-Queue-Id: 4dNg830bTRz3tlw Thanks for the info > Hello, >=20 > > so i would be really glad to know if the reason were some blockers or s= ecurity wise issues i am not aware of >=20 > Yes, there was a reason: It doesn't fit in the current mac_do(4)/mdo(1) f= ramework in a straightforward manner. >=20 > mdo(1) is not a setuid executable (a feature), which basically means that= PAM, which expects to be root, is unlikely to function correctly. E.g., it= 's impossible on FreeBSD for a non-root user to validate some password agai= nst the database, as 'master.passwd' is only readable by 'root'. CAPSICUM p= rograms have the related problem of not having enough privileges for some o= perations, but their way out, libcasper(3), currently wouldn't solve our pr= oblem (still not enough privileges to access the password database) and cod= e would have to be written there for some PAM functions to be accessible th= rough it (it's mostly and perhaps only the authentication phase that could = interest us in PAM). >=20 > Using PAM also means starting to rely on the filesystem hierarchy, with i= mplications in terms of security when leveraging jails and chroots (confuse= d deputy issues, as described in August on hackers@). Currently, mdo(1) doe= s not read any configuration file at all, and thus is not subject to such p= roblems. They are however easy to avoid (by leveraging P2_NO_NEW_PRIVS; at = the price of functionality restrictions). >=20 > What is your goal exactly? Having a simple program like doas(1) replacing= sudo(8)? I'm evoking a number of possible mac_do(4)/mdo(1) evolutions in a= n article in the next FreeBSD Journal issue. One may be to have another exe= cutable, with the setuid mode bit set this time, that could leverage PAM wi= th full privileges, and drop them the rest of the time until calling setcre= d() (this code could be share with mdo(1)). Another is to have an ad-hoc au= thentication mechanism, but then we would still need a mechanism to safely = read a password database, e.g., communicate with a privileged server, which= still remains to be written. There are number of other solutions with diff= erent advantages/drawbacks. >=20 > The following steps are unclear, and mainly depend on user needs/feedback= s. >=20 > Thanks and regards. >=20 > -- > Olivier Certner my goal is to either have an authentication prompt setup for every time a p= rocess from a certain uid is trying to change credentials or to have a some= form of blacklist/whitelist to only allow certain processes to be able to = change credentials from the response it's clear that a password based authentication prompt is= not ideal for mdo currently but perhaps the whitelist/blacklist may work if we were able to figure out = how to make it know which process to escalate without introducing reliance = on filesytem hierarchy,perhaps MAC/veriexec might be suitable to verify the= executable file allowed to change credentials? looking forward to your thoughts and thanks again From nobody Sun Dec 7 11:28:30 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dPNCn1wl1z6KHQc for ; Sun, 07 Dec 2025 11:28:37 +0000 (UTC) (envelope-from hello@bacula-web.org) Received: from mail-106117.protonmail.ch (mail-106117.protonmail.ch [79.135.106.117]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "protonmail.com", Issuer "R13" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dPNCl4QcYz3DrX for ; Sun, 07 Dec 2025 11:28:35 +0000 (UTC) (envelope-from hello@bacula-web.org) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=bacula-web.org header.s=protonmail header.b=IYO2a16i; dmarc=pass (policy=none) header.from=bacula-web.org; spf=pass (mx1.freebsd.org: domain of hello@bacula-web.org designates 79.135.106.117 as permitted sender) smtp.mailfrom=hello@bacula-web.org DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bacula-web.org; s=protonmail; t=1765106912; x=1765366112; bh=4xEHN53vJD9N6Zj+V6UPrKj10Uvpm2hqj2Jn1WegdbY=; h=Date:To:From:Subject:Message-ID:Feedback-ID:From:To:Cc:Date: Subject:Reply-To:Feedback-ID:Message-ID:BIMI-Selector; b=IYO2a16ifbgztKCQonV+00zHrgR1JKaNTgR7IqCDsVvNJ1jfL5usIqQgJK2VrOys3 7ZXdWwaNXbDatvsn3joMn7Xeu/gUGA8w9/VlwEtPYLgYAhAv30znDjC6PuZpkoXjcW bS6bYrsN4Vwo/8314WYdp2tnCb/7/F6ehGZBLjx4cxnsZab6/csqA4V3fQrWAAChtE 1wAe4IdUND8Xg9T7M8ytcZjlglxfUi/GrYeTFKqyBmZnNiEqvWIybkLvvSEi5nFuM1 Tc3HxDgM89PMIeduxTE0ByGfDg/u7jGdV2xY8dSKgf0hVhFkc7kYqx6EgcOBmrvsIN 59s9HyOpxyYbQ== Date: Sun, 07 Dec 2025 11:28:30 +0000 To: "freebsd-security@FreeBSD.org" From: Bacula-Web project maintainer Subject: Guidance on how to handle FreeBSD port vulnerability Message-ID: Feedback-ID: 62987555:user:proton X-Pm-Message-ID: 327d13e7972f25f9b2a3525597396d96513abfd0 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="b1=_uTbZXVIEYfOu9uDkwHob2tWV6oO942NZN1ElC45cvo" X-Spamd-Bar: -- X-Spamd-Result: default: False [-2.35 / 15.00]; MIME_BASE64_TEXT_BOGUS(1.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000]; NEURAL_HAM_MEDIUM(-1.00)[-1.000]; DMARC_POLICY_ALLOW(-0.50)[bacula-web.org,none]; NEURAL_HAM_SHORT(-0.45)[-0.453]; R_DKIM_ALLOW(-0.20)[bacula-web.org:s=protonmail]; R_SPF_ALLOW(-0.20)[+ip4:79.135.106.0/24]; MIME_BASE64_TEXT(0.10)[]; MIME_GOOD(-0.10)[multipart/alternative,text/plain]; TO_DN_EQ_ADDR_ALL(0.00)[]; FROM_HAS_DN(0.00)[]; RCPT_COUNT_ONE(0.00)[1]; TO_MATCH_ENVRCPT_ALL(0.00)[]; DKIM_TRACE(0.00)[bacula-web.org:+]; MISSING_XM_UA(0.00)[]; ASN(0.00)[asn:62371, ipnet:79.135.106.0/24, country:CH]; MLMMJ_DEST(0.00)[freebsd-security@FreeBSD.org]; FROM_EQ_ENVFROM(0.00)[]; ARC_NA(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; BLOCKLISTDE_FAIL(0.00)[79.135.106.117:server fail]; RCVD_COUNT_ZERO(0.00)[0]; MIME_TRACE(0.00)[0:+,1:+,2:~] X-Rspamd-Queue-Id: 4dPNCl4QcYz3DrX --b1=_uTbZXVIEYfOu9uDkwHob2tWV6oO942NZN1ElC45cvo Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: base64 SGVsbG8gdGhlcmUsCgpJJ2QgbmVlZCBzb21lIGhlbHAgdG8gdGFja2xlIGEga25vd24gRnJlZUJT RCBwb3J0IHZ1bG5lcmFiaWxpdHkgd2hpY2ggZG9lc24ndCBzZWVtIHRvIGJlIHJlZmVyZW5jZWQg b24gRnJlc2hQb3J0Lm9yZy4KClRoZSBhZmZlY3RlZCBwb3J0IGlzIGh0dHBzOi8vd3d3LmZyZXNo cG9ydHMub3JnL3d3dy9iYWN1bGEtd2ViLy4KCkFsc28sIEknZCBsaWtlIHRvIHB1dCBzb21lIGVm Zm9ydHMgdG8ga2VlcCB1cGRhdGVkIGFib3ZlIHBvcnRzIGFzIGl0IGRlc2VydmUgc29tZSBtb3Jl ICJsb3ZlIi4KCkFuIGhpbnRzIC8gbGluayB0byBkb2N1bWVudGVkIHByb2Nlc3Mgd291bGQgYmUg bmljZS4KClRoYW5rcwoKQmVzdCwKCkRhdmlkZQ== --b1=_uTbZXVIEYfOu9uDkwHob2tWV6oO942NZN1ElC45cvo Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: base64 PGRpdiBzdHlsZT0iZm9udC1mYW1pbHk6IEFyaWFsLCBzYW5zLXNlcmlmOyBmb250LXNpemU6IDE0 cHg7Ij5IZWxsbyB0aGVyZSw8L2Rpdj48ZGl2IHN0eWxlPSJmb250LWZhbWlseTogQXJpYWwsIHNh bnMtc2VyaWY7IGZvbnQtc2l6ZTogMTRweDsiPjxicj48L2Rpdj48ZGl2IHN0eWxlPSJmb250LWZh bWlseTogQXJpYWwsIHNhbnMtc2VyaWY7IGZvbnQtc2l6ZTogMTRweDsiPkknZCBuZWVkIHNvbWUg aGVscCB0byB0YWNrbGUgYSBrbm93biBGcmVlQlNEIHBvcnQgdnVsbmVyYWJpbGl0eSB3aGljaCBk b2Vzbid0IHNlZW0gdG8gYmUgcmVmZXJlbmNlZCBvbiBGcmVzaFBvcnQub3JnLjwvZGl2PjxkaXYg c3R5bGU9ImZvbnQtZmFtaWx5OiBBcmlhbCwgc2Fucy1zZXJpZjsgZm9udC1zaXplOiAxNHB4OyI+ PGJyPjwvZGl2PjxkaXYgc3R5bGU9ImZvbnQtZmFtaWx5OiBBcmlhbCwgc2Fucy1zZXJpZjsgZm9u dC1zaXplOiAxNHB4OyI+VGhlIGFmZmVjdGVkIHBvcnQgaXMmbmJzcDs8c3Bhbj48YSB0YXJnZXQ9 Il9ibGFuayIgcmVsPSJub3JlZmVycmVyIG5vZm9sbG93IG5vb3BlbmVyIiBocmVmPSJodHRwczov L3d3dy5mcmVzaHBvcnRzLm9yZy93d3cvYmFjdWxhLXdlYi8iPmh0dHBzOi8vd3d3LmZyZXNocG9y dHMub3JnL3d3dy9iYWN1bGEtd2ViLzwvYT4uPC9zcGFuPjwvZGl2PjxkaXYgc3R5bGU9ImZvbnQt ZmFtaWx5OiBBcmlhbCwgc2Fucy1zZXJpZjsgZm9udC1zaXplOiAxNHB4OyI+PGJyPjwvZGl2Pjxk aXYgc3R5bGU9ImZvbnQtZmFtaWx5OiBBcmlhbCwgc2Fucy1zZXJpZjsgZm9udC1zaXplOiAxNHB4 OyI+QWxzbywgSSdkIGxpa2UgdG8gcHV0IHNvbWUgZWZmb3J0cyB0byBrZWVwIHVwZGF0ZWQgYWJv dmUgcG9ydHMgYXMgaXQgZGVzZXJ2ZSBzb21lIG1vcmUgImxvdmUiLjwvZGl2PjxkaXYgc3R5bGU9 ImZvbnQtZmFtaWx5OiBBcmlhbCwgc2Fucy1zZXJpZjsgZm9udC1zaXplOiAxNHB4OyI+PGJyPjwv ZGl2PjxkaXYgc3R5bGU9ImZvbnQtZmFtaWx5OiBBcmlhbCwgc2Fucy1zZXJpZjsgZm9udC1zaXpl OiAxNHB4OyI+QW4gaGludHMgLyBsaW5rIHRvIGRvY3VtZW50ZWQgcHJvY2VzcyB3b3VsZCBiZSBu aWNlLjwvZGl2PjxkaXYgc3R5bGU9ImZvbnQtZmFtaWx5OiBBcmlhbCwgc2Fucy1zZXJpZjsgZm9u dC1zaXplOiAxNHB4OyI+PGJyPjwvZGl2PjxkaXYgc3R5bGU9ImZvbnQtZmFtaWx5OiBBcmlhbCwg c2Fucy1zZXJpZjsgZm9udC1zaXplOiAxNHB4OyI+VGhhbmtzPC9kaXY+PGRpdiBzdHlsZT0iZm9u dC1mYW1pbHk6IEFyaWFsLCBzYW5zLXNlcmlmOyBmb250LXNpemU6IDE0cHg7Ij48YnI+PC9kaXY+ PGRpdiBzdHlsZT0iZm9udC1mYW1pbHk6IEFyaWFsLCBzYW5zLXNlcmlmOyBmb250LXNpemU6IDE0 cHg7Ij5CZXN0LDwvZGl2PjxkaXYgc3R5bGU9ImZvbnQtZmFtaWx5OiBBcmlhbCwgc2Fucy1zZXJp ZjsgZm9udC1zaXplOiAxNHB4OyI+PGJyPjwvZGl2PjxkaXYgc3R5bGU9ImZvbnQtZmFtaWx5OiBB cmlhbCwgc2Fucy1zZXJpZjsgZm9udC1zaXplOiAxNHB4OyI+RGF2aWRlPC9kaXY+DQo= --b1=_uTbZXVIEYfOu9uDkwHob2tWV6oO942NZN1ElC45cvo-- From nobody Sun Dec 7 11:35:27 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dPNMj1yxJz6KHyt for ; Sun, 07 Dec 2025 11:35:29 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R13" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dPNMj1S7rz3H86; Sun, 07 Dec 2025 11:35:29 +0000 (UTC) (envelope-from dim@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1765107329; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=d1kErx0+WTuCKc4vBwtXR33CgPY4cR8my7MR68jBQa0=; b=iNnhjg5qQy8qIE3NmkeR8OzrPs0cDuIvxocQgnBdpvQ2d0fGT+4s/JeV08bqCQ9vyFCb4g UOH4W6KUfEIwh/ViPcwygSzF5qrMYDIPUvp/C1flZQwLyWaN7iisB74j7jfJ+nX2jmP+xd 315qCk1UbDiFlHLAsKMz1aVGkkHEwYDGg+Bt7LTqSiexJhSURNKUa7hLpZHhptdr/DN3GV wrtkC+6L2CifhnkTrKOpltp9JzaP1aSTIgPlzwzAzG0T5Q2YTA6ow8OCqt3Rgs3EjSp7Xc NuMRmYkB2Sr2c4zXuCQ2ZRQf3/Jdn6060MIDrkbcvdQ4uiR7a8z2A0CROObsvA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1765107329; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=d1kErx0+WTuCKc4vBwtXR33CgPY4cR8my7MR68jBQa0=; b=HlMZFcZuWoGzGiopD73d6Hr2WadDm2IY0yDfpnq1fxHKYFb7yWMy1RmcDsQ4Gwz3BuMlws zU4renMtkEh7EpTGXUzbZhkxw2mt/Qp/0yIop2mgGi/iTSTHPzP2Qh4oXHPzv+19kks0PC 9ESyG3xnG5DsDLwvfwRTLCHNP11yqaau0CilM2r1ZW1XUUtGWMcB8P+mGMowCiOOM6VDZz h27lJdOAn3DeOJyqAPx/g2KzcGOwGEyXf+hcPKC5aj0lS5+AEQl9Jyk/EuyAVxZkMaXRXv B3oLSMZE0K0M9d5EGpMMROAKFKMNbj5Layxu6ZDttUE26wcG2W85wWCAXczR8A== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1765107329; a=rsa-sha256; cv=none; b=UsRDT/l2D1GBp0SqzGagbrNlPQ6f5LXk1Gw6sasB8yZm2mmg/Wxeb6T7vt6Tyf9lT8Ggqb bFSBHCVboN+5ozHipFKYuoYRyvMqzSxiRn/1ZPLKnh4J0Qk/2hpAbies4qUljgiMmo/+3C XMg1ryDCIUEBYvQGHAJpsmLSBPlSgLe4NxgnSZa+ukCM8r50OIleFUBI341Nrc14kE9Wq7 gOhtG3O99m1q/BYJ/LZp+eLIQJLbk5FPKW+mxRpB8lIa3DNbOroiwSU/a0+Zy0Gtk702oO qK63LG7NGVoW6K0hGBNEqS65gYcx9ckG03uVe8B5jricPNW24DCS86Sa1DUlXQ== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: from tensor.andric.com (tensor.andric.com [87.251.56.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature ECDSA (prime256v1) client-digest SHA256) (Client CN "tensor.andric.com", Issuer "E7" (verified OK)) (Authenticated sender: dim) by smtp.freebsd.org (Postfix) with ESMTPSA id 4dPNMj093TzGs9; Sun, 07 Dec 2025 11:35:28 +0000 (UTC) (envelope-from dim@FreeBSD.org) Received: from smtpclient.apple (bladnoch.home.andric.com [192.168.0.20]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by tensor.andric.com (Postfix) with ESMTPSA id A7DFA75179; Sun, 07 Dec 2025 12:35:27 +0100 (CET) Content-Type: text/plain; charset=us-ascii List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.700.81.1.3\)) Subject: Re: Guidance on how to handle FreeBSD port vulnerability From: Dimitry Andric In-Reply-To: Date: Sun, 7 Dec 2025 12:35:27 +0100 Cc: "freebsd-security@FreeBSD.org" Content-Transfer-Encoding: quoted-printable Message-Id: <11DA25E7-8840-4182-995A-B976439C2E04@FreeBSD.org> References: To: Bacula-Web project maintainer X-Mailer: Apple Mail (2.3826.700.81.1.3) On 7 Dec 2025, at 12:28, Bacula-Web project maintainer = wrote: >=20 >=20 > Hello there, >=20 > I'd need some help to tackle a known FreeBSD port vulnerability which = doesn't seem to be referenced on FreshPort.org. >=20 > The affected port is https://www.freshports.org/www/bacula-web/. >=20 > Also, I'd like to put some efforts to keep updated above ports as it = deserve some more "love". >=20 > An hints / link to documented process would be nice. Report a bug on https://bugs.freebsd.org/bugzilla/, the "Report an = update or defect to a port" link there is the most appropriate. If you = start the subject of the bug report with the string "www/bacula-web: " = it will automatically get assigned to the port maintainer, which at the = moment is ler@FreeBSD.org . -Dimitry