From: Peter Jeremy <PeterJeremy@optushome.com.au>
To: Andreas Nemeth
Cc: freebsd-security@freebsd.org
Date: Thu, 1 Dec 2005 04:58:36 +1100
Subject: Re: Reflections on Trusting Trust
Message-ID: <20051130175835.GD32006@cirb503493.alcatel.com.au>
In-Reply-To: <200511301336.10782.andreas.nemeth@aporem.net>
References: <20051129120151.5A2FB16A420@hub.freebsd.org> <438CE78F.303@freebsd.org> <4155.193.68.33.1.1133340924.squirrel@193.68.33.1> <200511301336.10782.andreas.nemeth@aporem.net>
X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc

On Wed, 2005-Nov-30 13:36:10 +0100, Andreas Nemeth wrote:
>On Wednesday 30 November 2005 09:55, Ádám Szilveszter wrote:
>> Which practically begs the question: could we, pretty please, change the
>> defaults and stop encouraging people to download distfiles and
>> compile them when using the ports tree as *root*?
>
>Second that. But I feel a little uneasy about making /usr/ports/ group
>writeable for wheel or giving it to a "normal" user on the system.

By default, /usr/ports is used to store:
- A checked-out copy of the ports tree as stored in CVS.
- INDEX-* - This is hard-wired in the Makefile infrastructure
- Compilation/work directories - overridable with WRKDIRPREFIX
- distfiles - overridable with DISTDIR
- packages - overridable with PACKAGES
- portupgrade's INDEX*.db - overridable with PORTS_DBDIR

Rather than making /usr/ports writable by anyone other than root (if you
don't want to), you can create alternative locations for distfiles, work
directories (and package directories) so a normal user can download and
compile ports. At one stage, editors/openoffice.org-1.1 wouldn't build if
WRKDIRPREFIX was set but that has been fixed. I haven't run into any other
problems (though it might be interesting for the build cluster to verify
that).

Note that the only ports-related file that can't be moved out of the ports
tree is 'INDEX'. This is annoying (I'd like to be able to RO export /usr/ports
across several FreeBSD variants) but 'make index' only uses information
within the ports tree and so isn't dangerous.

>And what about the +INSTALL and +DEINSTALL scripts some ports want to run?

I don't think any package management system has managed to avoid needing
scripts to handle some functions. This is primarily an issue if you are
installing a package because the scripts come out of your ports tree if you
built the port. (AFAIK, no ports create these scripts on the fly).

>Those I've seen ensure that a certain user exists. Therefore they roam
>around in /etc. And, hence, require root privileges.

>BTW, those scripts fail (of course), if /tmp is mounted with the noexec
>option.

I think the solution to this is to set PKG_TMPDIR somewhere else.

-- 
Peter Jeremy
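The layout Peter describes (a read-only /usr/ports with WRKDIRPREFIX, DISTDIR, PACKAGES, PORTS_DBDIR and PKG_TMPDIR pointed at per-user directories), as an added example that is not part of the original post: a POSIX sh script that creates those directories, writes the make.conf fragment, and checks that no writable build location falls inside the ports tree. The directory names under the base and the two function names are my own choices.

```shell
#!/bin/sh
# Constructed example: per-user build locations for an unprivileged ports
# build, so /usr/ports itself can stay owned by root (or be exported RO).

# setup_user_ports_dirs <base_dir> <makeconf_fragment>
# Creates the per-user directories and writes the make(1) variables that
# redirect every writable ports location out of the ports tree.
setup_user_ports_dirs() {
    base="$1"; conf="$2"
    for d in work distfiles packages ports-db tmp; do
        mkdir -p "$base/$d" || return 1
    done
    cat > "$conf" <<EOF
# Per-user ports build locations; keeps the ports tree read-only for this user.
WRKDIRPREFIX=$base/work
DISTDIR=$base/distfiles
PACKAGES=$base/packages
PORTS_DBDIR=$base/ports-db
PKG_TMPDIR=$base/tmp
EOF
}

# check_ports_layout <makeconf_fragment> [ports_tree]
# Fails if any of the five variables is unset, points inside the ports tree
# (defaults to /usr/ports), or names a directory this user cannot write.
check_ports_layout() {
    conf="$1"; portsdir="${2:-/usr/ports}"
    for var in WRKDIRPREFIX DISTDIR PACKAGES PORTS_DBDIR PKG_TMPDIR; do
        val=$(sed -n "s/^${var}=//p" "$conf")
        [ -n "$val" ] || { echo "$var is not set in $conf" >&2; return 1; }
        case "$val" in
            "$portsdir"|"$portsdir"/*)
                echo "$var=$val lies inside $portsdir" >&2; return 1 ;;
        esac
        [ -d "$val" ] && [ -w "$val" ] || {
            echo "$var=$val is not a writable directory" >&2; return 1; }
    done
    return 0
}
```

The fragment can be appended to the user's own make.conf (or passed via __MAKE_CONF) rather than /etc/make.conf; PKG_TMPDIR also sidesteps a noexec /tmp for the +INSTALL scripts mentioned above.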