Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 9 Apr 2021 18:37:37 +0200
From:      Johannes Meixner <johannes@meixner.ch>
To:        Stefan Blachmann <sblachmann@gmail.com>
Cc:        freebsd-security <FreeBSD-security@freebsd.org>
Subject:   Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID:  <CAEf8xb0HPKGr-YO5wVOpN4etsMUbA2eYxOCDH3W7WoDsLEvRTQ@mail.gmail.com>
In-Reply-To: <CACc-My1Uqvy1Y9yv8tVAyZ=nUu_JtOqeY9iSLOtwUW=xuA_i2Q@mail.gmail.com>
References:  <CACc-My1b32PLyeOU4hMDCBGaVzU1GLSrgAft95zMb5U7p7eRwQ@mail.gmail.com> <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd> <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz> <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd> <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org> <CACc-My2PMzaiwqZUnTEhzKY5U3n0GzjOXMmsgPEVjf5Zyn4F4w@mail.gmail.com> <20210408162402.en6dxevum7se2ndj@mutt-hbsd> <CACc-My1Uqvy1Y9yv8tVAyZ=nUu_JtOqeY9iSLOtwUW=xuA_i2Q@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
This is getting tiresome.

Please have a look the relevant handbook passage before shitpoasting on a
security mailing list.

At
https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install=
.html

you can find strongly worded notes on this topic.

Important:

This script is here to help you set up the package so that it is as ready
to use as possible. It *must not* be abused to start services, stop
services, or run any other commands that will modify the currently running
system.

Which part of "must not" is unclear?

Lapses happen - we have policies to prevent them ahead of time and yet,
things can still fall through.

Get on with it.



On Fri, 9 Apr 2021, 11:22 Stefan Blachmann, <sblachmann@gmail.com> wrote:

> The deeper-lying problem is the almost complete lack of policy what is
> allowed and not for installer scripts.
> And the complete lack of policy what to do in case of violations, no
> matter whether intentional or not.
>
> Other appstores (the pkg system is de facto an appstore) have policies
> that are being enforced to protect their customers, for example by
> (temporarily) taking down apps that behave dubiously.
>
> When in lack of agreed-upon rules/policies/laws the "police" does not
> dare to do anything, in fear to hurt anybody's feelings, isn't it then
> an useless placebo police?
>
> The issue has been reported and said to be fixed more than three
> months ago, and the problem still is there like if nothing had be
> done.
>
> If you are not able to understand that advocators and users get angry
> rightfully and want to have the deeper-lying issues addressed and
> solved, which have led to such problems, then this might be a
> complacency issue.
> And from another perspective, it might be seen as an entitlement
> mentality if developers expect users to fix their bugs, and even
> provide them with ready-to-use patches.
>
> I apologize if I hurt feelings by getting angered over this.
> But seeing quite some people having tried to get the issue solved in a
> quiet, polite manner without achieving any effective progress,
> indicated to me that this approach would not be fruitful.
> Sometimes it is necessary to raise the voice, even at the risk of
> making oneself unpopular.
>
> I would be happy if this incident would lead to a discussion and
> setting up rules/policies that in future can prevent such things
> happen and persist unsolved.
>
> On 4/8/21, Shawn Webb <shawn.webb@hardenedbsd.org> wrote:
> > On Thu, Apr 08, 2021 at 04:50:17AM +0200, Stefan Blachmann wrote:
> >> The answers I got from both "Security Officers" surprised me so much
> >> that I had to let that settle a bit to understand the implications.
> >>
> >>
> >> Looking at the FreeBSD Porters' Handbook
> >> [
> https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-insta=
ll.html
> ],
> >> it describes the purpose of the package pre- and postinstallation
> >> scripts as to "set up the package so that it is as ready to use as
> >> possible".
> >>
> >> It explicitly names only a few actions that are forbidden for them to
> >> do: "...must not be abused to start services, stop services, or run
> >> any other commands that will modify the currently running system."
> >>
> >> Anything else is apparently deemed =E2=80=9Callowed=E2=80=9D.
> >> Spying out the machine and its configuration, sending that data to an
> >> external entity =E2=80=93 perfectly OK. Not a problem at all.
> >>
> >> This has been proved by the handling of this last BSDstats security
> >> incident, where the FreeBSD =E2=80=9Cpkg=E2=80=9D utility is being abu=
sed to run
> >> spyware without the users=E2=80=99 pre-knowledge and without his conte=
nt.
> >>
> >> This abuse is apparently being considered acceptable by both FreeBSD
> >> and HardenedBSD security officers.
> >> Instead of taking action, you "security officers" tell the FreeBSD
> >> users that it is their own guilt that they got =E2=80=9Cpwnd=E2=80=9D.
> >> Just because they trustingly installed software from the package repo
> >> hosted by FreeBSD, without religiously-carefully auditing every and
> >> each packages' pre- and postinstallation script before actual install,
> >> using the =E2=80=9Cpkg -I=E2=80=9D option.
> >>
> >> Indeed, I felt very surprised that the =E2=80=9CSecurity Officer=E2=80=
=9D of =E2=80=9CHardened
> >> BSD=E2=80=9D chimed in, only to publicly demonstrate his lack of compe=
tence to
> >> recognize obvious security problems.
> >> Like two fish caught with a single hook!
> >
> > 1. Ad hominem much? I understand the underlying problem very well.
> > 2. Your hostility is incredibly annoying.
> > 3. You attribute malice where there is none.
> > 4. This is volunteer work, where volunteers have everyones well-being
> >    in mind.
> > 5. Threatening to go to journalists accomplishes... what? What makes
> >    you think journalists are NOT paying attention to this list? What
> >    makes you think journalists care about you?
> > 6. I really, really, really, really, really hate the "Karen" meme. But
> >    it fits incredibly well here.
> > 7. Where can I review your patches that fix the problem?
> > 8. Entitlement mentality much?
> >
> > Sure, the bsdstats package shouldn't submit just on "pkg install."
> > Instead of fixing the problem, you went the hostile route.
> >
> > I'm sure you won't learn anything from this, but I hope you do. To me,
> > it reinforces how random people feel entitled to force their will on
> > others.
> >
> > Thanks,
> >
> > --
> > Shawn Webb
> > Cofounder / Security Engineer
> > HardenedBSD
> >
> >
> https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/0=
3A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc
> >
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.or=
g
> "
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAEf8xb0HPKGr-YO5wVOpN4etsMUbA2eYxOCDH3W7WoDsLEvRTQ>