From owner-freebsd-questions  Sat May 25 14:44:59 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from obsecurity.dyndns.org (adsl-64-169-107-187.dsl.lsan03.pacbell.net [64.169.107.187])
	by hub.freebsd.org (Postfix) with ESMTP id 8FA6137B401
	for <freebsd-questions@FreeBSD.ORG>; Sat, 25 May 2002 14:44:55 -0700 (PDT)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000)
	id 1B7C466C32; Sat, 25 May 2002 14:44:55 -0700 (PDT)
Date: Sat, 25 May 2002 14:44:55 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Jean-Yves Lefort <jylefort@brutele.be>
Cc: Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: Building ports as a non priviledged user
Message-ID: <20020525144454.B61075@xor.obsecurity.org>
References: <20020525225808.08ac014c.jylefort@brutele.be>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5;
	protocol="application/pgp-signature"; boundary="uQr8t48UFsdbeI+V"
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020525225808.08ac014c.jylefort@brutele.be>; from jylefort@brutele.be on Sat, May 25, 2002 at 10:58:08PM +0200
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG


--uQr8t48UFsdbeI+V
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, May 25, 2002 at 10:58:08PM +0200, Jean-Yves Lefort wrote:
> Hi,
>=20
> A backdoor has been found in Irssi's configure script. It compiled a
> little C program which connected to some host and spawned a shell.
>=20
> Since FreeBSD ports are built as root by default, the attacker would
> have gained a rootshell, instead of a non-priviledged shell.
>=20
> Is there a way to build FreeBSD ports using a non-priviledged account,
> and only install them as root?

A moment's thought will reveal that this actually wouldn't provide
extra security, because the backdoor could just do the bad thing at
install-time.

You can do it if you want to though -- it should just work, assuming
you have the permissions set up properly.

Kris
--uQr8t48UFsdbeI+V
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE88AXWWry0BWjoQKURAp15AJ42xyUIFiFSrYo0UTcqJlai1qPRuACfbZWs
ek4VsSuS+BFhuOfc7wbEDjg=
=sxVQ
-----END PGP SIGNATURE-----

--uQr8t48UFsdbeI+V--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message