From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 221281] sysutils/ezjail should verify downloaded tarballs before use
Date: Sun, 06 Aug 2017 14:07:24 +0000
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221281

Bug ID: 221281
Summary: sysutils/ezjail should verify downloaded tarballs before use
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: freebsd-ports-bugs@FreeBSD.org
Reporter: rw@nelianur.org
CC: erdgeist@erdgeist.org
Flags: maintainer-feedback?(erdgeist@erdgeist.org)

Dear maintainer,

by default, "ezjail-admin install" will download and install release tarballs fetched via FTP without verifying their integrity. If an FTP mirror is compromised or a man-in-the-middle attack is conducted this will allow an attacker to execute arbitrary code within the jail.

I'm aware of the option to have ezjail-admin use files from a local directory instead and am using this myself. Still, I believe the default should not result in the above situation, particularly since the handbook recommends ezjail to novice users.

That said, I'm not sure how to implement this feature in FreeBSD. The .asc release announcements are signed and include checksums of all release artifacts. If the GPG public keys used for signing this .asc were installed on the host one could at least ensure that the downloaded files are as genuine as the host OS. If the user has verified the installation media used for the host OS a proper chain of trust would be established. This is how some Linux distributions (Debian) and OpenBSD have addressed this problem. Unfortunately, FreeBSD does not appear to ship the signing public keys as part of the released images.

At a minimum, ezjail should include a list of trusted checksums as part of the port/package. This does, however, put the burden of verifying this list and keeping it up to date on the maintainer.

Cheers,
Rene

-- 
You are receiving this mail because:
You are the assignee for the bug.
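The check the report asks for, written out as an added example that is neither ezjail's code nor part of the bug report: the signature on the clear-signed release announcement is verified against a keyring the operator already trusts, and only then is the tarball's SHA256 compared with the announcement's `SHA256 (file) = hex` line. The function names, the `KEYRING` file and the use of `sha256`/`sha256sum` are assumptions of this example.

```shell
# Verify a release tarball against the checksum lines of a signed release
# announcement before unpacking it. Constructed for this example; it is
# not ezjail's code. Assumes the announcement carries BSD-style
# "SHA256 (file) = hex" lines and that the signing key is already in a
# keyring the operator trusts (the report notes FreeBSD does not ship it).

# Hex SHA256 digest of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                    # FreeBSD base system
    else
        sha256sum "$1" | cut -d' ' -f1    # GNU coreutils
    fi
}

# Expected digest for file name $2 from manifest $1; prints nothing if absent.
expected_sha256() {
    awk -v n="$2" '$1 == "SHA256" && $2 == ("(" n ")") { print $NF; exit }' "$1"
}

# Exit status: 0 digest matches, 1 digest differs, 2 no entry for the file.
# A caller must refuse to unpack on anything but 0.
verify_tarball() {
    tarball=$1; manifest=$2
    name=$(basename "$tarball")
    want=$(expected_sha256 "$manifest" "$name")
    if [ -z "$want" ]; then
        echo "no SHA256 entry for $name in $manifest" >&2
        return 2
    fi
    have=$(sha256_of "$tarball")
    if [ "$have" != "$want" ]; then
        echo "checksum mismatch for $name: expected $want, got $have" >&2
        return 1
    fi
    return 0
}

# Check the clear-signed announcement $1 against keyring $2 only; the
# checksum lines mean nothing until this succeeds.
verify_manifest_sig() {
    gpg --no-default-keyring --keyring "$2" --verify "$1"
}

# Usage: sh verify-release.sh base.txz announcement.asc KEYRING
if [ "$#" -eq 3 ]; then
    verify_manifest_sig "$2" "$3" && verify_tarball "$1" "$2"
fi
```

Distinct exit codes let a wrapper tell "file not listed" (a wrong or stale manifest) from "file altered in transit", which is the case the report is concerned with.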