From owner-freebsd-stable@FreeBSD.ORG Wed Dec 4 23:02:03 2013
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 950DC2FE for ; Wed, 4 Dec 2013 23:02:03 +0000 (UTC)
Received: from isis.morrow.me.uk (isis.morrow.me.uk [204.109.63.142]) by mx1.freebsd.org (Postfix) with ESMTP id 6B3061849 for ; Wed, 4 Dec 2013 23:02:03 +0000 (UTC)
Received: from anubis.morrow.me.uk (host86-140-233-167.range86-140.btcentralplus.com [86.140.233.167]) (Authenticated sender: mauzo) by isis.morrow.me.uk (Postfix) with ESMTPSA id 4DA84450BF for ; Wed, 4 Dec 2013 23:02:02 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.8.3 isis.morrow.me.uk 4DA84450BF
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=morrow.me.uk; s=dkim201101; t=1386198122; bh=Kx2QLA+d/LNqeq3VGnbqeYR88f6bawaNHVGTkCy7UbA=; h=Date:From:To:Subject:References:In-Reply-To; b=aeLdkOrTg9/hZZhJo3uhfmbCUqRCirFrgBYeVa/jvgvbetgAhDt9yRuoF5TV8mCMz YZM2mqafprIQbk2saE5PyWyk/mVg79BAx3g0Rw8EgAvAmSjqHfHCC4Gi1OZcijMuo8 EFvcyaoDOCXikLdj6uZ//SKQwhfQ2ZdR/dwygzYA=
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.98 at isis.morrow.me.uk
Received: by anubis.morrow.me.uk (Postfix, from userid 5001) id 823BEF5FC; Wed, 4 Dec 2013 23:01:59 +0000 (GMT)
Date: Wed, 4 Dec 2013 23:01:59 +0000
From: Ben Morrow
To: freebsd-stable@freebsd.org
Subject: Re: 10.0-BETA4 bsdinstall zfs encryption broken
Message-ID: <20131204230155.GA40375@anubis.morrow.me.uk>
References: <099CD122-B7D8-4FC1-9C99-F19248418CD0@fisglobal.com> <20131204201312.GA39227@anubis.morrow.me.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <529F9A0F.3080608@bluerosetech.com>
X-Newsgroups: gmane.os.freebsd.stable
User-Agent: Mutt/1.5.22 (2013-10-16)
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Production branch of FreeBSD source code
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 04 Dec 2013 23:02:03 -0000

Quoth Darren Pilgrim :
> On 12/4/2013 12:13 PM, Ben Morrow wrote:
> > Quoth Devin Teske :
> >>
> >> The procedure I use is to take the existing ISO and...
> >>
> >> 1. use mdconfig to access it
> >> 2. use mount_cd9660 to mount it
> >> 3. use rsync to copy the contents to a local dir
> >
> > It's more secure to use tar for these three steps. Filesystems generally
> > aren't hardened against malicious input.
>
> I'm curious about this statement. What extra security would tar get
> you? Tar would be faster, but I can't think of how it would be more
> secure since it's all going to end up on the same filesystem either way.

Tar can extract files from an ISO without using mdconfig or the kernel's
cd9660 filesystem. It's possible that a maliciously corrupted ISO image
could cause a buffer overflow or similar inside the cd9660 filesystem
code; at that point you've got a kernel-mode security breach. Tar's
implementation of ISO9660 (in libarchive) runs in usermode with the
current user's privileges, so the potential consequences of a bug are
much less serious.

Ben
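To make the "filesystems aren't hardened against malicious input" point concrete from the defender's side, here is an added example that is not code from the thread, from FreeBSD, or from libarchive: a small, bounds-checked reader for the ISO 9660 primary volume descriptor and root directory, written in Python and fed a constructed in-memory image plus two deliberately inconsistent variants of it. Every length and extent field is validated against the buffer before it is used, so a corrupt image is rejected with an error rather than read out of bounds. That is exactly the failure a userland extractor can afford to have (the process exits with the user's privileges), and exactly the one a kernel filesystem driver cannot. Field offsets follow the ECMA-119 layout; the image contents, file names and tamper cases are constructed for the demo.

```python
"""Bounds-checked ISO 9660 root-directory reader (added example; constructed image)."""
import struct

SECTOR = 2048       # ISO 9660 logical sector size
PVD_SECTOR = 16     # primary volume descriptor is always at sector 16


class BadImage(ValueError):
    """Raised instead of reading outside the buffer when a field is inconsistent."""


def make_record(extent, size, flags, name):
    """Build one directory record (ECMA-119 9.1) for the constructed sample image."""
    rec_len = 33 + len(name)
    rec_len += rec_len % 2                   # records are padded to an even length
    rec = bytearray(rec_len)
    rec[0] = rec_len
    struct.pack_into("<I", rec, 2, extent)   # "both-endian" fields: LE copy ...
    struct.pack_into(">I", rec, 6, extent)   # ... followed by BE copy
    struct.pack_into("<I", rec, 10, size)
    struct.pack_into(">I", rec, 14, size)
    rec[25] = flags                          # bit 1 set => directory
    struct.pack_into("<H", rec, 28, 1)       # volume sequence number
    struct.pack_into(">H", rec, 30, 1)
    rec[32] = len(name)
    rec[33:33 + len(name)] = name
    return bytes(rec)


def build_sample_image():
    """Constructed 20-sector image: PVD at sector 16, root dir at 18, file data at 19."""
    img = bytearray(20 * SECTOR)
    pvd = PVD_SECTOR * SECTOR
    img[pvd] = 1                                     # descriptor type 1 = primary
    img[pvd + 1:pvd + 6] = b"CD001"
    img[pvd + 6] = 1                                 # descriptor version
    struct.pack_into("<H", img, pvd + 128, SECTOR)   # logical block size (both-endian)
    struct.pack_into(">H", img, pvd + 130, SECTOR)
    root = make_record(18, SECTOR, 2, b"\x00")       # root record: bytes 156..189 of PVD
    img[pvd + 156:pvd + 156 + len(root)] = root
    off = 18 * SECTOR
    for rec in (make_record(18, SECTOR, 2, b"\x00"),          # "."
                make_record(18, SECTOR, 2, b"\x01"),          # ".."
                make_record(19, 6, 0, b"README.TXT;1"),
                make_record(19, 6, 0, b"NOTES.TXT;1")):
        img[off:off + len(rec)] = rec
        off += len(rec)
    img[19 * SECTOR:19 * SECTOR + 6] = b"hello\n"
    return bytes(img)


def tampered_image(kind):
    """Constructed corrupt variants: an oversized name length, or a root extent size
    that does not fit in the image."""
    img = bytearray(build_sample_image())
    if kind == "name_len":
        readme = 18 * SECTOR + 34 + 34      # third record, after "." and ".." (34 bytes each)
        img[readme + 32] = 200              # claims a 200-byte name inside a 46-byte record
    elif kind == "root_size":
        pvd = PVD_SECTOR * SECTOR
        struct.pack_into("<I", img, pvd + 156 + 10, 0xFFFFFFFF)
    else:
        raise ValueError(kind)
    return bytes(img)


def parse_record(buf, off, end):
    """Parse the record at buf[off:], never touching bytes at or past `end`."""
    if off + 33 > end:
        raise BadImage("truncated directory record")
    rec_len = buf[off]
    if rec_len < 33 or off + rec_len > end:
        raise BadImage("record length %d leaves the directory extent" % rec_len)
    name_len = buf[off + 32]
    if 33 + name_len > rec_len:
        raise BadImage("name length %d exceeds record length %d" % (name_len, rec_len))
    return {"extent": struct.unpack_from("<I", buf, off + 2)[0],
            "size": struct.unpack_from("<I", buf, off + 10)[0],
            "is_dir": bool(buf[off + 25] & 2),
            "name": bytes(buf[off + 33:off + 33 + name_len]),
            "len": rec_len}


def read_root(img):
    """Locate and validate the PVD, then return its root directory record."""
    off = PVD_SECTOR * SECTOR
    if len(img) < off + SECTOR:
        raise BadImage("image too short for a primary volume descriptor")
    if img[off] != 1 or img[off + 1:off + 6] != b"CD001":
        raise BadImage("no primary volume descriptor at sector 16")
    if struct.unpack_from("<H", img, off + 128)[0] != SECTOR:
        raise BadImage("unsupported logical block size")
    return parse_record(img, off + 156, off + 190)


def list_dir(img, rec):
    """Records of a directory, after checking its extent fits inside the image."""
    if rec["size"] > len(img) or rec["extent"] > (len(img) - rec["size"]) // SECTOR:
        raise BadImage("directory extent %d+%d lies outside the image" % (rec["extent"], rec["size"]))
    start = rec["extent"] * SECTOR
    end = start + rec["size"]
    entries, off = [], start
    while off < end:
        if img[off] == 0:                    # zero length: rest of this sector is padding
            off = (off // SECTOR + 1) * SECTOR
            continue
        r = parse_record(img, off, end)
        entries.append(r)
        off += r["len"]
    return entries


def try_root_names(img):
    """("ok", names) for a consistent image, ("rejected", reason) for a corrupt one."""
    try:
        names = [r["name"].decode("ascii") for r in list_dir(img, read_root(img))
                 if r["name"] not in (b"\x00", b"\x01")]
        return ("ok", names)
    except BadImage as e:
        return ("rejected", str(e))


if __name__ == "__main__":
    print(try_root_names(build_sample_image()))
    print(try_root_names(tampered_image("name_len")))
    print(try_root_names(tampered_image("root_size")))
```

The two tamper cases are the classic shapes of a filesystem-parser bug: a length byte that exceeds the structure containing it, and a block pointer that points past the end of the device. A parser that trusts either one will index past its buffer; here each is caught by an explicit comparison before the index is used.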