From: Kimmo Paasiala
To: Daniel Nebdal
Cc: mexas@bris.ac.uk, Boris Samorodov, Ports FreeBSD
Date: Mon, 7 Oct 2013 16:48:34 +0300
Subject: Re: Explain staging
On Mon, Oct 7, 2013 at 4:36 PM, Daniel Nebdal wrote:
> On Mon, Oct 7, 2013 at 2:52 PM, Anton Shterenlikht wrote:
>> >From bsam@passap.ru Mon Oct 7 13:36:53 2013
>>>
>>> 07.10.2013 13:23, Anton Shterenlikht writes:
>>>
>>>> What about "make fetch"? It puts files by default under
>>>> ports/distfiles, which, by default, is 755:
>>> [...]
>>>> What about "make extract"? Same problem:
>>>
>>> I have used an svn repo owned by a user for ages. When root rights are needed,
>>> the ports infrastructure asks for the password.
>>
>> I've read a few books on unix security.
>> The typical advice is to assume the user
>> passwords are compromised.
>> If I build and install from a ports tree
>> owned by a user, I increase the chances of
>> compromising the system, if an attacker
>> changes some files in the ports tree,
>> i.e. the URL in the Makefile and the checksum
>> in distinfo. I'll then have to add this worry
>> to my already long list.
>>
>> Anton
>>
>
> If that happens to an account used by an admin, don't you have larger worries?
>
> Let's say:
> * You have an account with no special privileges, that you typically
> log in with.
> * That account has a ports tree
> * You typically install ports by compiling them as this user, then
> installing them with root privileges.
>
> If you use sudo, and you haven't used targetpw or something to make it
> ask for a different password, and you haven't set any strong limits on
> it, anyone that got your password would also be able to use sudo to do
> whatever they wanted more directly. So let's assume you're not doing
> that.
>
> An attacker with your password could meddle with your .profile or
> .cshrc or whatever, and replace your shell with a lookalike that
> logged all input. From there, they could get hold of whatever commands
> and passwords you use to install software, and reuse that to install
> whatever they want directly. If what you use is sudo, somehow
> restricted to only run make install, and only within that ports tree
> ... again, what would keep an attacker from just modifying any random
> port on the fly, installing it there and then, and then reverting the
> changes to reduce the risk of detection?
>
> It just seems like leaving a timebomb in the form of a modified ports
> directory would be a fairly inefficient thing to do if they'd already
> gotten that far, and it would run the risk of being overwritten
> and/or detected next time you updated your ports tree. Of course, if
> you set the ports tree a+w (or, heaven forbid, 0777), you'd be asking
> for trouble ... but that's not new.
>
>
> Then again, I might have overlooked something. :)
>

In my opinion fetching and building (and creating packages if using staging) as a non-privileged user is always safer than doing the same things as root. The common advice on security is to AVOID using admin/root privileges as much as possible to minimize the attack vectors.

-Kimmo
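A check for the two ports-tree conditions the thread treats as dangerous (entries that are world-writable, the "a+w" / 0777 case, and entries not owned by the account that is supposed to own the tree), as an added example that is not part of the thread; the tree path and owner are arguments and the usage paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a user-owned ports tree for
# world-writable entries and for entries owned by someone other than the
# expected account. Returns 0 when clean, 1 when something was found,
# 2 when the tree does not exist. Assumes only POSIX sh and find(1).

audit_ports_tree() {
    tree=$1      # e.g. "$HOME/ports" (path is an assumption)
    owner=$2     # account that should own every entry, e.g. "$(id -un)"
    rc=0

    if [ ! -d "$tree" ]; then
        printf 'no such ports tree: %s\n' "$tree" >&2
        return 2
    fi

    # World-writable files or directories: any local account could edit a
    # Makefile or distinfo before the next "make install". Symlinks are
    # skipped because their mode bits are always 0777 and carry no meaning.
    ww=$(find "$tree" ! -type l -perm -0002 -print 2>/dev/null)
    if [ -n "$ww" ]; then
        printf 'world-writable entries under %s:\n%s\n' "$tree" "$ww"
        rc=1
    fi

    # Entries not owned by the expected account: a sign the tree was written
    # to under another identity (for example as root by mistake).
    foreign=$(find "$tree" ! -user "$owner" -print 2>/dev/null)
    if [ -n "$foreign" ]; then
        printf 'entries under %s not owned by %s:\n%s\n' "$tree" "$owner" "$foreign"
        rc=1
    fi

    return $rc
}

# Usage with assumed paths:
#   audit_ports_tree "$HOME/ports" "$(id -un)"
```

Run it before each "make install" from a user-owned tree; a non-zero exit is the signal to inspect the listed entries rather than build from them.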