From: Damien Fleuriot
Date: Thu, 12 Jan 2017 21:21:16 +0100
Subject: Re: [ports] finding an orphan to maintain
To: Damien Fleuriot, "freebsd-questions@freebsd.org"

On 12 January 2017 at 17:47, Roland Smith wrote:
> On Wed, Jan 11, 2017 at 12:53:02PM +0100, Damien Fleuriot wrote:
>> Thanks for the additional input Roland.
>>
>> I currently have my eye on shells/lshell, which we use here on
>> 10-STABLE for PCI-DSS compliance (restricting and logging commands).
>
> In this case you might want to look at auditing;
> https://www.freebsd.org/doc/handbook/audit.html
>
> While the handbook explains how it works, I haven't really found good examples
> of its use.
>

I thank you for the input and have indeed already looked at auditd. While it does provide very good logging, it only answers one of the prerequisites, logging, not actual command restriction.

We do have another constraint, which is that the software be portable to Linux as well, so as to not maintain 2 different sets of logging/restriction stacks.

>> It so happens the current (0.9.16_2) version on FreeBSD suffers from a
>> nasty case of shell escape:
>> https://github.com/ghantoos/lshell/issues/151
>> root:~$ echo () sh && echo
>> #
>> ^-- uh oh...
>
> Oops.
>
> Looking at the discussion of the issue, I get the impression that there are
> some fundamental problems with the way lshell parses and executes commands.
>

Aye, the bug reporter seems quite adamant that, quote, the software is entirely broken.

>> I cannot seem to reproduce when using the latest master branch, and am
>> seeking confirmation in the bug thread that I'm actually trying to
>> reproduce correctly.
>>
>> If it should transpire that the problem is indeed fixed in the master,
>> I shall try and update the port to the latest version.
>
> The port now uses SourceForge, which is getting a bad reputation these days
> for adding crap to binary installers. This is probably not an issue with
> tarballs, but it makes me wonder if they are still trustworthy. You might
> want to consider switching to github. If you do, read
> /usr/ports/Mk/bsd.sites.mk on how to properly do that in the port Makefile.
>

When (if) I manage to get Poudriere up and running (it's currently bitching about a missing /usr/local/share/poudriere/jail.sh), I shall be able to submit run tests for a patched version of shells/lshell.

The aim is to bring it up to upstream from GitHub at version 0.9.18.

Sadly, a lot of vulns were patched since 0.9.18 and there is no further release tag. I've asked for one today; wait and see.

I shall take a look at bsd.sites.mk. I've currently put the actual URL in MASTER_SITES, but there may be a more elegant way, such as using the GH macro.
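Added example, not lshell's code and not from the thread: a defender's sketch of the two prerequisites named above (restriction plus logging) done in a way that the quoted `echo () sh && echo` line cannot slip past. It tokenizes the input with shlex so that bare operators, including the `()` of a function definition, become their own tokens and are refused; checks argv[0] against an allow-list; writes an audit line for every decision; and executes argv directly, never through /bin/sh. The allow-list, user name and logging setup are constructed for the example; it assumes Python 3.8+ (for whitespace_split together with punctuation_chars).

```python
import logging
import shlex
import subprocess

# Constructed allow-list for this example; a real policy is site-specific.
ALLOWED = {"echo", "ls", "cat"}
PUNCT = "();<>|&"  # shlex's default punctuation_chars set

log = logging.getLogger("restricted-shell")
logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")


def vet_command(line: str, allowed=ALLOWED):
    """Return (argv, None) for one permitted simple command, else (None, reason).

    shlex with punctuation_chars splits bare shell operators into their own
    tokens while leaving quoted text alone: 'echo () sh && echo' becomes
    ['echo', '()', 'sh', '&&', 'echo'], so '()' and '&&' can be refused,
    whereas "echo 'a && b'" stays ['echo', 'a && b'] and is harmless because
    nothing here is ever handed to a shell for interpretation.
    """
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # Python 3.8+: split on whitespace and operators only
    try:
        argv = list(lex)
    except ValueError as exc:  # unbalanced quotes
        return None, f"malformed quoting: {exc}"
    if not argv:
        return None, "empty command"
    for tok in argv:
        if tok and all(c in PUNCT for c in tok):
            return None, f"shell operator not permitted: {tok!r}"
    if argv[0] not in allowed:
        return None, f"command not permitted: {argv[0]!r}"
    return argv, None


def run_restricted(line: str, user: str = "example-user") -> int:
    """Audit the request, then execute argv directly (no shell) or refuse it."""
    argv, reason = vet_command(line)
    if argv is None:
        log.warning("user=%s DENY line=%r reason=%s", user, line, reason)
        return 126  # conventional 'cannot execute' status
    log.info("user=%s ALLOW argv=%r", user, argv)
    return subprocess.run(argv, shell=False).returncode


if __name__ == "__main__":
    run_restricted("echo hello")
    run_restricted("echo () sh && echo")  # the line from the lshell issue, refused
```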