From: Gordon Tetlow
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Date: Wed, 7 Apr 2021 20:37:23 -0700
To: Stefan Blachmann
Cc: Shawn Webb, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, cperciva@freebsd.org
References: <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd> <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz> <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd> <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org>

> On Apr 7, 2021, at 7:50 PM, Stefan Blachmann wrote:
>
> Anything else is apparently deemed “allowed”.
> Spying out the machine and its configuration, sending that data to an
> external entity – perfectly OK. Not a problem at all.
>
> This has been proved by the handling of this last BSDstats security
> incident, where the FreeBSD “pkg” utility is being abused to run
> spyware without the users’ pre-knowledge and without their consent.
>
> This abuse is apparently being considered acceptable by both FreeBSD
> and HardenedBSD security officers.
> Instead of taking action, you "security officers" tell the FreeBSD
> users that it is their own guilt that they got “pwnd”.
> Just because they trustingly installed software from the package repo
> hosted by FreeBSD, without religiously-carefully auditing every and
> each package's pre- and postinstallation script before actual install,
> using the “pkg -I” option.

I do not consider it acceptable that this behavior is occurring. I'll quote to you what I said in my private email to you:

Running scripts at pre/post-install is a foundational design of packages. These scripts can do anything a shell script can do. If you are concerned about packages running scripts, I recommend changing the pkg setting:

     RUN_SCRIPTS: boolean
             Run pre-/post-installation action scripts.  Default: YES.

Change this in your /usr/local/etc/pkg.conf and you will not have pre/post install scripts running for your packages.

Another option, instead of changing the global default, is to use the pkg install -I switch, which will not run scripts for that installation.

As for the behavior of this specific package, I agree it is poor that it runs without user consent. Reading the pkg-install script, it appears it should ask consent; perhaps it is broken. I recommend taking it up with the port/package maintainer, scrappy@hub.org, whom I have added to this email.

I agree this should be fixed and is undesirable. Even the pkg maintainer, who is the person running the bsdstats website, is in agreement here. The difference is: I don't assume the maintainer has ill-will and it is the result of an oversight that will be fixed. There is a process to be followed and I am not comfortable wielding the security-officer hammer unless I see visible evidence the process is broken and requires me to intercede. We aren't there.
> Can it be ethically acceptable to put users at risk, for example by
> intentionally (?) not setting any limits to what extent installer
> scripts are allowed to collect sensitive user and system data and
> disclose them to interested third parties?

This is an interesting point. Unfortunately, the technology we have gives unfettered access to the system. I'm having a hard time thinking how we could achieve the goal of installing software (which in our model requires root privileges) while also limiting what it is allowed to do on said system. I'm not aware of any other package system (rpm, deb, etc) that has technical limits on pre/post installation scripts. If you are aware of any examples, I'd love to see them, to see if there is something we can incorporate. Patches, as always, are welcome to improve the system.

> This should imho be discussed in public, leading to the formulation of
> rules which might help enabling users to trust FreeBSD.
>
> [ Just to note: the porter of the package in question wrote me that it
> never was the intention to run the scripts without user consent. There
> must have happened something/some action by someone, which led to this
> behaviour. What actually happened, this can be analyzed.
> For me, what actually matters is not this particular incident, but the
> finding that spyware behavior of pre/postinstaller scripts is
> apparently generally deemed acceptable and not actionable, according
> to FreeBSD rules. So the problem is these rules, and not this last
> incident. ]

I disagree with your premise. For the record, I did take action, which was to escalate the problem to the port/pkg maintainer. It is their software and their responsibility. Please do not take my unwillingness to violate the maintainer's ownership of their port/pkg as unwillingness to deal with the issue. I would like the process to have a chance to work.
Lastly, your combative tone in reporting this issue is far from anything I would consider professional. I would ask that you give some consideration to your words in the hopes that you will understand that flaming me on the mailing list is unlikely to make me want to advocate for you.

Thanks,
Gordon
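One way to act on the advice in the thread, namely auditing a package's pre/post-install scripts before letting pkg run them (or skipping them with RUN_SCRIPTS / pkg install -I): an added example, not code from the thread, from pkg or from the bsdstats port. It assumes the package's +MANIFEST has already been pulled out of the downloaded archive (e.g. pkg fetch, then tar -xOf on the cached .pkg file to print +MANIFEST; that workflow and the JSON form of the UCL manifest are assumptions), and the sample manifest below is constructed for the demonstration.

```python
import json

# Phases pkg(8) runs as root on `pkg install` (unless RUN_SCRIPTS is false or
# `pkg install -I` is used); the remaining phases fire on deinstall/upgrade.
INSTALL_PHASES = ("pre-install", "install", "post-install")

# Commands whose presence means the script could send data off the host.
# A hit is a reason to read the script, not proof that it is malicious.
NETWORK_HINTS = ("fetch", "curl", "wget", "nc ", "mail ")


def parse_scripts(manifest_text):
    """Return the 'scripts' object of a +MANIFEST given in its JSON form."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts", {})
    if not isinstance(scripts, dict):
        raise ValueError("'scripts' in +MANIFEST must be an object")
    return {phase: str(body) for phase, body in scripts.items()}


def install_time_scripts(manifest_text):
    """Only the scripts that would execute during `pkg install`."""
    scripts = parse_scripts(manifest_text)
    return {p: scripts[p] for p in INSTALL_PHASES if p in scripts}


def network_hints(script):
    """Network-capable commands mentioned in a script body."""
    return [hint.strip() for hint in NETWORK_HINTS if hint in script]


def audit(manifest_text):
    """Per install phase: script length and any network-capable commands."""
    return {
        phase: {"lines": len(body.splitlines()), "network": network_hints(body)}
        for phase, body in install_time_scripts(manifest_text).items()
    }


# Constructed sample manifest (hypothetical package, not any real one): the
# post-install script reports the machine architecture to a remote host.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-stats",
    "version": "1.0",
    "scripts": {
        "post-install": "#!/bin/sh\n"
                        "fetch -q -o /dev/null https://stats.example.invalid/$(uname -m)\n",
        "pre-deinstall": "rm -f /var/db/example-stats.id\n",
    },
})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_MANIFEST), indent=2))
```

Only the phases that pkg would actually run at install time are reported, so a deinstall-only script does not show up in the review list.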