Date: Wed, 30 Nov 2005 09:55:24 +0100 (CET)
From: Ádám Szilveszter <adamsz@mailpont.hu>
To: freebsd-security@freebsd.org
Subject: Re: Reflections on Trusting Trust
Message-ID: <4155.193.68.33.1.1133340924.squirrel@193.68.33.1>
In-Reply-To: <438CE78F.303@freebsd.org>
References: <20051129120151.5A2FB16A420@hub.freebsd.org> <002601c5f4fa$b5115320$e403000a@rickderringer> <20051129232703.GA60060@xor.obsecurity.org> <438CE78F.303@freebsd.org>
On Wed, November 30, 2005 12:43 am, Colin Percival wrote:
> Even before you get to that point, you have to worry about making sure
> that the build clients are secure. One possibility which worries me a
> great deal is that a trojan in the build code for a low-profile port
> (e.g., misc/my-port-which-nobody-else-uses) could allow an attacker to
> gain control of a build client (and then insert trojans into packages
> which are built there).

Which practically begs the question: could we, pretty please, change the defaults and stop encouraging people from downloading distfiles and compiling them when using the ports tree as *root*? (shudder)

There is exactly zero reason for this that I can think of apart from some "well it's more convenient that way" arguments. With the current model of using ports (and packages too) every single BO or whatever in eg fetch or libfetch becomes a sure-fire remote root vulnerability, because all FreeBSD machines use fetch to retrieve stuff from random sites on the Internet (MASTERSITEs are all over the place) as root. A security worst-practice.

(Well, not all of them... I use a non-privileged user to do that, which is now becoming more and more practical, but earlier there used to be all kinds of nasties in the build processes of certain ports which you only noticed if you were non-root...)

(Of course, we could go even further and start compartmentalising access rights because eg a user with port-install rights should have no permission to touch the base system, in particular system binaries and the contents of /etc, but this would also require saying farewell to some really bizarre things like "openssh from ports overwriting the one in the base" which would be really a good idea btw.)

Best regards,
Sz.
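A privilege-separated ports workflow along the lines the post suggests, as an added illustration that is not code from the thread or from the FreeBSD project. It assumes a placeholder unprivileged account named portbuild and relies on the standard ports make targets and the DISTDIR and WRKDIRPREFIX variables.

```shell
#!/bin/sh
# Added illustration, not code from the thread or from FreeBSD:
# keep the network-facing and build stages of a port off uid 0 and
# reserve root for the final install step.
# Assumptions: an unprivileged account named "portbuild" exists
# (placeholder name) and /usr/ports is checked out.
PORTBUILD_USER="${PORTBUILD_USER:-portbuild}"
PORTBUILD_HOME="/home/$PORTBUILD_USER"

# Refuse to run fetch/extract/build when the effective uid is 0.
# $1 overrides the uid (handy for testing); default is the caller's.
require_unprivileged() {
    uid="${1:-$(id -u)}"
    if [ "$uid" -eq 0 ]; then
        echo "refusing to fetch or build as root" >&2
        return 1
    fi
    return 0
}

# Compose the make invocation for one untrusted stage of a port.
# DISTDIR and WRKDIRPREFIX point into the builder's home so nothing
# under the root-owned /usr/ports is written before install.
# $1: port origin (e.g. misc/some-port), $2: ports target name.
untrusted_stage_cmd() {
    printf 'make -C /usr/ports/%s DISTDIR=%s/distfiles WRKDIRPREFIX=%s/work %s\n' \
        "$1" "$PORTBUILD_HOME" "$PORTBUILD_HOME" "$2"
}

# Run fetch, checksum, extract, patch and build as the builder user,
# then install as root. The install stage (pkg-plist, pkg-install
# scripts) still runs with root privilege, so a malicious port can
# still do damage there; this only takes the download and the compile
# out of the root-exposed path.
build_port_separated() {
    origin="$1"
    for stage in fetch checksum extract patch build; do
        su -m "$PORTBUILD_USER" -c "$(untrusted_stage_cmd "$origin" "$stage")" || return 1
    done
    make -C "/usr/ports/$origin" WRKDIRPREFIX="$PORTBUILD_HOME/work" install
}
```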