From owner-freebsd-security@FreeBSD.ORG Wed Nov 30 08:55:33 2005
Date: Wed, 30 Nov 2005 09:55:24 +0100 (CET)
From: Ádám Szilveszter <adamsz@mailpont.hu>
To: freebsd-security@freebsd.org
Subject: Re: Reflections on Trusting Trust
Message-ID: <4155.193.68.33.1.1133340924.squirrel@193.68.33.1>
In-Reply-To: <438CE78F.303@freebsd.org>
References: <20051129120151.5A2FB16A420@hub.freebsd.org> <002601c5f4fa$b5115320$e403000a@rickderringer> <20051129232703.GA60060@xor.obsecurity.org> <438CE78F.303@freebsd.org>
User-Agent: SquirrelMail/1.4.3a
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Wed, 30 Nov 2005 08:55:33 -0000

On Wed, November 30, 2005 12:43 am, Colin Percival wrote:
> Even before you get to that point, you have to worry about making sure
> that the build clients are secure. One possibility which worries me a
> great deal is that a trojan in the build code for a low-profile port
> (e.g., misc/my-port-which-nobody-else-uses) could allow an attacker to
> gain control of a build client (and then insert trojans into packages
> which are built there).

Which practically begs the question: could we, pretty please, change the defaults and stop encouraging people to download distfiles and compile them as *root* when using the ports tree? (shudder)

There is exactly zero reason for this that I can think of apart from some "well it's more convenient that way" arguments. With the current model of using ports (and packages too) every single BO or whatever in e.g. fetch or libfetch becomes a sure-fire remote root vulnerability, because all FreeBSD machines use fetch to retrieve stuff from random sites on the Internet (MASTERSITEs are all over the place) as root. A security worst-practice.

(Well, not all of them... I use a non-privileged user to do that, which is now becoming more and more practical, but earlier there used to be all kinds of nasties in the build processes of certain ports which you only noticed if you were non-root...)

(Of course, we could go even further and start compartmentalising access rights because e.g. a user with port-install rights should have no permission to touch the base system, in particular system binaries and the contents of /etc, but this would also require saying farewell to some really bizarre things like "openssh from ports overwriting the one in the base", which would really be a good idea btw.)

Best regards,
Sz.
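The privilege-separated fetch the post argues for, as an added example that is not part of the original message or of the FreeBSD ports infrastructure: the download runs under a dedicated unprivileged account, the distfile is checked against a distinfo-style `SHA256 (name) = hex` line, and only a file that passes is handed to whatever later runs as root. The account name `portfetch`, the `DISTDIR` location and the `staged_fetch` / `verify_distfile` helper names are assumptions made for this example; `fetch(1)` is FreeBSD's own downloader.

```shell
#!/bin/sh
# Added example, not from the original post or the ports tree.
# Assumptions: an unprivileged account "portfetch" exists, DISTDIR is
# writable by it, and distinfo uses the "SHA256 (file) = hex" format.
set -u

DISTDIR="${DISTDIR:-/tmp/distfiles}"
FETCH_USER="${FETCH_USER:-portfetch}"   # assumed unprivileged account

# sha256_of FILE -> hex digest; GNU coreutils sha256sum or BSD sha256(1)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# expected_sha256 DISTINFO NAME -> digest recorded for NAME in DISTINFO
expected_sha256() {
    sed -n "s/^SHA256 ($2) = \([0-9a-f]*\)\$/\1/p" "$1"
}

# verify_distfile DISTINFO FILE -> 0 when FILE matches distinfo, 1 otherwise.
# A missing entry is a failure too: an unlisted file must never reach root.
verify_distfile() {
    distinfo=$1
    file=$2
    name=$(basename "$file")
    want=$(expected_sha256 "$distinfo" "$name")
    [ -n "$want" ] || { echo "no SHA256 entry for $name" >&2; return 1; }
    have=$(sha256_of "$file")
    [ "$have" = "$want" ] || { echo "checksum mismatch for $name" >&2; return 1; }
    return 0
}

# fetch_unprivileged URL -> download into DISTDIR, dropping root if we have it
fetch_unprivileged() {
    url=$1
    if [ "$(id -u)" -eq 0 ]; then
        su -m "$FETCH_USER" -c "fetch -o '$DISTDIR' '$url'"
    else
        fetch -o "$DISTDIR" "$url"
    fi
}

# staged_fetch DISTINFO URL -> 0 only when the file was fetched AND verified;
# the root-run extract/build step should be gated on this exit status.
staged_fetch() {
    distinfo=$1
    url=$2
    file="$DISTDIR/$(basename "$url")"
    fetch_unprivileged "$url" || return 1
    verify_distfile "$distinfo" "$file"
}
```

The point of the split is that a bug in `fetch`/`libfetch`, or a hostile MASTER_SITE, can at worst compromise the `portfetch` account and the contents of `DISTDIR`; a tampered file then fails `verify_distfile` before anything runs with root's privileges.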