From: Dewayne Geraghty
To: Stefan Blachmann, secteam@freebsd.org, emaste@freebsd.org, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Date: Thu, 8 Apr 2021 14:39:29 +1000

The prevailing paradigm is that a package install requires an affirming action in rc.conf. Neither of "man pkg-add" nor "pkg-install" explicitly states that an installed package will do other than perform installation and updating steps.
At best, it is implied that installation scripts are run by the existence of -I, which prevents installation scripts from running in both (pkg add, pkg install), but this is to *perform* an installation.

It must be noted that the porter's handbook states unambiguously that "Important: This script [Ed: during pkg add, pkg install] is here to help you set up the package so that it is as ready to use as possible. It must not be abused to start services, stop services, or run any other commands that will modify the currently running system."
Ref: https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html

I'd suggest that the man pages be updated to explicitly align with the porter's handbook, as installation does not imply consent to execute.

Stefan, I've been involved in quite a few privacy breaches (from a server perspective) so I appreciate the elevated level of concern. I'd suggest that you review https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504&qid=1532348683434 as the GDPR relates to natural persons and data pertaining to them. The transmission of data pertaining to applications and their version may be a security risk, but it isn't a breach against a natural person's privacy. However, as a data controller you may have an obligation IF you have installed bsdstats onto individual workstations/PCs, as I suspect that this falls under the personal data related to an individual, hence subject to data protection rules.

To avoid unnecessary disclosure, as I see no reason to share information with hacking entities, I'm sharing my /etc/periodic.conf:

    monthly_statistics_enable="YES"
    monthly_statistics_report_devices="YES"
    monthly_statistics_report_ports="NO"

Kind regards,
Dewayne
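As an added example (not part of Dewayne's message or of pkg itself), a small POSIX sh helper that lists the install-time script hooks embedded in a pkg archive's +MANIFEST and prints one of them for review, so an administrator can see what would run before deciding whether to pass -I. It assumes the manifest is the usual JSON-style form whose "scripts" object is keyed by hook name (pre-install, post-install, and so on), and it builds a constructed sample archive instead of using a real package.

```shell
#!/bin/sh
# Added example, not from the original message: inspect a pkg(8) archive
# for install-time script hooks before running "pkg add" with or without -I.
# Assumption: the +MANIFEST member is the JSON-style manifest whose
# "scripts" object is keyed by hook name (pre-install, post-install, ...).
set -eu

# List the script hook names present in the archive's manifest, one per line.
# Prints nothing when the package carries no scripts.
pkg_script_hooks() {
    tar -xOf "$1" '+MANIFEST' \
        | grep -oE '"(pre-|post-)?(install|deinstall|upgrade)":' \
        | tr -d '":' \
        | sort -u || true
}

# Print the body of one hook script (e.g. post-install), decoding the JSON
# "\n" escapes so it reads as the shell script pkg would execute.
pkg_show_script() {
    body=$(tar -xOf "$1" '+MANIFEST' \
        | sed -nE 's/.*"'"$2"'":"(([^"\\]|\\.)*)".*/\1/p')
    printf '%b' "$body"
}

# Exit status 0 if the package would run no scripts at all, 1 otherwise.
pkg_is_scriptless() {
    [ -z "$(pkg_script_hooks "$1")" ]
}

# Constructed sample archive standing in for a package from a repository:
# its post-install script does exactly what the porter's handbook forbids.
make_sample_pkg() {
    dir=$(mktemp -d)
    printf '%s' '{"name":"demo","version":"1.0","scripts":{"post-install":"#!/bin/sh\nservice demo start\n"}}' \
        > "$dir/+MANIFEST"
    tar -cf "$dir/demo-1.0.pkg" -C "$dir" '+MANIFEST'
    echo "$dir/demo-1.0.pkg"
}

pkg=$(make_sample_pkg)
echo "hooks in $pkg:"
pkg_script_hooks "$pkg"
echo "--- post-install body ---"
pkg_show_script "$pkg" post-install
```

On a real system, point pkg_script_hooks at a file fetched with "pkg fetch" to review its hooks before installing.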