From owner-freebsd-security@freebsd.org Thu Apr 8 02:50:22 2021
From: Stefan Blachmann
Date: Thu, 8 Apr 2021 04:50:17 +0200
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
To: Gordon Tetlow
Cc: Shawn Webb, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team, Ed Maste, FreeBSD-security@freebsd.org, cperciva@freebsd.org
In-Reply-To: <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org>
References: <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd> <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz> <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd> <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org>
List-Id: "Security issues [members-only posting]"

The answers I got from both "Security Officers" surprised me so much that I had to let that settle a bit to understand the implications.

Looking at the FreeBSD Porters' Handbook [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html], it describes the purpose of the package pre- and postinstallation scripts as to "set up the package so that it is as ready to use as possible". It explicitly names only a few actions that are forbidden for them to do: "...must not be abused to start services, stop services, or run any other commands that will modify the currently running system."

Anything else is apparently deemed "allowed". Spying out the machine and its configuration, sending that data to an external entity – perfectly OK. Not a problem at all.

This has been proved by the handling of this last BSDstats security incident, where the FreeBSD "pkg" utility is being abused to run spyware without the users' pre-knowledge and without their consent.

This abuse is apparently being considered acceptable by both FreeBSD and HardenedBSD security officers. Instead of taking action, you "security officers" tell the FreeBSD users that it is their own guilt that they got "pwnd", just because they trustingly installed software from the package repo hosted by FreeBSD, without religiously and carefully auditing each and every package's pre- and postinstallation script before the actual install, using the "pkg -I" option.

Indeed, I felt very surprised that the "Security Officer" of "Hardened BSD" chimed in, only to publicly demonstrate his lack of competence to recognize obvious security problems. Like two fish caught with a single hook!

Are you "Security Officers" aware that you basically are tearing down any trust that conventional, non-big-corporate users without a large IT staff of their own can have in FreeBSD?

So, I believe that not only the reasons that made the Wireguard debacle possible need to be discussed. This discussion should not occur in hermetic private circles, but in public places like /r/freebsd, IT news outlets and other competent and independent media. Not only Wireguard needs to be discussed, but also things like the responsibility for software that is not part of the base system, but is nevertheless distributed by the FreeBSD organization.

Can it be ethically acceptable to put users at risk, for example by intentionally (?) not setting any limits to what extent installer scripts are allowed to collect sensitive user and system data and disclose them to interested third parties?

This should imho be discussed in public, leading to the formulation of rules which might help enable users to trust FreeBSD.

[ Just to note: the porter of the package in question wrote me that it never was the intention to run the scripts without user consent. Something, or some action by someone, must have happened which led to this behaviour. What actually happened can be analyzed. For me, what actually matters is not this particular incident, but the finding that spyware behavior of pre/postinstaller scripts is apparently generally deemed acceptable and not actionable, according to FreeBSD rules. So the problem is these rules, and not this last incident. ]

On 4/6/21, Gordon Tetlow wrote:
> On Apr 6, 2021, at 7:42 AM, Shawn Webb wrote:
>>
>> On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote:
>>> On 06/04/2021 16:27, Shawn Webb wrote:
>>>
>>>> 1. BSDStats isn't run/maintained by the FreeBSD project. File the
>>>> report with the BSDStats project, not FreeBSD.
>>>> 2. You install a package that is made to submit statistical data.
>>>> 3. You're upset that it submits statistical data?
>>>
>>> The problem here is that it collects and sends data right at the install
>>> time. It is really unexpected to run an installed package without user
>>> consent. If you install Apache, MySQL or any other package, the command /
>>> daemon is not run by the "pkg install" command.
>>> This must be avoided.
>>
>> It's probably easier to submit a patch than it is to write a
>> lolwut-type email. All you gotta do is rm the post-install script.
>> Also `pkg install` has the -I option. But whatever, let the lolwut
>> mentality prevail!
>
> I had a conversation on the side with the requestor. In short, there is
> already a patch to address this issue in
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152
> . Not sure why it hasn't been committed yet, but hopefully it gets picked
> up shortly.
>
> Gordon
>