Date: Sat, 14 Jan 2017 02:32:27 +0100
From: Roland Smith <rsmith@xs4all.nl>
To: Damien Fleuriot <ml@my.gd>
Cc: "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: [ports] finding an orphan to maintain
Message-ID: <20170114013227.GA69119@slackbox.erewhon.home>
In-Reply-To: <CAE63ME4Eos_RdEA_vnmDS7XRAeoyPm3uiqbC=0To3j93kd7+0Q@mail.gmail.com>
References: <CAE63ME592BgZdTdOHr3eM-=3Vf5WZfOQ1gp4Vuqm9uM5Gbg9HQ@mail.gmail.com>
 <20170111110634.GB53285@slackbox.erewhon.home>
 <CAE63ME63yh_PBQH9SaivM3C+-XKG0XE=XYFBNUFAafMc-3s6uw@mail.gmail.com>
 <20170112164708.GA73939@slackbox.erewhon.home>
 <CAE63ME4Eos_RdEA_vnmDS7XRAeoyPm3uiqbC=0To3j93kd7+0Q@mail.gmail.com>
On Thu, Jan 12, 2017 at 09:21:16PM +0100, Damien Fleuriot wrote:
> On 12 January 2017 at 17:47, Roland Smith <rsmith@xs4all.nl> wrote:
> > On Wed, Jan 11, 2017 at 12:53:02PM +0100, Damien Fleuriot wrote:
> >> Thanks for the additional input Roland.
> >>
> >> I currently have my eye on shells/lshell, which we use here on
> >> 10-STABLE for PCI-DSS compliance (restricting and logging commands).
> >
> > In this case you might want to look at auditing;
> > https://www.freebsd.org/doc/handbook/audit.html
> >
> > While the handbook explains how it works, I haven't really found good examples
> > of its use.
> >
>
> I thank you for the input and have indeed already looked at auditd.
>
> While it does provide very good logging, it only answers one of the
> prerequisites, logging, not actual command restriction.

There is another (somewhat heavy-handed) approach to restricting commands.
You could copy binaries for allowed programs to a special directory (to be put
in $PATH) and remove read/execute access for others from the normal `bin` directories.

> We do have another constraint which is that the software be portable
> to linux as well, so as to not maintain 2 different sets of
> logging/restriction stacks.

I thought OpenBSM was ported to Linux, but it seems to miss auditd because of
kernel support. Pity.

> >> It so happens the current (0.9.16_2) version on FreeBSD suffers from a
> >> nasty case of shell escape:
> >> https://github.com/ghantoos/lshell/issues/151
> >> root:~$ echo () sh && echo
> >> #
> >> ^-- uh oh...
> >
> > Oops.
> >
> > Looking at the discussion of the issue, I get the impression that there are
> > some fundamental problems with the way lshell parses and executes commands.
> >
>
> Aye, bug reporter seems quite adamant that, quote, the software is
> entirely broken. Not a good sign.
And I think he has a point, seeing how lshell uses Python's subprocess module.

> >> I cannot seem to reproduce when using the latest master branch, and am
> >> seeking confirmation in the bug thread that I'm actually trying to
> >> reproduce correctly.
> >>
> >> If it should transpire that the problem is indeed fixed in the master,
> >> I shall try and update the port to the latest version.
> >
> > The port now uses SourceForge, which is getting a bad reputation these days
> > for adding crap to binary installers. This is probably not an issue with
> > tarballs, but it makes me wonder if they are still trustworthy. You might
> > want to consider switching to github. If you do, read
> > /usr/ports/Mk/bsd.sites.mk on how to properly do that in the port Makefile.
> >
>
> When (if) I manage to get Poudriere up and running (it's currently
> bitching about missing /usr/local/share/poudriere/jail.sh), I shall be
> able to submit run tests for a patched version of shells/lshell.

For just one port, bringing up Poudriere is surely overkill?

My workflow for modifying a port is generally as follows (using sysutils/conky
as an example):

> mkdir scratch
> cd scratch/
> cp -Rp /usr/ports/sysutils/conky .
> cp -Rp /usr/ports/sysutils/conky conky.orig
> cd conky/

[Make whatever changes necessary, then run the following tests (from the
Porters Handbook) *as a normal user*, unless otherwise (#) indicated]

> make stage
> make check-orphans
> make package
> portlint .
# make install
# make deinstall
# pkg add package-filename
# pkg delete package-filename

When all this works,

# make clean
> cd ..
> diff -ruN conky.orig/ conky/ > patch-for-conky.diff

Attach the diff to a PR.

> The aim is to bring it up to upstream from github at version 0.9.18.
>
> Sadly a lot of vulns were patched since 0.9.18 and there is no further
> release tag.
>
> I've asked for one today, wait and see.
The documentation for github in bsd.sites.mk states that you can use a hash
from a commit as a GH_TAGNAME.

Roland
-- 
R.F.Smith                                   http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 5753 3324 1661 B0FE 8D93 FCED 40F6 D5DC A38A 33E0 (keyID: A38A33E0)
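The escape quoted in this message, `echo () sh && echo`, is an instance of a general restricted-shell failure: the allow-list is checked against the first word of the line, but the whole line is then handed to a shell that re-parses it, so a function definition whose name is an allowed command smuggles in any body at all. The script below is an added example written for this page; it is not lshell's code and was not posted in the thread. The allow-list, the two runner functions and the constructed payload (the reported escape, with a non-interactive function body in place of `sh` so that it can run unattended) are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not lshell's code: a first-word allow-list is no restriction
# when the entire line is still handed to a shell that re-parses it.
# ALLOWED, naive_run and strict_run are assumptions for this demonstration.

ALLOWED="echo ls date"

in_allowlist() {                      # $1 = command word
    for a in $ALLOWED; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# The pattern behind the bug report: inspect the first word, then let
# `sh -c` interpret the whole line.  "echo () { ...; } && echo" passes the
# check (first word "echo") and then redefines echo as a shell function.
naive_run() {
    line=$1
    set -f; set -- $line; set +f      # split into words, no globbing
    in_allowlist "$1" || { printf 'denied: %s\n' "$1" >&2; return 1; }
    sh -c "$line"                     # the mistake: a shell re-parses the line
}

NL='
'
# Hardened variant: refuse every character sh would interpret, build the
# argv ourselves, check argv[0], then run it with no shell in between.
strict_run() {
    line=$1
    case $line in
        *\;*|*\&*|*\|*|*\<*|*\>*|*\(*|*\)*|*\$*|*\`*|*\'*|*\"*|*\\*|*\{*|*\}*|*\**|*\?*|*\[*|*\]*|*~*|*"$NL"*)
            printf 'denied: shell metacharacter in: %s\n' "$line" >&2
            return 1 ;;
    esac
    set -f; set -- $line; set +f
    in_allowlist "$1" || { printf 'denied: %s\n' "$1" >&2; return 1; }
    "$@"                              # argv is passed as-is, never re-parsed
}

# Constructed input: the bug report's `echo () sh && echo`, with a
# non-interactive function body in place of sh so it runs unattended.
PAYLOAD='echo () { printf ESCAPED; } && echo'

printf 'naive:  '; naive_run "$PAYLOAD"; echo
printf 'strict: '; strict_run "$PAYLOAD" || echo '(refused)'
```

Run with any POSIX sh. `naive_run` prints ESCAPED even though `printf` never appears in the allow-list, because the child shell honours the function definition before the allow-listed `echo` is ever reached; `strict_run` refuses the same line on the `(` before anything executes, and hands an accepted argv straight to the program. The directory-of-copied-binaries approach Roland describes turns the allow-list from a string in a script into a filesystem fact: resolve argv[0] inside that directory instead of comparing it against ALLOWED, and the set of runnable programs is whatever root chose to copy there.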