From: Roland Smith <rsmith@xs4all.nl>
To: Damien Fleuriot
Cc: freebsd-questions@freebsd.org
Subject: Re: [ports] finding an orphan to maintain
Date: Sat, 14 Jan 2017 02:32:27 +0100
Message-ID: <20170114013227.GA69119@slackbox.erewhon.home>
On Thu, Jan 12, 2017 at 09:21:16PM +0100, Damien Fleuriot wrote:
> On 12 January 2017 at 17:47, Roland Smith wrote:
> > On Wed, Jan 11, 2017 at 12:53:02PM +0100, Damien Fleuriot wrote:
> >> Thanks for the additional input Roland.
> >>
> >> I currently have my eye on shells/lshell, which we use here on
> >> 10-STABLE for PCI-DSS compliance (restricting and logging commands).
> >
> > In this case you might want to look at auditing;
> > https://www.freebsd.org/doc/handbook/audit.html
> >
> > While the handbook explains how it works, I haven't really found good examples
> > of its use.
> >
>
> I thank you for the input and have indeed already looked at auditd.
>
> While it does provide very good logging, it only answers one of the
> prerequisites, logging, not actual command restriction.

There is another (somewhat heavy-handed) approach to restricting commands.
You could copy binaries for allowed programs to a special directory (to be put
in $PATH) and remove read/execute access for others from the normal `bin`
directories.

> We do have another constraint which is that the software be portable
> to linux as well, so as to not maintain 2 different sets of
> logging/restriction stacks.

I thought OpenBSM was ported to Linux, but it seems to miss auditd because of
kernel support. Pity.

> >> It so happens the current (0.9.16_2) version on FreeBSD suffers from a
> >> nasty case of shell escape :
> >> https://github.com/ghantoos/lshell/issues/151
> >> root:~$ echo () sh && echo
> >> #
> >> ^-- uh oh...
> >
> > Oops.
> >
> > Looking at the discussion of the issue, I get the impression that there are
> > some fundamental problems with the way lshell parses and executes commands.
> >
>
> Aye, bug reporter seems quite adamant that, quote, the software is
> entirely broken.

Not a good sign. And I think he has a point, seeing how lshell uses Python's
subprocess module.

> >> I cannot seem to reproduce when using the latest master branch, and am
> >> seeking confirmation in the bug thread that I'm actually trying to
> >> reproduce correctly.
> >>
> >> If it should transpire that the problem is indeed fixed in the master,
> >> I shall try and update the port to the latest version.
> >
> > The port now uses SourceForge, which is getting a bad reputation these days
> > for adding crap to binary installers. This is probably not an issue with
> > tarballs, but it makes me wonder if they are still trustworthy. You might
> > want to consider switching to github. If you do, read
> > /usr/ports/Mk/bsd.sites.mk on how to properly do that in the port Makefile.
> >
>
> When (if) I manage to get Poudriere up and running (it's currently
> bitching about missing /usr/local/share/poudriere/jail.sh), I shall be
> able to submit run tests for a patched version of shells/lshell.

For just one port, bringing up Poudriere is surely overkill?

My workflow for modifying a port is generally as follows (using sysutils/conky
as an example):

> mkdir scratch
> cd scratch/
> cp -Rp /usr/ports/sysutils/conky .
> cp -Rp /usr/ports/sysutils/conky conky.orig
> cd conky/

[Make whatever changes necessary, then run the following tests (from the
Porters Handbook) *as a normal user*, unless otherwise (#) indicated]

> make stage
> make check-orphans
> make package
> portlint .
# make install
# make deinstall
# pkg add package-filename
# pkg delete package-filename

When all this works,

# make clean
> cd ..
> diff -ruN conky.orig/ conky/ > patch-for-conky.diff

Attach the diff to a PR.
> The aim is to bring it up to upstream from github at version 0.9.18.
>
> Sadly a lot of vulns were patched since 0.9.18 and there is no further
> release tag.
>
> I've asked for one today, wait and see.

The documentation for github in bsd.sites.mk states that you can use a hash
from a commit as a GH_TAGNAME.

Roland
-- 
R.F.Smith                                   http://rsmith.home.xs4all.nl/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 5753 3324 1661 B0FE 8D93 FCED 40F6 D5DC A38A 33E0 (keyID: A38A33E0)
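The scratch-copy, test and diff workflow Roland lays out above, wrapped into POSIX sh functions as an added example (this is not code from the message or from the ports tree). It assumes a PORTSDIR variable that defaults to /usr/ports and can be pointed at a throwaway tree; the function names port_scratch, port_check_user, port_check_root and port_diff are this example's own.

```shell
#!/bin/sh
# Added example (not from the message or the ports tree): the scratch-copy,
# test and diff steps from the workflow above, as reusable functions.
# Assumption: PORTSDIR defaults to /usr/ports but may be overridden, e.g. to a
# throwaway tree when exercising the functions outside a real ports checkout.

PORTSDIR="${PORTSDIR:-/usr/ports}"

# port_scratch <category/port> <scratchdir>
# Makes a working copy and a pristine <name>.orig copy of the port inside
# scratchdir (the two `cp -Rp` steps) and prints the working copy's path.
port_scratch() {
    port="$1"; scratch="$2"
    name="${port##*/}"
    [ -d "$PORTSDIR/$port" ] || { echo "no such port: $PORTSDIR/$port" >&2; return 1; }
    mkdir -p "$scratch" || return 1
    cp -Rp "$PORTSDIR/$port" "$scratch/$name" || return 1
    cp -Rp "$PORTSDIR/$port" "$scratch/$name.orig" || return 1
    echo "$scratch/$name"
}

# port_check_user <workdir>
# The Porter's Handbook checks that run as a normal user; stops at the first
# failing step so its exit status is the one you see.
port_check_user() {
    ( cd "$1" && make stage && make check-orphans && make package && portlint . )
}

# port_check_root <workdir> <package-file> <package-name>
# The install/deinstall round trip that needs root (the '#' prompt lines).
# pkg add takes the package file, pkg delete takes the package name.
port_check_root() {
    ( cd "$1" && make install && make deinstall \
        && pkg add "$2" && pkg delete -y "$3" && make clean )
}

# port_diff <scratchdir> <name>
# Writes patch-for-<name>.diff next to the two copies and prints its path.
# diff -ruN exits 1 when the trees differ, which is the expected outcome of
# this step, so only an exit status above 1 is treated as an error.
port_diff() {
    scratch="$1"; name="$2"
    rc=0
    ( cd "$scratch" && diff -ruN "$name.orig/" "$name/" > "patch-for-$name.diff" ) || rc=$?
    [ "$rc" -le 1 ] || return "$rc"
    echo "$scratch/patch-for-$name.diff"
}
```

A typical run is `work=$(port_scratch sysutils/conky scratch)`, edit the files under `$work`, `port_check_user "$work"`, the root checks, then `port_diff scratch conky` to get the file to attach to the PR. port_check_root takes the package name separately because `pkg delete` works on installed package names rather than on files.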