Date: Wed, 30 Nov 2005 13:36:10 +0100 From: Andreas Nemeth <andreas.nemeth@aporem.net> To: freebsd-security@freebsd.org Subject: Re: Reflections on Trusting Trust Message-ID: <200511301336.10782.andreas.nemeth@aporem.net> In-Reply-To: <4155.193.68.33.1.1133340924.squirrel@193.68.33.1> References: <20051129120151.5A2FB16A420@hub.freebsd.org> <438CE78F.303@freebsd.org> <4155.193.68.33.1.1133340924.squirrel@193.68.33.1>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wednesday 30 November 2005 09:55, =C1d=E1m Szilveszter wrote: > Which practically begs the question: could we, pretty please, change the > defaults and stop encouraging people from downloading distfiles and > compiling them when using the ports tree as *root*? (shudder) There is > exactly zero reason for this that I can think of apart from some "well > it's more convenient that way" arguments. With the current model of using > ports (and packages too) every single BO or whatever in eg fetch or > libfetch becomes a sure-fire remote root vulnerability, because all > FreeBSD machines use fetch to retrieve stuff from random sites on the > Internet (MASTERSITEs are all over the place) as root. A security > worst-practice.=20 Second that. But I feel a little uneasy about making /usr/ports/ group=20 writeable for wheel or giving it to a "normal" user on the system. What about creating a user called "ports" or something more compelling? Mos= t=20 daemons have their own uids, so why not "the daemon" for downloading an=20 compiling? > (Of course, we could go even further and start compartmentalising access > rights because eg a user with port-install rights should have no > permission to touch the base system, in partcular system binaries and the > contents of /etc, but this would also require saying farewell to some > really bizarre things like "openssh from ports overwriting the one in the > base" which would be really a good idea btw.) And what about the +INSTALL and +DEINSTALL scripts, some ports want to run?= =20 Those I've seen, ensure that a certain user exists. Therefore they roam=20 around in /etc. BTW, those scripts fail (of course), if /tmp is mounted with the noexec=20 option. So the nightmare begins with root re-mounting /tmp rw, fetching the= =20 distfiles and storing and executing shell scripts on /tmp... > Best regards, > Sz. Best regards, Andreas
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200511301336.10782.andreas.nemeth>