From owner-freebsd-security@FreeBSD.ORG Wed Nov 30 12:39:45 2005
From: Andreas Nemeth
To: freebsd-security@freebsd.org
Date: Wed, 30 Nov 2005 13:36:10 +0100
Subject: Re: Reflections on Trusting Trust
In-Reply-To: <4155.193.68.33.1.1133340924.squirrel@193.68.33.1>
References: <20051129120151.5A2FB16A420@hub.freebsd.org> <438CE78F.303@freebsd.org> <4155.193.68.33.1.1133340924.squirrel@193.68.33.1>
Message-Id: <200511301336.10782.andreas.nemeth@aporem.net>
List-Id: "Security issues [members-only posting]"

On Wednesday 30 November 2005 09:55, Ádám Szilveszter wrote:
> Which practically begs the question: could we, pretty please, change the
> defaults and stop encouraging people from downloading distfiles and
> compiling them when using the ports tree as *root*? (shudder) There is
> exactly zero reason for this that I can think of apart from some "well
> it's more convenient that way" arguments. With the current model of using
> ports (and packages too) every single BO or whatever in eg fetch or
> libfetch becomes a sure-fire remote root vulnerability, because all
> FreeBSD machines use fetch to retrieve stuff from random sites on the
> Internet (MASTERSITEs are all over the place) as root. A security
> worst-practice.

Second that. But I feel a little uneasy about making /usr/ports/ group
writeable for wheel or giving it to a "normal" user on the system.

What about creating a user called "ports" or something more compelling? Most
daemons have their own uids, so why not "the daemon" for downloading and
compiling?

> (Of course, we could go even further and start compartmentalising access
> rights because eg a user with port-install rights should have no
> permission to touch the base system, in particular system binaries and the
> contents of /etc, but this would also require saying farewell to some
> really bizarre things like "openssh from ports overwriting the one in the
> base" which would be really a good idea btw.)

And what about the +INSTALL and +DEINSTALL scripts some ports want to run?
Those I've seen ensure that a certain user exists. Therefore they roam
around in /etc.

BTW, those scripts fail (of course) if /tmp is mounted with the noexec
option. So the nightmare begins with root re-mounting /tmp rw, fetching the
distfiles and storing and executing shell scripts on /tmp...

> Best regards,
> Sz.

Best regards,
Andreas
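The two conditions the message turns on, whether /tmp is mounted noexec (which breaks +INSTALL scripts that execute from there) and whether the ports tree is owned by root rather than a dedicated unprivileged account, can be audited before anyone is tempted to remount /tmp. The script below is an added example and is not from this thread or from FreeBSD itself; it assumes FreeBSD's `mount` output format (`device on mountpoint (fstype, opt, opt)`) and works on a constructed sample of that output so it runs offline. The function and sample names (`has_option`, `audit`, `SAMPLE_MOUNT`) are the example's own.

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): audit the two settings
# discussed above on constructed input. Assumed FreeBSD mount(8) line format:
#   /dev/ada0p3 on /tmp (ufs, local, noexec, soft-updates)

# has_option MOUNTPOINT OPTION   (mount output on stdin)
# Exit 0 when the file system mounted at MOUNTPOINT carries OPTION.
has_option() {
    awk -v mp="$1" -v opt="$2" '
        $3 == mp {
            s = $0
            sub(/^[^(]*\(/, "", s)      # drop everything up to "("
            sub(/\)$/, "", s)           # drop trailing ")"
            n = split(s, a, ", *")      # comma-separated option list
            for (i = 1; i <= n; i++) if (a[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# audit MOUNT_OUTPUT PORTS_TREE_OWNER
# Prints one finding per line; the caller decides what to do about them.
audit() {
    mounts="$1"; owner="$2"
    if printf '%s\n' "$mounts" | has_option /tmp noexec; then
        echo "tmp: noexec set; +INSTALL scripts that exec from /tmp will fail"
    else
        echo "tmp: exec allowed"
    fi
    if [ "$owner" = root ]; then
        echo "ports: tree owned by root; fetch and build run fully privileged"
    else
        echo "ports: tree owned by unprivileged user $owner"
    fi
}

# Constructed sample (not captured from a real host).
SAMPLE_MOUNT='/dev/ada0p2 on / (ufs, local, soft-updates)
/dev/ada0p3 on /tmp (ufs, local, noexec, nosuid, soft-updates)
/dev/ada0p4 on /usr (ufs, local, soft-updates)'

# On a live FreeBSD host one would instead run:
#   audit "$(mount)" "$(stat -f %Su /usr/ports)"
audit "$SAMPLE_MOUNT" root
```

The ownership check deliberately reports rather than fixes: whether a dedicated "ports" user, a wheel-writable tree, or the status quo is right is the policy question the thread is arguing about, and the script only makes the current state visible.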