Date:      Thu, 8 Apr 2021 07:35:33 -0600
From:      Chris BeHanna <chris@behanna.org>
To:        Stefan Blachmann <sblachmann@gmail.com>
Cc:        Gordon Tetlow <gordon@tetlows.org>, Shawn Webb <shawn.webb@hardenedbsd.org>, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team <secteam@freebsd.org>, Ed Maste <emaste@freebsd.org>, FreeBSD-security@freebsd.org, cperciva@freebsd.org
Subject:   Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID:  <7079A789-03C3-4986-95A8-100252FDD9AD@behanna.org>
In-Reply-To: <CACc-My2PMzaiwqZUnTEhzKY5U3n0GzjOXMmsgPEVjf5Zyn4F4w@mail.gmail.com>
References:  <CACc-My1b32PLyeOU4hMDCBGaVzU1GLSrgAft95zMb5U7p7eRwQ@mail.gmail.com> <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd> <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz> <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd> <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org> <CACc-My2PMzaiwqZUnTEhzKY5U3n0GzjOXMmsgPEVjf5Zyn4F4w@mail.gmail.com>

On Apr 7, 2021, at 8:50 PM, Stefan Blachmann <sblachmann@gmail.com> wrote:
> 
> The answers I got from both "Security Officers" surprised me so much
> that I had to let that settle a bit to understand the implications.
> 
> Looking at the FreeBSD Porters' Handbook
> [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html],
> it describes the purpose of the package pre- and postinstallation
> scripts as to "set up the package so that it is as ready to use as
> possible".
> 
> It explicitly names only a few actions that are forbidden for them to
> do: "...must not be abused to start services, stop services, or run
> any other commands that will modify the currently running system."
> 
> Anything else is apparently deemed “allowed”.
> Spying out the machine and its configuration, sending that data to an
> external entity – perfectly OK. Not a problem at all.
> 
> This has been proved by the handling of this last BSDstats security
> incident, where the FreeBSD “pkg” utility is being abused to run
> spyware without the users’ pre-knowledge and without their consent.
> 
> This abuse is apparently being considered acceptable by both FreeBSD
> and HardenedBSD security officers.
> Instead of taking action, you "security officers" tell the FreeBSD
> users that it is their own guilt that they got “pwnd”.

This is an incredibly dishonest summary of their responses to you. Gordon in particular wrote that it is NOT acceptable; however, rather than smash down the port's maintainer with the Security Officer sledgehammer, he preferred to give the maintainer some time to address the problem.

-- 
Chris BeHanna
chris@behanna.org