Date: Thu, 8 Apr 2021 08:45:16 -0500
From: Kyle Evans <kevans@freebsd.org>
To: Chris BeHanna <chris@behanna.org>
Cc: Stefan Blachmann <sblachmann@gmail.com>, Gordon Tetlow <gordon@tetlows.org>, Shawn Webb <shawn.webb@hardenedbsd.org>, Miroslav Lachman <000.fbsd@quip.cz>, FreeBSD Security Team <secteam@freebsd.org>, Ed Maste <emaste@freebsd.org>, FreeBSD-security@freebsd.org, Colin Percival <cperciva@freebsd.org>
Subject: Re: Security leak: Public disclosure of user data without their consent by installing software via pkg
Message-ID: <CACNAnaGywzZ33ReEjEJTR0EdYy8MhZVpE1nMzTbgAj=HrAF%2BNQ@mail.gmail.com>
In-Reply-To: <7079A789-03C3-4986-95A8-100252FDD9AD@behanna.org>
References: <CACc-My1b32PLyeOU4hMDCBGaVzU1GLSrgAft95zMb5U7p7eRwQ@mail.gmail.com> <20210406142735.nbearpqiqz3wyrmd@mutt-hbsd> <6fcb2d1a-929e-c1fe-0273-42858ec547ec@quip.cz> <20210406144222.gbgjcc7jsozsl2m2@mutt-hbsd> <410E4486-F9CF-41C3-9396-BD307AF2325F@tetlows.org> <CACc-My2PMzaiwqZUnTEhzKY5U3n0GzjOXMmsgPEVjf5Zyn4F4w@mail.gmail.com> <7079A789-03C3-4986-95A8-100252FDD9AD@behanna.org>

On Thu, Apr 8, 2021 at 8:35 AM Chris BeHanna <chris@behanna.org> wrote:
>
> On Apr 7, 2021, at 8:50 PM, Stefan Blachmann <sblachmann@gmail.com> wrote:
> >
> > The answers I got from both "Security Officers" surprised me so much
> > that I had to let that settle a bit to understand the implications.
> >
> > Looking at the FreeBSD Porters' Handbook
> > [https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html],
> > it describes the purpose of the package pre- and postinstallation
> > scripts as to "set up the package so that it is as ready to use as
> > possible".
> >
> > It explicitly names only a few actions that are forbidden for them to
> > do: "...must not be abused to start services, stop services, or run
> > any other commands that will modify the currently running system."
> >
> > Anything else is apparently deemed “allowed”.
> > Spying out the machine and its configuration, sending that data to an
> > external entity – perfectly OK. Not a problem at all.
> >
> > This has been proved by the handling of this last BSDstats security
> > incident, where the FreeBSD “pkg” utility is being abused to run
> > spyware without the users’ pre-knowledge and without his content.
> >
> > This abuse is apparently being considered acceptable by both FreeBSD
> > and HardenedBSD security officers.
> > Instead of taking action, you "security officers" tell the FreeBSD
> > users that it is their own guilt that they got “pwnd”.
>
> This is an incredibly dishonest summary of their responses to you.
> Gordon in particular wrote that it is NOT acceptable; however, rather
> than smash down the port's maintainer with the Security Officer
> sledgehammer, he preferred to give the maintainer some time to address
> the problem.
>

+1. Both of these reactions are way out of proportion, and Gordon's
response was 100% the right thing to do. By his own admission he
responded and looped in the port maintainer to the additional context,
which is how it should be handled.
If so@ smacked everyone that intentionally or unintentionally (as the
case is here, clearly) did something that secteam's attention was
raised to, then we would end up with a security officer that nobody on
the project is willing to work with and their job becomes that much
more difficult.

Thanks,

Kyle Evans
