From owner-freebsd-security@FreeBSD.ORG Fri Apr 11 16:08:27 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0E94A4EC; Fri, 11 Apr 2014 16:08:27 +0000 (UTC) Received: from mail-wg0-x22c.google.com (mail-wg0-x22c.google.com [IPv6:2a00:1450:400c:c00::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id F3B3A1C51; Fri, 11 Apr 2014 16:08:25 +0000 (UTC) Received: by mail-wg0-f44.google.com with SMTP id m15so5638573wgh.27 for ; Fri, 11 Apr 2014 09:08:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=CqSMelqTORavYfflG3kn+1HnOsNSkNL4JbrZSZu2+3U=; b=SizQxK/yE7ckERzn2FHiAbnF4fhrj9kd1JiNfeRxg49jQM22UsBngYttfdvH/5uVBX YHCdqEFC+0YOz0wgmhYLpqbNHD+iiIdb65c/LPL18G2POKXWANUAcUvZfugKjhcr7Zyu bCcwSnLPBOilaMUkH91CKlOdHMsfqvD9gix69mGWjTxoNWnQtLKhfEqavC0/rqsebSMw jyPAxvFrufrTL+v2FYWGMIx6p703jDVRHgOoxwqzBWHYh+VR8rBZhoMzPjBi27cplG6D SIFlHsuD5tDgZ/CyG8t0pzLVa15hJ1nmTRmBP34DHhMtCSvSjNR1Ad8eos93fNxg8XKo NSoQ== MIME-Version: 1.0 X-Received: by 10.194.94.39 with SMTP id cz7mr1378875wjb.78.1397232504044; Fri, 11 Apr 2014 09:08:24 -0700 (PDT) Received: by 10.217.55.138 with HTTP; Fri, 11 Apr 2014 09:08:23 -0700 (PDT) In-Reply-To: <53472B7F.5090001@FreeBSD.org> References: <53472B7F.5090001@FreeBSD.org> Date: Fri, 11 Apr 2014 11:08:23 -0500 Message-ID: Subject: Re: Retiring portsnap [was MITM attacks against portsnap and freebsd-update] From: David Noel To: Bryan Drewery Content-Type: text/plain; charset=ISO-8859-1 Cc: freebsd-security@freebsd.org, secteam , Colin Percival , security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list Reply-To: David.I.Noel@gmail.com List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 11 Apr 2014 16:08:27 -0000 > Your report aside, I find portsnap to be far superior in security for > ports and users. If you look at the portsnap build code you'll see that the first thing portsnap does is pull the ports tree from Subversion. It uses the URL svn://svn.freebsd.org/ports. By not using ssl or svn+ssh the entire ports archive is exposed to corruption right from the start. > I wish it knew how to checkout source as well. Aside from the fact that anyone sitting on a hop between svn.freebsd.org and the portsnap build server could MITM the entire ports tree, the main problem here is that the source would have to come from version control, and the version control system used by the FreeBSD project is Subversion. If you distrust Subversion you should be equally distrusting of portsnap and this hypothetical source checkout system. > 1. It only allows a secure checkout. See above. To be fair I think this perception has a lot to do with the fact that the server side code for portsnap and freebsd-update wasn't released publicly until a year ago (I'd requested it from Colin while attempting an audit two years ago). So you, like myself, never really had a fair chance to review it. I'd always just assumed it was rock solid. It was, after all, written by the FreeBSD Chief Security Officer! I'm sure your line of thinking was similar. Portsnap's first release was in 2005 and freebsd-update's was in 2006. That means we went a solid 7 years without a public review of either of those two core components. This is a huge problem, and an important lesson for the project on the subject of transparency; everything relating to FreeBSD needs to be open for review no matter who built it or what their credentials are. > You can't accidentally checkout svn:// or http://. You only have to check out the ports tree once so there's really only one time you're going to have to worry about correctly entering a URL. That and on the rare occasion that you have to call svn switch, which you shouldn't have to call to update ports unless one of the mirrors is down. Checking out /usr/ports creates a record of the URL used in /usr/ports/.svn/wc.db. If entering the https:// prefix is really that big of a deal, which I'm not convinced that it is, why not pre-load an .svn/ directory into the /usr/ports/ directory at the time the ports tree is installed? This would eliminate the need to call svn checkout altogether. > 2. It blows away directories with updates. I've witnessed a trojaned > ports checkout before. 'svn update' does not remove unexpected files, > nor remove changes. Yes this is a decrease in usability when you've > modified the file and want to keep the changes, but you can easily make > a wrapper script to merge in your changes, or use SVN if you really want. I'm not familiar with what you're talking about so I can't really respond to it. I guess I'm not clear: you're describing the process whereby a port containing malicious code is checked out by svn update? If the malicious code or metadata pointing to malicious code is on svn it's in portsnap too. I'm not clear on what a "trojaned ports checkout" is. > 3. SVN too often gets into confusing situations on 'svn update' that > require knowledge of how SVN works to resolve the conflict. Even I with > my ~10 years of SVN experience I get confused often and frustrated when > not even 'svn revert -R dir; svn up dir' will revert to the upstream > version (I may have my example off, but that's the point, it's confusing.) The only issue I've ever run into was an error message saying I needed to first run svn upgrade. Why were you using svn revert on your ports tree? Is that a common use case? Maintaining a local ports repository with Subversion requires knowledge of, at a minimum, two commands: svn co, and svn up. Actually you can get away with just one: `svn co https://... /usr/ports`. Any problem a user may encounter can be fixed with `rm -rf /usr/ports; svn co https://... /usr/ports`. If a person is using portsnap it means they're building their own ports. Make is immeasurably more difficult to use than subversion. If they're competent enough to wade through the nightmare that often is building ports on FreeBSD they're certainly competent enough to familiarize themselves with svn co. > 4. SVN asks the user to confirm the public key when first using the > HTTPS repository. I worry this step will be done poorly by users. If you look at the /root/.subversion/servers configuration file you'll see that one of its parameters is ssl-authority-files. Using this it would be simple to include the server's public keys in base, allowing users to call svn update without having to verify anything. Portsnap hard-codes the public key fingerprint in /etc/portsnap.conf. The line from the config file is: # ssl-authority-files = /path/to/CAcert.pem;/path/to/CAcert2.pem > 5. SVN requires 'svn upgrade' sometimes, this is also confusing for users. > 6. The way we do HTTPS is through mirrors only, if you pick the wrong > mirror it's against hard for the user who doesn't know SVN to change to > a different mirror. Portsnap already handles mirrors excellently by geo > location. Again, if they're using `make` it's safe to say they can handle svn upgrade and svn switch. Worst case scenario we have to document the few edge cases svn can throw in the handbook. > Teaching portsnap how to speak SVN, while still behaving the same, may > cover my concerns. That may be simpler than patching portsnap and freebsd-update. I don't think it would be worth the effort though. I don't see how adding `0 0 * * * svn up /usr/ports` to crontab is any more difficult than adding `0 0 * * * portsnap cron`. -David