Date: Mon, 7 Oct 2013 16:48:34 +0300
From: Kimmo Paasiala <kpaasial@gmail.com>
To: Daniel Nebdal <dnebdal@gmail.com>
Cc: mexas@bris.ac.uk, Boris Samorodov <bsam@passap.ru>, Ports FreeBSD <freebsd-ports@freebsd.org>
Subject: Re: Explain staging
Message-ID: <CA%2B7WWSdYEhhLx8s7TYsfQcUzr%2BY3aTroMQ%2BpOmLqpCqSv3vpWQ@mail.gmail.com>
In-Reply-To: <CA%2Bt49PKZ-s6HHakWu6BiZFBRX_Hy27uxKQ%2BJuneA8YizbGNO%2Bw@mail.gmail.com>
References: <5252A04F.1060906@passap.ru> <201310071252.r97Cq51N051621@mech-cluster241.men.bris.ac.uk> <CA%2Bt49PKZ-s6HHakWu6BiZFBRX_Hy27uxKQ%2BJuneA8YizbGNO%2Bw@mail.gmail.com>
On Mon, Oct 7, 2013 at 4:36 PM, Daniel Nebdal <dnebdal@gmail.com> wrote:
> On Mon, Oct 7, 2013 at 2:52 PM, Anton Shterenlikht <mexas@bris.ac.uk> wrote:
>> From bsam@passap.ru Mon Oct 7 13:36:53 2013
>>>
>>> 07.10.2013 13:23, Anton Shterenlikht writes:
>>>
>>>> What about "make fetch"? It puts files by default under
>>>> ports/distfiles, which, by default, is 755:
>>> [...]
>>>> What about "make extract"? Same problem:
>>>
>>> I use svn repo owned by a user for ages. When root rights are needed,
>>> the ports infrastructure asks for the password.
>>
>> I've read a few books on unix security.
>> The typical advice is to assume the user
>> passwords are compromised.
>> If I build and install from a ports tree
>> owned by a user, I increase the chances of
>> compromising the system, if an attacker
>> changes some files in the ports tree,
>> i.e. the URL in the Makefile and the checksum
>> in distinfo. I'll then have to add this worry
>> to my already long list.
>>
>> Anton
>>
>
> If that happens to an account used by an admin, don't you have larger worries?
>
> Let's say:
> * You have an account with no special privileges, that you typically
> log in with.
> * That account has a ports tree
> * You typically install ports by compiling them as this user, then
> installing them with root privileges.
>
> If you use sudo, and you haven't used targetpw or something to make it
> ask for a different password, and you haven't set any strong limits on
> it, anyone that got your password would also be able to use sudo to do
> whatever they wanted more directly. So let's assume you're not doing
> that.
>
> An attacker with your password could meddle with your .profile or
> .cshrc or whatever, and replace your shell with a lookalike that
> logged all input. From there, they could get hold of whatever commands
> and passwords you use to install software, and reuse that to install
> whatever they want directly. If what you use is sudo, somehow
> restricted to only run make install, and only within that ports tree
> ... again, what would keep an attacker from just modifying any random
> port on the fly, installing it there and then, and then reverting the
> changes to reduce the risk of detection?
>
> It just seems like leaving a timebomb in the form of a modified ports
> directory would be a fairly inefficient thing to do if they'd already
> gotten that far, and it would run the risk of being overwritten
> and/or detected next time you updated your ports tree. Of course, if
> you set the ports tree a+w (or, heaven forbid, 0777), you'd be asking
> for trouble ... but that's not new.
>
>
> Then again, I might have overlooked something. :)
>

In my opinion fetching and building (and creating packages if using staging) as a non privileged user is always safer than doing the same things as root. The common security advice is to AVOID using admin/root privileges as much as possible to minimize the attack vectors.

-Kimmo
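Anton's concern above is a tampered Makefile URL with a matching distinfo checksum in a user-owned tree, and Daniel notes that such an edit could be reverted afterwards to avoid detection. As an added example that is not part of this thread, the following Python script shows how a privileged account could catch such edits between ports updates; it assumes the trusted manifest is stored root-owned outside the tree, and the one-port tree and digests it builds are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Files an attacker would edit to redirect a fetch and make the new tarball verify:
# the Makefile (MASTER_SITES / DISTNAME) and distinfo (SHA256 / SIZE lines).
TRACKED = ("Makefile", "distinfo")

def digest(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(ports_root):
    """Map 'category/port/file' -> sha256 for every tracked file under ports_root.
    The result is meant to be written somewhere the unprivileged user cannot touch."""
    manifest = {}
    for dirpath, _, files in os.walk(ports_root):
        for name in files:
            if name in TRACKED:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, ports_root).replace(os.sep, "/")
                manifest[rel] = digest(full)
    return manifest

def check_tree(ports_root, manifest):
    """Compare the live tree against a trusted manifest.
    Returns a sorted list of (relpath, 'modified' | 'missing' | 'unexpected')."""
    current = build_manifest(ports_root)
    findings = [(rel, "missing") for rel in manifest if rel not in current]
    findings += [(rel, "modified") for rel, h in manifest.items()
                 if rel in current and current[rel] != h]
    findings += [(rel, "unexpected") for rel in current if rel not in manifest]
    return sorted(findings)

def demo():
    """Constructed single-port tree, then a distinfo edit like the one the thread worries about."""
    root = tempfile.mkdtemp()
    port = os.path.join(root, "sysutils", "example")
    os.makedirs(port)
    with open(os.path.join(port, "Makefile"), "w") as f:
        f.write("MASTER_SITES=\thttps://example.invalid/dist/\n")  # placeholder host
    with open(os.path.join(port, "distinfo"), "w") as f:
        f.write("SHA256 (example-1.0.tar.gz) = " + "0" * 64 + "\n")  # constructed digest
    trusted = build_manifest(root)  # taken while the tree is known-good
    with open(os.path.join(port, "distinfo"), "w") as f:
        f.write("SHA256 (example-1.0.tar.gz) = " + "f" * 64 + "\n")  # swapped checksum
    return check_tree(root, trusted)
```

Running the check from root's cron against a manifest refreshed right after each trusted ports update turns the "revert the changes afterwards" trick into a window the attacker has to win rather than a guaranteed clean-up.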