Date:      Sat, 25 Apr 1998 20:27:50 -0700
From:      "Jordan K. Hubbard" <jkh@time.cdrom.com>
To:        Eivind Eklund <eivind@yes.no>
Cc:        Alex <garbanzo@hooked.net>, hackers@FreeBSD.ORG
Subject:   Re: Speaking of packaging tools..
Message-ID:  <15211.893561270@time.cdrom.com>
In-Reply-To: Your message of "Sun, 26 Apr 1998 05:10:43 +0200." <19980426051043.29132@follo.net>

> Neat - but do we really want to go in the direction of packages that
> can contain trojans?  Personally I wouldn't like running a

Erm..  We've not only already gone in that direction, we reached the
destination long ago and have spent enough time at the location to
build a small town there.  The existing pkg_add format is a walking,
talking demonstration model for creating packaged trojans and I'm not
talking about condoms (rim shot) - the +INSTALL component of a pkg can
be literally anything from a benign shell-script to a system-eating
binary horror.  There are no checks on what it does save for the
permissions available to the uid pkg_add is running as, that generally
being root of course.  Packages aren't even SIGNED, as you well know,
and it'd be essentially correct to say that the *BSD package system is
completely, totally and utterly without any form of security
whatsoever and is probably saved only by the fact that hacking it
would prove no challenge whatsoever and hence isn't enough fun. :-)

What I'm more curious to know about these self-extractors is
where exactly they extract and how one controls that behavior.

The biggest problem with executable packages is also, of course, the
fact that people will typically use ftp to xfer them and they won't
then run without the user knowing how to use chmod to set the execute
bit.  This isn't a problem that pkg_add has to worry about with data
files.

					Jordan
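The two gaps Jordan describes, that a package's +INSTALL hook is arbitrary code run with pkg_add's (usually root) privileges and that packages carry no signature, suggest the check a cautious admin would want before installing: look at the hook scripts without running them, and compare the package against an integrity record obtained out of band. The following is an added example, not code from this post or from FreeBSD's pkg_add. It assumes the legacy package layout (a tarball whose metadata members sit at the root under names such as +CONTENTS, +INSTALL, +DEINSTALL and +REQUIRE) and uses a constructed SHA-256 manifest as a stand-in for the signature the format lacks; the sample package is built inline.

```python
import hashlib
import hmac
import io
import tarfile

# Hook-script member names of the legacy *BSD package format (assumed subset).
# pkg_add runs these with its own privileges, so each one deserves review.
HOOK_SCRIPTS = ("+INSTALL", "+DEINSTALL", "+REQUIRE")


def build_demo_package(install_script: bytes) -> bytes:
    """Constructed sample package in the legacy layout (demo input only).

    Plain (uncompressed) tar is used so the bytes are deterministic and the
    digest below is stable across runs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add("+CONTENTS", b"@name demo-1.0\n@cwd /usr/local\nbin/demo\n")
        add("+COMMENT", b"demo package\n")
        add("+INSTALL", install_script)
        add("bin/demo", b"#!/bin/sh\necho hello\n")
    return buf.getvalue()


def package_digest(package: bytes) -> str:
    """SHA-256 of the package bytes, the value a trusted manifest would carry."""
    return hashlib.sha256(package).hexdigest()


def find_hook_scripts(package: bytes) -> dict:
    """Return {member name: script text} for every hook script in the package.

    Only reads the tarball; nothing is extracted to disk or executed."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(package), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name in HOOK_SCRIPTS:
                data = tar.extractfile(member).read()
                found[member.name] = data.decode("utf-8", "replace")
    return found


def verify_against_manifest(package: bytes, name: str, manifest: dict) -> bool:
    """Compare the package digest with a manifest obtained out of band.

    Constant-time comparison; a missing manifest entry fails closed."""
    expected = manifest.get(name, "")
    return hmac.compare_digest(package_digest(package), expected)


def assess_package(package: bytes, name: str, manifest: dict) -> dict:
    """Pre-install assessment: integrity result plus the hook scripts that a
    human should read before letting pkg_add run them as root."""
    hooks = find_hook_scripts(package)
    return {
        "integrity_ok": verify_against_manifest(package, name, manifest),
        "hooks": hooks,
        "needs_review": bool(hooks),
    }


if __name__ == "__main__":
    pkg = build_demo_package(b"#!/bin/sh\nexit 0\n")
    trusted = {"demo-1.0": package_digest(pkg)}  # constructed manifest
    report = assess_package(pkg, "demo-1.0", trusted)
    print("integrity ok:", report["integrity_ok"])
    for hook_name, text in report["hooks"].items():
        print(f"--- {hook_name} (review before install) ---")
        print(text, end="")
```

The assessment deliberately does not decide for the operator: a matching digest only says the package is the one the manifest describes, and a present +INSTALL script is still arbitrary code, so both facts are reported and the script text is shown for reading rather than run.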
