Date: Thu, 30 Jan 2020 00:50:06 +0000
From: Nathan Dorfman <ndorf@rtfm.net>
To: Glen Barber <gjb@freebsd.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Cryptographic signatures of installer sets
Message-ID: <20200130005006.GA13@e398a4ce8009>
In-Reply-To: <20200127164201.GB9584@FreeBSD.org>
References: <20200125200007.GA11@rtfm.net> <20200127164201.GB9584@FreeBSD.org>
On Mon, Jan 27, 2020 at 04:42:01PM +0000, Glen Barber wrote:
> No, this last part is not true. The installer always verifies the
> checksums against /usr/freebsd-dist/MANIFEST on the installation medium.
>
> In particular, this was done in r293223, where the LOCAL_DISTRIBUTIONS
> variable explicitly contains the MANIFEST.

Thank you, Glen. You're correct of course; the installer uses its embedded
MANIFEST and doesn't even fetch it from the mirror... during system
installation, at least.

However, the first time a jail is set up, using the `bsdinstall jail`
command, it does in fact fetch and trust the mirror's MANIFEST. I just
tested this with a freshly installed 12.1-RELEASE system and a local mirror
with a modified base.txz and manifest. It installs the modified files into
the new jail without any complaint.

Simply, after a clean installation /usr/freebsd-dist doesn't exist on the
new system, so the jail script creates it and downloads the MANIFEST from
the mirror. See lines 60-70, here:

https://svnweb.freebsd.org/base/release/12.1.0/usr.sbin/bsdinstall/scripts/jail?view=markup#l60

After the first jail, this downloaded manifest and package(s) are saved in
/usr/freebsd-dist. So you are only at risk the first time, and there will
be some evidence of the tampering.

Still, I hope you'll agree that this should be fixed. The installer already
has a trusted manifest as you point out, why not simply install that one
into the target system's /usr/freebsd-dist at setup time?

-nd.
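The check the message argues for, verifying a downloaded distribution set against a MANIFEST that was already on the system rather than one fetched from the same mirror, as an added example that is not part of the original message or of the bsdinstall scripts. The tab-separated MANIFEST field layout and the tiny sample "base.txz" are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not bsdinstall code): verify a fetched distribution set
# against a TRUSTED local MANIFEST instead of one downloaded from the mirror.
# Assumed MANIFEST line layout, tab-separated:
#   <file>  <sha256>  <nfiles>  <name>  "<description>"  <on|off>

# Portable SHA-256 of a file (FreeBSD ships sha256, Linux ships sha256sum).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_dist <trusted-manifest> <download-dir> <distfile>
# Returns 0 only when the file is listed in the manifest and its hash
# matches; a mirror that alters base.txz cannot also alter this manifest.
verify_dist() {
    manifest=$1; dir=$2; dist=$3
    expected=$(awk -F'\t' -v d="$dist" '$1 == d { print $2; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "$dist: not listed in trusted manifest" >&2
        return 2
    fi
    actual=$(sha256_of "$dir/$dist")
    if [ "$actual" != "$expected" ]; then
        echo "$dist: checksum mismatch (tampered or corrupt download)" >&2
        return 1
    fi
    return 0
}

# Constructed sample data: a stand-in base.txz and a manifest naming its hash.
# Prints the directory so a caller can point verify_dist at it.
demo_setup() {
    tmp=$(mktemp -d)
    printf 'not really a tarball\n' > "$tmp/base.txz"
    printf 'base.txz\t%s\t1\tbase\t"Base system (MANDATORY)"\ton\n' \
        "$(sha256_of "$tmp/base.txz")" > "$tmp/MANIFEST"
    echo "$tmp"
}
```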