Re: Reflections on Trusting Trust
On Wednesday 30 November 2005 09:55, Ádám Szilveszter wrote:
> Which practically begs the question: could we, pretty please, change the
> defaults and stop encouraging people from downloading distfiles and
> compiling them when using the ports tree as *root*? (shudder) There is
> exactly zero reason for this that I can think of apart from some "well
> it's more convenient that way" arguments. With the current model of using
> ports (and packages too) every single BO or whatever in eg fetch or
> libfetch becomes a sure-fire remote root vulnerability, because all
> FreeBSD machines use fetch to retrieve stuff from random sites on the
> Internet (MASTERSITEs are all over the place) as root. A security
> worst-practice.
Second that. But I feel a little uneasy about making /usr/ports/ group
writeable for wheel or giving it to a "normal" user on the system.
What about creating a user called "ports" or something more compelling? Most
daemons have their own uids, so why not "the daemon" for downloading and
compiling?
> (Of course, we could go even further and start compartmentalising access
> rights because eg a user with port-install rights should have no
> permission to touch the base system, in particular system binaries and the
> contents of /etc, but this would also require saying farewell to some
> really bizarre things like "openssh from ports overwriting the one in the
> base" which would be really a good idea btw.)
And what about the +INSTALL and +DEINSTALL scripts that some ports want to run?
Those I've seen ensure that a certain user exists. Therefore they roam
around in /etc.
BTW, those scripts fail (of course) if /tmp is mounted with the noexec
option. So the nightmare begins with root re-mounting /tmp rw, fetching the
distfiles and storing and executing shell scripts on /tmp...
> Best regards,
> Sz.
Best regards,
Andreas
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
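As an added example (not from this thread, and not part of the FreeBSD ports tooling): the failure mode Andreas mentions, a +INSTALL script dying because /tmp is mounted noexec, can be detected without remounting /tmp and without parsing mount(8) output, which differs between FreeBSD and other systems. The script below simply tries to execute a throwaway script in a candidate directory and picks the first one that works, so a build can be pointed at a scratch directory that permits execution instead of loosening /tmp for everyone. The candidate paths (/var/tmp, a ports-owned scratch directory) and the use of TMPDIR to steer the build are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the original post. Decide where a port's
# +INSTALL/+DEINSTALL scripts can actually run instead of remounting /tmp
# with exec as root.
#
# On a noexec mount a script that is chmod +x still fails to execute: the
# shell reports "Permission denied" and returns status 126. Probing by
# execution catches this regardless of how the mount flags are spelled.

# probe_exec_dir DIR: return 0 if a script created in DIR can be executed,
# non-zero if DIR is missing, unwritable or on a noexec mount.
probe_exec_dir() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    # mktemp with a template works with both BSD and GNU mktemp.
    probe=$(mktemp "$dir/exec-probe.XXXXXX") || return 1
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod 0700 "$probe"
    "$probe" 2>/dev/null      # fails with 126 on a noexec filesystem
    status=$?
    rm -f "$probe"
    return $status
}

# pick_exec_dir DIR...: print the first candidate that permits execution.
pick_exec_dir() {
    for d in "$@"; do
        if probe_exec_dir "$d"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Usage: candidate scratch directories are assumptions; /var/tmp and a
# directory owned by a dedicated "ports" user are only examples here.
# A build could then be started with TMPDIR set to the chosen directory
# rather than remounting /tmp exec.
if scratch=$(pick_exec_dir /var/tmp /usr/ports/tmp /tmp); then
    echo "scratch directory permitting exec: $scratch"
else
    echo "no candidate directory permits execution; not remounting /tmp" >&2
fi
```

The probe deliberately executes the file rather than testing `-x`, because `test -x` only consults the mode bits and reports success on a noexec mount where the real +INSTALL script would still fail.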