Reflections on Trusting Trust
Peter Jeremy
PeterJeremy at optushome.com.au
Wed Nov 30 17:58:53 GMT 2005
On Wed, 2005-Nov-30 13:36:10 +0100, Andreas Nemeth wrote:
>On Wednesday 30 November 2005 09:55, Ádám Szilveszter wrote:
>> Which practically begs the question: could we, pretty please, change the
>> defaults and stop encouraging people from downloading distfiles and
>> compiling them when using the ports tree as *root*?
>
>Second that. But I feel a little uneasy about making /usr/ports/ group
>writeable for wheel or giving it to a "normal" user on the system.
By default, /usr/ports is used to store:
- A checked-out copy of the ports tree as stored in CVS.
- INDEX-* This is hard-wired in the Makefile infrastructure
- Compilation/work directories - overridable with WRKDIRPREFIX
- distfiles - overridable with DISTDIR
- packages - overridable with PACKAGES
- portupgrade's INDEX*.db - overridable with PORTS_DBDIR
Rather than making /usr/ports writable by anyone other than root (if
you don't want to), you can create alternative locations for distfiles,
work directories (and package directories) so a normal used can download
and compile ports.
At one stage, editors/openoffice.org-1.1 wouldn't build if WRKDIRPREFIX
was set but that has been fixed. I haven't run into any other problems
(though it might be interesting for the build cluster to verify that).
Note that the only ports-related file that can't be moved out of the
ports tree is 'INDEX'. This is annoying (I'd like to be able to RO
export /usr/ports across several FreeBSD variants) but 'make index'
only uses information within the ports tree and so isn't dangerous.
>And what about the +INSTALL and +DEINSTALL scripts, some ports want to run?
I don't think any package management system has managed to avoid needing
scripts to handle some functions. This is primarily an issue if you
are installing a package because the scripts come out of your ports tree
if you built the port. (AFAIK, no ports create these scripts on the fly).
>Those I've seen, ensure that a certain user exists. Therefore they roam
>around in /etc.
And, hence, require root privileges.
>BTW, those scripts fail (of course), if /tmp is mounted with the noexec
>option.
I think the solution to this is to set PKG_TMPDIR somewhere else.
--
Peter Jeremy
More information about the freebsd-security
mailing list