Reflections on Trusting Trust

Peter Jeremy PeterJeremy at optushome.com.au
Wed Nov 30 17:58:53 GMT 2005 

On Wed, 2005-Nov-30 13:36:10 +0100, Andreas Nemeth wrote:
>On Wednesday 30 November 2005 09:55, Ádám Szilveszter wrote:
>> Which practically begs the question: could we, pretty please, change the
>> defaults and stop encouraging people from downloading distfiles and
>> compiling them when using the ports tree as *root*?
>
>Second that. But I feel a little uneasy about making /usr/ports/ group 
>writeable for wheel or giving it to a "normal" user on the system.

By default, /usr/ports is used to store:
- A checked-out copy of the ports tree as stored in CVS.
- INDEX-*  This is hard-wired in the Makefile infrastructure
- Compilation/work directories - overridable with WRKDIRPREFIX
- distfiles - overridable with DISTDIR
- packages - overridable with PACKAGES
- portupgrade's INDEX*.db - overridable with PORTS_DBDIR

Rather than making /usr/ports writable by anyone other than root (if
you don't want to), you can create alternative locations for distfiles,
work directories (and package directories) so a normal used can download
and compile ports.

At one stage, editors/openoffice.org-1.1 wouldn't build if WRKDIRPREFIX
was set but that has been fixed.  I haven't run into any other problems
(though it might be interesting for the build cluster to verify that).

Note that the only ports-related file that can't be moved out of the
ports tree is 'INDEX'.  This is annoying (I'd like to be able to RO
export /usr/ports across several FreeBSD variants) but 'make index'
only uses information within the ports tree and so isn't dangerous.

>And what about the +INSTALL and +DEINSTALL scripts, some ports want to run? 

I don't think any package management system has managed to avoid needing
scripts to handle some functions.  This is primarily an issue if you
are installing a package because the scripts come out of your ports tree
if you built the port.  (AFAIK, no ports create these scripts on the fly).

>Those I've seen, ensure that a certain user exists. Therefore they roam 
>around in /etc.

And, hence, require root privileges.

>BTW, those scripts fail (of course), if /tmp is mounted with the noexec 
>option.

I think the solution to this is to set PKG_TMPDIR somewhere else.

-- 
Peter Jeremy

More information about the freebsd-security mailing list