Security leak: Public disclosure of user data without their consent by installing software via pkg

Stefan Blachmann sblachmann at gmail.com
Thu Apr 8 02:50:22 UTC 2021


The answers I got from both "Security Officers" surprised me so much
that I had to let that settle a bit to understand the implications.


Looking at the FreeBSD Porters' Handbook
[https://docs.freebsd.org/en_US.ISO8859-1/books/porters-handbook/pkg-install.html],
it describes the purpose of the package pre- and postinstallation
scripts as to "set up the package so that it is as ready to use as
possible".

It explicitly names only a few actions that are forbidden for them to
do: "...must not be abused to start services, stop services, or run
any other commands that will modify the currently running system."

Anything else is apparently deemed “allowed”.
Spying out the machine and its configuration, sending that data to an
external entity – perfectly OK. Not a problem at all.

This has been proven by the handling of this last BSDstats security
incident, where the FreeBSD “pkg” utility is being abused to run
spyware without the users’ prior knowledge and without their consent.

This abuse is apparently being considered acceptable by both FreeBSD
and HardenedBSD security officers.
Instead of taking action, you "security officers" tell the FreeBSD
users that it is their own fault that they got “pwnd”, just because
they trustingly installed software from the package repo hosted by
FreeBSD without religiously and carefully auditing each and every
package's pre- and post-installation scripts before the actual
install, using the “pkg -I” option.

Indeed, I felt very surprised that the “Security Officer” of “Hardened
BSD” chimed in, only to publicly demonstrate his lack of competence to
recognize obvious security problems.
Like two fish caught with a single hook!

Are you "Security Officers" aware that you basically are tearing down
any trust that conventional, non-big-corporate users without large own
IT staff can have in FreeBSD?


So, I believe that not only the reasons that made the Wireguard
debacle possible need to be discussed.
This discussion should not occur in hermetic private circles, but in
public places like /r/freebsd, IT news outlets and other competent and
independent media.
Not only Wireguard needs to be discussed, but also things like the
responsibility for software that is not part of the base system, but
is nevertheless distributed by the FreeBSD organization.

Can it be ethically acceptable to put users at risk, for example by
intentionally (?) not setting any limits to what extent installer
scripts are allowed to collect sensitive user and system data and
disclose them to interested third parties?

This should imho be discussed in public, leading to the formulation of
rules which might help enable users to trust FreeBSD.


[ Just to note: the porter of the package in question wrote to me that
it never was the intention to run the scripts without user consent.
Something, or some action by someone, must have happened that led to
this behaviour. What actually happened can be analyzed.
For me, what actually matters is not this particular incident, but the
finding that spyware behavior of pre/postinstaller scripts is
apparently generally deemed acceptable and not actionable, according
to FreeBSD rules. So the problem is these rules, and not this last
incident. ]

On 4/6/21, Gordon Tetlow <gordon at tetlows.org> wrote:
> On Apr 6, 2021, at 7:42 AM, Shawn Webb <shawn.webb at hardenedbsd.org> wrote:
>>
>> On Tue, Apr 06, 2021 at 04:39:40PM +0200, Miroslav Lachman wrote:
>>> On 06/04/2021 16:27, Shawn Webb wrote:
>>>
>>>> 1. BSDStats isn't run/maintained by the FreeBSD project. File the
>>>>    report with the BSDStats project, not FreeBSD.
>>>> 2. You install a package that is made to submit statistical data.
>>>> 3. You're upset that it submits statistical data?
>>>
>>> The problem here is that it collects and sends data right at the install
>>> time. It is really unexpected to run installed package without user
>>> consent.
>>> If you install Apache, MySQL or any other package the command / daemon is
>>> not run by "pkg install" command.
>>> This must be avoided.
>>
>> It's probably easier to submit a patch than it is to write a
>> lolwut-type email. All you gotta do is rm the post-install script.
>> Also `pkg install` has the -I option. But whatever, let the lolwut
>> mentality prevail!
>
> I had a conversation on the side with the requestor. In short, there is
> already a patch to address this issue in
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152
> <https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251152>. Not sure why it
> hasn't been committed yet, but hopefully it gets picked up shortly.
>
> Gordon
>