Re: pkg and root privileges
- Reply: niko.nastonen_a_icloud.com: "Re: pkg and root privileges"
- In reply to: niko.nastonen_a_icloud.com: "pkg and root privileges"
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Thu, 28 Jul 2022 15:08:05 UTC
On Tue, Jul 26, 2022 at 07:15:43PM +0300, niko.nastonen@icloud.com wrote: > Hi. > > There was a recent discussion on the FreeBSD forum about security of pkg and its ability to drop root privileges when fetching packages. > > I couldn’t help but notice that there was a git commit > > fcceab3f with comment "drop privileges when using libfetch” > > and another one > > f3b0469e with comment "Stop dropping privileges when fetching as it causes more issues than it solved”. > > Can I ask what kind of issues the first commit introduces and why pkg still goes out to the internet unprotected? > > In case the issues are already solved by later commits, let me present a silly patch (mostly copied from fcceab3f) for branch "release-1.18” which makes fetch use nobody instead of root. > > Feel free to modify it to match “the real BSD hacker standards, if applicable” :-) > I am interested in the thread on the forum, if you can point it out to me. The reason why it was dropped is because, libfetch allows to access many thing (like ~/.netrc but not only) and many users are using such features of libfetch. I dropped the "drop of privileges" the time to work on libfetch to make it more friendly to the "drop of provileges" which I started but never finished. Thank you for the reminder I will move that up on my TODO list for 1.19 Best regards, Bapt