[Bug 221281] sysutils/ezjail should verify downloaded tarballs before use

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sun Aug 6 14:07:25 UTC 2017


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221281

            Bug ID: 221281
           Summary: sysutils/ezjail should verify downloaded tarballs
                    before use
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: freebsd-ports-bugs at FreeBSD.org
          Reporter: rw at nelianur.org
                CC: erdgeist at erdgeist.org
             Flags: maintainer-feedback?(erdgeist at erdgeist.org)

Dear maintainer,

by default, "ezjail-admin install" will download and install release tarballs
fetched via FTP without verifying their integrity. If an FTP mirror is
compromised or a man-in-the-middle attack is conducted, this will allow an
attacker to execute arbitrary code within the jail.

I'm aware of the option to have ezjail-admin use files from a local directory
instead and am using this myself. Still, I believe the default should not
result in the above situation, particularly since the handbook recommends ezjail
to novice users.

That said, I'm not sure how to implement this feature in FreeBSD. The .asc
release announcements are signed and include checksums of all release
artifacts. If the GPG public keys used for signing this .asc were installed on
the host one could at least ensure that the downloaded files are as genuine as
the host OS. If the user has verified the installation media used for the host
OS a proper chain of trust would be established. This is how some Linux
distributions (Debian) and OpenBSD have addressed this problem. Unfortunately,
FreeBSD does not appear to ship the signing public keys as part of the released
images.

At a minimum, ezjail should include a list of trusted checksums as part of the
port/package. This does, however, put the burden of verifying this list and
keeping it up to date on the maintainer.

Cheers,

Rene
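A check of the kind the report asks for, as an added example that is not part of the bug report or of ezjail itself: a POSIX shell function that refuses to pass a downloaded tarball to the unpack step unless its SHA-256 digest matches an entry in a trusted checksum list. The list format assumed here is the BSD-style `SHA256 (name) = hex` line that FreeBSD's release checksum files use; the tarball, the list and the tampered copy are constructed stand-ins built by `make_fixture`, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from ezjail or the bug report: verify a fetched
# release tarball against a trusted SHA-256 list before it is unpacked.
set -eu

# SHA-256 hex digest of a file, portable across GNU coreutils (sha256sum)
# and FreeBSD (sha256 -q).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# Look up the expected digest for an artifact name in a BSD-style list of
# "SHA256 (base.txz) = <hex>" lines. Prints the digest, or nothing if the
# artifact is not listed.
expected_sha256() {
    list=$1
    name=$2
    awk -v name="$name" '$1 == "SHA256" && $2 == ("(" name ")") { print $4 }' "$list"
}

# Exit status 0 when the file matches the trusted list, 1 on a digest
# mismatch, 2 when the list has no entry for it. Both failures must stop
# the install: an unlisted artifact is not "probably fine".
verify_tarball() {
    file=$1
    list=$2
    want=$(expected_sha256 "$list" "$(basename "$file")")
    if [ -z "$want" ]; then
        echo "refusing $file: no trusted checksum for $(basename "$file")" >&2
        return 2
    fi
    have=$(sha256_of "$file")
    if [ "$have" != "$want" ]; then
        echo "refusing $file: expected $want, got $have" >&2
        return 1
    fi
    return 0
}

# Constructed fixture (hypothetical): a genuine stand-in for base.txz with
# its checksum list, plus a copy altered the way a tampering mirror would
# serve it. Prints the fixture directory.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/release" "$dir/tampered"
    printf 'constructed stand-in for base.txz\n' > "$dir/release/base.txz"
    printf 'SHA256 (base.txz) = %s\n' "$(sha256_of "$dir/release/base.txz")" \
        > "$dir/CHECKSUM.SHA256"
    printf 'constructed stand-in for base.txz, altered in transit\n' \
        > "$dir/tampered/base.txz"
    echo "$dir"
}

# Stand-alone demonstration: the genuine file passes, the altered one does
# not, and only a passing file would reach the unpack step.
fixture=$(make_fixture)
for candidate in "$fixture/release/base.txz" "$fixture/tampered/base.txz"; do
    rc=0
    verify_tarball "$candidate" "$fixture/CHECKSUM.SHA256" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "OK: $candidate may be unpacked"
    else
        echo "REJECTED (status $rc): $candidate"
    fi
done
rm -rf "$fixture"
```

The check is only as strong as the provenance of the list: it has to be shipped with the port, as the report proposes, or be checked against the signed release announcement (for example with `gpg --verify` and a key the host already trusts) before `verify_tarball` consults it. Fetching the list from the same mirror as the tarball, unsigned, would let a compromised mirror supply matching digests for its own files.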
