Hacker News new | ask | show | jobs
by egwynn 3742 days ago
The author writes:

   ###############################################################################
   daily_status_security_pkgaudit_enable="NO"
   ###############################################################################

   I most certainly don't want pkg (running as root, remember) going out to
   the internet every night to fetch a list of vulnerable ports.

   Who thought this was safe?
I’m confused. Why is this unsafe? Is it because the author doesn’t trust `pkg` to do the auditing job safely as root? Remember, this isn’t automatic updating/installing. This job just adds a section to the daily email that tells you which packages have security updates to them.
4 comments
xenophonf 3742 days ago
I think it's more of a defensive thing, where pkg should drop privileges unless it's performing an operation that absolutely requires root access. Technically, `pkg audit` doesn't need to run as root, since it only downloads a package catalog and compares it to the list of installed packages.
link
0xcde4c3db 3742 days ago
> Is it because the author doesn’t trust `pkg` to do the auditing job safely as root?

Even if one asks the question and arrives at "yes, I trust this program", there is value in eliminating the question itself.

link
geofft 3742 days ago
Yes, making this change is bad for security, unless you have some other means of being informed of vulnerabilities.

If you think pkg has vulnerabilities, fix them. (For instance, running as not-root is a great idea!) The author's argument that pkg is bad because Debian apt has vulnerabilities is ... really stretching.

link
washadjeffmad 3742 days ago
Isn't that still assuming that the information that pkg provides is generally trustworthy?

I assume their consideration is that the list might not be trustworthy, so knee jerk updating based on a potentially faulty list is itself a vulnerability. Would a 24h delayed updated list of security updates be worse than an incorrect one?

link
msbarnett 3742 days ago
The fact that pkg isn't least-privileged in its operations sucks, but the idea that this somehow makes the contents of a cryptographically signed vulnerability list, fetched via SSL with chain-of-trust verification "untrustworthy" is nonsensical.
link
MBCook 3742 days ago
Since it runs as scripts as root what happens when through malice, mistake, or odd configuration a script gets through standard review and trashes a system? What if one of the official maintainers doesn't exercise due diligence?

You're protected from MITM and hacked repos, but what if the problem is in the official repo?

Defensive programming is useful.

link
msbarnett 3741 days ago
Yeah, but that's not the argument. I'm specifically responding to the parent's assertion that you wouldn't want to run audit because the list might just lie to you.

That's separate from the idea that the list might be maliciously crafted to exploit an overflow and gain root privileges (which presumably could bypass signing checks) -- if your threat model involves loss of control of FreeBSD's signing keys, pkg running as root is irrelevant. You can't ever trust anything outside the box, or update at all. No binary is trustable and even if you heavily audit the source you're in trusting-trust territory.

(also the only key that matters is the Security Officer's key for vuln disclosures -- not any random maintainer has signing authority)

link
geofft 3741 days ago
No operating system, anywhere, has or can have protections against an official maintainer of their security update system screwing up and releasing a bad security update that has gone through all review and other checks.

The only possible defense is to turn off security updates entirely, and empirically, that is much higher risk. I can think of cases where signed and approved security updates have introduced regressions to valid use cases (e.g., LP #1058343 bit me badly at my previous job), not fixed a problem (e.g., the day after Shellshock came out), etc.... But I cannot think of a single case where a signed and approved security update, by an OS making even minimal attempts to have a decent process around updates (so, anyone better than Linux Mint), has been actively harmful.

Given that an operating system security update, by definition, is capable of changing the most privileged code on your system, there's no way to program it defensively. It needs to have the ability to make arbitrary changes your system (and thus the theoretical ability to trash your system) in order to be able to fix unforeseen bugs.

link
chongli 3742 days ago
Yeah, it seems pretty obvious to me that there's no reason pkg should be running as root just to fetch the list of vulnerable ports.
link