On 2014/10/21 13:32, Amit Kulkarni wrote:
> On Tue, Oct 21, 2014 at 12:18 PM, patrick keshishian <pkesh...@gmail.com>
> wrote:
>
> > On 10/21/14, Stuart Henderson <st...@openbsd.org> wrote:
> > > On 2014/10/21 10:58, Amit Kulkarni wrote:
> > >> On Tue, Oct 21, 2014 at 10:28 AM, Stuart Henderson <st...@openbsd.org>
> > >> > I'm fetching distfiles as my normal uid, then doing builds as pbuild.
> > >> > pf.conf:
> > >> >
> > >> > "block quick log proto {tcp udp} user pbuild"
> > >> >
> > >> >
> > >> This can be disabled by user and bypassed,
> > >
> > > If you're aware of a way in which an unprivileged user can change PF
> > > rules, it's probably best if you let me (or security@) know in private
> > > mail.
> >
> > I read that comment as: the system admin, may not
> > (forgets to?) enable such a rule. Also, the pf rule route
> > seems a bit "clunky" and disjointed from the ports process.
> >
>
>
> Somebody might disable the default PF rules and overwrite with their own,
> and forget about it. If it isn't caught by anybody else port might get
> committed. In that case, it will be caught in a bulk build by someone.
> Generally, people don't touch systrace enable/disable, but they usually
> fiddle with PF rules. But yes, this is immaterial. Patrick got the drift of
> this, sorry for not explaining clearly in the initial email.
Exact opposite on most machines I use for ports work I hardly ever
touch PF rules there, but before we had build-as-nonroot I was often
doing 'make USE_SYSTRACE=Yes' when working on a new port or testing
a submission.
systrace is not without problems, it can make some syscalls fail which
people don't expect or check for, so can have an impact on how the build
works (another issue is that it's very noticably slower).
> > >> you can't bypass systrace during ports build. Also, it would be
> > >> possible to place files in FAKE /etc i.e in places other than
> > /usr/local?
> > >
> > > I'm confused. It's ok if the port build puts things in directories
> > > writable by the user doing port builds, because that user only has
> > > filesystem permissions to write to a limited number of places
> > > (mostly the build dir).
> >
> > Consider a wip port, which may write files in $HOME, or
> > worse yet, delete files or directories from $HOME.
> >
> > I always felt more at ease, knowing systrace would "slap"
> > the hand that attempted that, whether maliciously or
> > erroneously.
Yes that is a problem if you do builds as your normal userid.
> > --patrick
> >
>
> +1
>
> I am asking if user can create /etc/sysctl.conf in a port, that port
> overwrites the real /etc/sysctl.conf because a port has superuser
> privileges during install. If systrace is not there to catch it, would it
> get installed?
It does not, not any more - this whole mail thread probably makes
little sense if you missed that change.
http://undeadly.org/cgi?action=article&sid=20141003132339
> Or as Patrick says in another email: what about add/delete
> in $HOME? Systrace protects us here. Is there any way to solve this problem
> and the arbitrary net download problem during port building?
Using a separate UID for builds protects against this too.
