Re: Extracting base.txz files missing flags
> Maybe you missed something - you cannot change flags when your system
> has security level (kern.securelevel) raised above 0.

Nobody missed that since anyone can easily install default freebsd and observe...

$ sysctl kern.securelevel
kern.securelevel: -1

SECURITY(7) - introduction to security under FreeBSD
  The security levels are:
  -1  Permanently insecure mode - always run the system in insecure mode.
      This is the default initial value.

Thus they have no effect as shipped. Nor do the schg'd files posted interact jointly with securelevels to produce more security together. They're just a list of arbitrarily chosen anti-footshooters, and anti-malware and other security theatre, that don't really need to be managed by freebsd as such. Though the handbook security section could point to some port/pkg/mtree's if some users wanted to try making some offerings there.

It would also be foolish to presume or suggest, without at least continuous formal verification etc, that any of today's OS cannot be compromised, regardless of whatever options are enabled. Even then, you have the problem of all the secret blackbox hardware aka CPU / NIC they all run on... #OpenFabs #OpenHW #OpenAudit .
Re: Extracting base.txz files missing flags
On 12/11/2021 22:33, grarpamp wrote:
> Flags are not security since root will bypass everything.

Maybe you missed something - you cannot change flags when your system has security level (kern.securelevel) raised above 0. And this level cannot be lowered on running system, only at boot time. Also kernel modules cannot be loaded. See "man security" for more.

> While some may beg for anti-footshooting, but where might that cry end up...
> chflags -Rhx schg / .
> Nor should freebsd fill that role when local admins know best for and given their own individual environments.
> If local tendency is to run around as root and disrupt your filesystems so bad that even these...
> ./libexec/ld-elf.so.1
> ./libexec/ld-elf32.so.1
> ... get routinely wrecked, then you have bigger local problems to work on than freebsd can help you with :)

Kind regards
Miroslav Lachman
Re: Extracting base.txz files missing flags
On Fri, Nov 12, 2021 at 09:04:47PM +0100, Herbert J. Skuhra wrote:
> On Fri, 12 Nov 2021 20:22:38 +0100, "Herbert J. Skuhra" wrote:
> >
> > Hi!
> >
> > # uname -rms
> > FreeBSD 12.2-RELEASE-p10 amd64
> >
> > # cd tmp
> > # fetch https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
> > # tar -xzvf base.txz
> > # find . -flags schg
> > ./sbin/init
> > ./var/empty
> > ./usr/bin/opieinfo
> > ./usr/bin/passwd
> > ./usr/bin/su
> > ./usr/bin/chpass
> > ./usr/bin/opiepasswd
> > ./usr/bin/login
> > ./usr/bin/crontab
> > ./usr/lib/librt.so.1
> > ./libexec/ld-elf.so.1
> > ./libexec/ld-elf32.so.1
> > ./lib/libc.so.7
> > ./lib/libcrypt.so.5
> > ./lib/libthr.so.3
> >
> > On 13.0-STABLE (stable/13-n247985-ef1134110e80):
> >
> > # cd tmp
> > # fetch https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
> > # tar -xzvf base.txz
> > # find . -flags schg
> > ./var/empty
> >
> > On 14.0-CURRENT (main-n250458-c441592a0e15):
> >
> > # cd tmp
> > # fetch https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
> > # tar -xzvf base.txz
> > # find . -flags schg
> > # find . -flags schg,uarch
> > ./var/empty
> >
> > PBKAC or bug?
>
> 12.3-RC1 (r371003): also affected
> 13.0-RELEASE (releng/13.0-n244733-ea31abc261f): OK

This seems to be a libarchive bug, somewhere in the extraction code. I can reproduce it trivially on UFS or ZFS and in a debugger I can see that SF_IMMUTABLE is present during extraction. There is some deferral logic to ensure that setting SF_IMMUTABLE is one of the last steps during extract, and the problem seems to be related to that mechanism.
Re: Extracting base.txz files missing flags
Flags are not security since root will bypass everything.

While some may beg for anti-footshooting, but where might that cry end up...

chflags -Rhx schg / .

Nor should freebsd fill that role when local admins know best for and given their own individual environments.

If local tendency is to run around as root and disrupt your filesystems so bad that even these...

> ./libexec/ld-elf.so.1
> ./libexec/ld-elf32.so.1

... get routinely wrecked, then you have bigger local problems to work on than freebsd can help you with :)

nb: /var/empty is an ssh make install-time thing, that mtree might have picked up, but sshd itself doesn't check or require schg [theatre] there.

tar should probably get an extended verbose mode format that lists all metadata that is extractable to disk, such as flags.
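The check the thread is missing (whether the flags recorded in base.txz actually landed on disk, independent of tar's verbose output) can be done from the archive itself. This is an added example, not code from the thread or from FreeBSD: it reads the file flags that bsdtar/libarchive records in each member's SCHILY.fflags pax header and compares them with st_flags after extraction. It assumes a pax-format archive as libarchive writes it, and that st_flags is available (BSD-derived systems only; elsewhere every flag is reported missing); the sample archive is constructed here as a stand-in for base.txz.

```python
import io
import os
import stat
import tarfile
import tempfile

# Flag names as libarchive writes them in SCHILY.fflags -> st_flags bits.
FLAG_BITS = {"schg": stat.SF_IMMUTABLE, "sappnd": stat.SF_APPEND,
             "sunlnk": stat.SF_NOUNLINK, "uchg": stat.UF_IMMUTABLE}

def expected_flags(archive):
    """Member path -> BSD file flags recorded in its pax header (bytes or path)."""
    src = io.BytesIO(archive) if isinstance(archive, bytes) else open(archive, "rb")
    want = {}
    with src, tarfile.open(fileobj=src, mode="r:*") as tf:
        for m in tf:
            flags = {f for f in m.pax_headers.get("SCHILY.fflags", "").split(",") if f}
            if flags:
                want[m.name] = flags
    return want

def missing_flags(want, root):
    """Path -> recorded flags the file under root lacks (st_flags is BSD-only)."""
    missing = {}
    for name, flags in want.items():
        have = getattr(os.lstat(os.path.join(root, name)), "st_flags", 0)
        lost = {f for f in flags if f in FLAG_BITS and not have & FLAG_BITS[f]}
        if lost:
            missing[name] = lost
    return missing

def build_sample_archive():
    """Constructed stand-in for base.txz: two schg'd members and one plain file."""
    buf = io.BytesIO()
    members = (("./sbin/init", "schg"), ("./lib/libc.so.7", "schg"), ("./bin/ls", None))
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        for name, fflags in members:
            ti = tarfile.TarInfo(name)
            ti.size = 4
            if fflags:
                ti.pax_headers = {"SCHILY.fflags": fflags}  # the key bsdtar emits
            tf.addfile(ti, io.BytesIO(b"ELF\n"))
    return buf.getvalue()

def run_demo():
    """Lay the members down with no flags at all (what the buggy extraction in the
    thread produced) and audit the tree against what the archive promised."""
    want = expected_flags(build_sample_archive())
    with tempfile.TemporaryDirectory() as root:
        for name in want:
            os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
            open(os.path.join(root, name), "wb").close()
        return missing_flags(want, root)
```

Run against a real tree as `missing_flags(expected_flags("base.txz"), "/path/to/extracted")`; an empty result means every recorded flag survived extraction.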
Re: Extracting base.txz files missing flags
On Fri, 12 Nov 2021 20:22:38 +0100, "Herbert J. Skuhra" wrote:
>
> Hi!
>
> # uname -rms
> FreeBSD 12.2-RELEASE-p10 amd64
>
> # cd tmp
> # fetch https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
> # tar -xzvf base.txz
> # find . -flags schg
> ./sbin/init
> ./var/empty
> ./usr/bin/opieinfo
> ./usr/bin/passwd
> ./usr/bin/su
> ./usr/bin/chpass
> ./usr/bin/opiepasswd
> ./usr/bin/login
> ./usr/bin/crontab
> ./usr/lib/librt.so.1
> ./libexec/ld-elf.so.1
> ./libexec/ld-elf32.so.1
> ./lib/libc.so.7
> ./lib/libcrypt.so.5
> ./lib/libthr.so.3
>
> On 13.0-STABLE (stable/13-n247985-ef1134110e80):
>
> # cd tmp
> # fetch https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
> # tar -xzvf base.txz
> # find . -flags schg
> ./var/empty
>
> On 14.0-CURRENT (main-n250458-c441592a0e15):
>
> # cd tmp
> # fetch https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
> # tar -xzvf base.txz
> # find . -flags schg
> # find . -flags schg,uarch
> ./var/empty
>
> PBKAC or bug?

12.3-RC1 (r371003): also affected
13.0-RELEASE (releng/13.0-n244733-ea31abc261f): OK

--
Herbert
Extracting base.txz files missing flags
Hi!

# uname -rms
FreeBSD 12.2-RELEASE-p10 amd64

# cd tmp
# fetch https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
# tar -xzvf base.txz
# find . -flags schg
./sbin/init
./var/empty
./usr/bin/opieinfo
./usr/bin/passwd
./usr/bin/su
./usr/bin/chpass
./usr/bin/opiepasswd
./usr/bin/login
./usr/bin/crontab
./usr/lib/librt.so.1
./libexec/ld-elf.so.1
./libexec/ld-elf32.so.1
./lib/libc.so.7
./lib/libcrypt.so.5
./lib/libthr.so.3

On 13.0-STABLE (stable/13-n247985-ef1134110e80):

# cd tmp
# fetch https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
# tar -xzvf base.txz
# find . -flags schg
./var/empty

On 14.0-CURRENT (main-n250458-c441592a0e15):

# cd tmp
# fetch https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
# tar -xzvf base.txz
# find . -flags schg
# find . -flags schg,uarch
./var/empty

PBKAC or bug?

--
Herbert