subject:"Extracting base.txz files missing flags"

Re: Extracting base.txz files missing flags

2021-11-12 Thread grarpamp

> Maybe you missed something - you cannot change flags when your system
> has security level (kern.securelevel) raised above 0.

Nobody missed that since anyone can
easily install default freebsd and observe...

$ sysctl kern.securelevel
kern.securelevel: -1

SECURITY(7)  - introduction to security under FreeBSD
The security levels are:
 -1Permanently insecure mode - always run the system in insecure mode.
   This is the default initial value.

Thus they have no effect as shipped.

Nor do the schg'd files posted interact jointly with
securelevels to produce more security together.
They're just a list of arbitrarily chosen anti-footshooters,
and anti-malware and other security theatre, that don't
really need to be managed by freebsd as such.
Though the handbook security section could point to some
port/pkg/mtree's if some users wanted to try making some
offerings there.

It would also be foolish to presume or suggest, without at
least continuous formal verification etc, that any of today's OS
cannot be compromised, regardless of whatever options are enabled.
Even then, you have the problem of all the secret blackbox hardware
aka CPU / NIC they all run on... #OpenFabs #OpenHW #OpenAudit .

Re: Extracting base.txz files missing flags

2021-11-12 Thread Miroslav Lachman


On 12/11/2021 22:33, grarpamp wrote:

Flags are not security since root will bypass everything.


Maybe you missed something - you cannot change flags when your system 
has security level (kern.securelevel) raised above 0. And this level 
cannot be lowered on running system, only at boot time. Also kernel 
modules cannot be loaded. See "man security" for more.



While some may beg for anti-footshooting, but
where might that cry end up... chflags -Rhx schg / .
Nor should freebsd fill that role when local admins
know best for and given their own individual environments.
If local tendency is to run around as root and
disrupt your filesystems so bad that even these...

./libexec/ld-elf.so.1
./libexec/ld-elf32.so.1

... get routinely wrecked, then you have bigger local
problems to work on than freebsd can help you with :)


Kind regards
Miroslav Lachman

Re: Extracting base.txz files missing flags

2021-11-12 Thread Mark Johnston

On Fri, Nov 12, 2021 at 09:04:47PM +0100, Herbert J. Skuhra wrote:
> On Fri, 12 Nov 2021 20:22:38 +0100, "Herbert J. Skuhra" wrote:
> > 
> > Hi!
> > 
> > # uname -rms
> > FreeBSD 12.2-RELEASE-p10 amd64
> > 
> > # cd tmp
> > # fetch 
> > https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
> > # tar -xzvf base.txz
> > # find . -flags schg
> > ./sbin/init
> > ./var/empty
> > ./usr/bin/opieinfo
> > ./usr/bin/passwd
> > ./usr/bin/su
> > ./usr/bin/chpass
> > ./usr/bin/opiepasswd
> > ./usr/bin/login
> > ./usr/bin/crontab
> > ./usr/lib/librt.so.1
> > ./libexec/ld-elf.so.1
> > ./libexec/ld-elf32.so.1
> > ./lib/libc.so.7
> > ./lib/libcrypt.so.5
> > ./lib/libthr.so.3
> > 
> > On 13.0-STABLE (stable/13-n247985-ef1134110e80): 
> > 
> > # cd tmp
> > # fetch 
> > https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
> > # tar -xzvf base.txz
> > # find . -flags schg
> > ./var/empty
> > 
> > On 14.0-CURRENT (main-n250458-c441592a0e15):
> > 
> > # cd tmp
> > # fetch 
> > https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
> > # tar -xzvf base.txz
> > # find . -flags schg
> > # find . -flags schg,uarch
> > ./var/empty
> > 
> > PBKAC or bug?
> 
> 12.3-RC1 (r371003): also affected
> 13.0-RELEASE (releng/13.0-n244733-ea31abc261f): OK

This seems to be a libarchive bug, somewhere in the extraction code.  I
can reproduce it trivially on UFS or ZFS and in a debugger I can see
that SF_IMMUTABLE is present during extraction.  There is some deferral
logic to ensure that setting SF_IMMUTABLE is one of the last steps
during extract, and the problem seems to be related to that mechanism.

Re: Extracting base.txz files missing flags

2021-11-12 Thread grarpamp

Flags are not security since root will bypass everything.
While some may beg for anti-footshooting, but
where might that cry end up... chflags -Rhx schg / .
Nor should freebsd fill that role when local admins
know best for and given their own individual environments.
If local tendency is to run around as root and
disrupt your filesystems so bad that even these...
> ./libexec/ld-elf.so.1
> ./libexec/ld-elf32.so.1
... get routinely wrecked, then you have bigger local
problems to work on than freebsd can help you with :)

nb: /var/empty is an ssh make install-time thing,
that mtree might have picked up, but sshd itself
doesn't check or require schg [theatre] there.

tar should probably get an extended verbose mode format
that lists all metadata that is extractable to disk, such as flags.

Re: Extracting base.txz files missing flags

2021-11-12 Thread Herbert J. Skuhra

On Fri, 12 Nov 2021 20:22:38 +0100, "Herbert J. Skuhra" wrote:
> 
> Hi!
> 
> # uname -rms
> FreeBSD 12.2-RELEASE-p10 amd64
> 
> # cd tmp
> # fetch https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
> # tar -xzvf base.txz
> # find . -flags schg
> ./sbin/init
> ./var/empty
> ./usr/bin/opieinfo
> ./usr/bin/passwd
> ./usr/bin/su
> ./usr/bin/chpass
> ./usr/bin/opiepasswd
> ./usr/bin/login
> ./usr/bin/crontab
> ./usr/lib/librt.so.1
> ./libexec/ld-elf.so.1
> ./libexec/ld-elf32.so.1
> ./lib/libc.so.7
> ./lib/libcrypt.so.5
> ./lib/libthr.so.3
> 
> On 13.0-STABLE (stable/13-n247985-ef1134110e80): 
> 
> # cd tmp
> # fetch https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
> # tar -xzvf base.txz
> # find . -flags schg
> ./var/empty
> 
> On 14.0-CURRENT (main-n250458-c441592a0e15):
> 
> # cd tmp
> # fetch https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
> # tar -xzvf base.txz
> # find . -flags schg
> # find . -flags schg,uarch
> ./var/empty
> 
> PBKAC or bug?

12.3-RC1 (r371003): also affected
13.0-RELEASE (releng/13.0-n244733-ea31abc261f): OK

--
Herbert

Extracting base.txz files missing flags

2021-11-12 Thread Herbert J. Skuhra

Hi!

# uname -rms
FreeBSD 12.2-RELEASE-p10 amd64

# cd tmp
# fetch https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
# tar -xzvf base.txz
# find . -flags schg
./sbin/init
./var/empty
./usr/bin/opieinfo
./usr/bin/passwd
./usr/bin/su
./usr/bin/chpass
./usr/bin/opiepasswd
./usr/bin/login
./usr/bin/crontab
./usr/lib/librt.so.1
./libexec/ld-elf.so.1
./libexec/ld-elf32.so.1
./lib/libc.so.7
./lib/libcrypt.so.5
./lib/libthr.so.3

On 13.0-STABLE (stable/13-n247985-ef1134110e80): 

# cd tmp
# fetch https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
# tar -xzvf base.txz
# find . -flags schg
./var/empty

On 14.0-CURRENT (main-n250458-c441592a0e15):

# cd tmp
# fetch https://download.freebsd.org/ftp/releases/amd64/13.0-RELEASE/base.txz
# tar -xzvf base.txz
# find . -flags schg
# find . -flags schg,uarch
./var/empty

PBKAC or bug? 

--
Herbert

Re: Extracting base.txz files missing flags

Re: Extracting base.txz files missing flags

Re: Extracting base.txz files missing flags

Re: Extracting base.txz files missing flags

Re: Extracting base.txz files missing flags

Extracting base.txz files missing flags

6 matches

Site Navigation

Mail list logo

Footer information