Bug 221281

Summary: sysutils/ezjail should verify downloaded tarballs before use
Product: Ports & Packages
Reporter: Rene Wagner <rw>
Component: Individual Port(s)
Assignee: freebsd-ports-bugs (Nobody) <ports-bugs>
Status: Closed Feedback Timeout
Severity: Affects Many People
CC: erdgeist, joneum, ports-secteam, secteam
Priority: ---
Keywords: feature, security
Version: Latest
Flags: bugzilla: maintainer-feedback? (erdgeist)
Hardware: Any
OS: Any

Description Rene Wagner 2017-08-06 14:07:24 UTC
Dear maintainer,

by default, "ezjail-admin install" will download and install release tarballs fetched via FTP without verifying their integrity. If an FTP mirror is compromised or a man-in-the-middle attack is conducted this will allow an attacker to execute arbitrary code within the jail.

I'm aware of the option to have ezjail-admin use files from a local directory instead and am using this myself. Still, I believe the default should not result in the above situation particularly since the handbook recommends ezjail to novice users.

That said, I'm not sure how to implement this feature in FreeBSD. The .asc release announcements are signed and include checksums of all release artifacts. If the GPG public keys used for signing this .asc were installed on the host one could at least ensure that the downloaded files are as genuine as the host OS. If the user has verified the installation media used for the host OS a proper chain of trust would be established. This is how some Linux distributions (Debian) and OpenBSD have addressed this problem. Unfortunately, FreeBSD does not appear to ship the signing public keys as part of the released images.

At a minimum, ezjail should include a list of trusted checksums as part of the port/package. This does, however, put the burden of verifying this list and keeping it up to date on the maintainer.

Cheers,

Rene
Comment 1 erdgeist 2017-08-06 22:05:57 UTC
I'm currently working on just using "bsdinstall jail" to do the heavy lifting for me. Your issue should just go away, then.
Comment 2 Rene Wagner 2017-08-07 20:16:08 UTC
Thanks for the quick reply! I'm glad to hear you're actively working on ezjail again!

As for "bsdinstall jail", does it actually check any signatures?

If I read its source code correctly it appears that it first fetches the MANIFEST file, then the base.txz listed therein as well as any additional distribution files selected by the user, and finally computes the SHA256 checksums of the downloaded files which are then compared against the checksums from the MANIFEST.

The MANIFEST file is not signed. Thus, this will only prevent accidental corruption of files in transit. It doesn't provide any protection against malicious tampering, does it?
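The check described in the comment above, as an added shell example (not ezjail's or bsdinstall's own code): it reads the expected SHA256 from a MANIFEST and compares it with the downloaded file. It assumes the tab-separated MANIFEST line layout (name, sha256, file count, set, description, default) and builds a constructed sample pair in a temp dir; a mismatch only tells you the file differs from what the same unsigned MANIFEST says, so anyone who can replace the tarball on the mirror can replace the MANIFEST too.

```shell
#!/bin/sh
# Added example: verify a distribution file against the SHA256 in a MANIFEST.
# Assumed MANIFEST format: tab-separated name, sha256, nfiles, set, desc, default.

sha256_of() {
    # Portable digest: sha256sum (Linux), sha256 -q (FreeBSD), shasum (macOS).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

manifest_sha256() {
    # $1 = MANIFEST path, $2 = file name; prints the listed hash or nothing
    awk -v name="$2" -F'\t' '$1 == name {print $2; exit}' "$1"
}

verify_dist() {
    # $1 = MANIFEST path, $2 = downloaded file
    # returns 0 on match, 1 on mismatch, 2 if the file is not listed
    name=$(basename "$2")
    expected=$(manifest_sha256 "$1" "$name")
    [ -n "$expected" ] || { echo "$name: not listed in MANIFEST" >&2; return 2; }
    actual=$(sha256_of "$2")
    if [ "$actual" = "$expected" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: SHA256 MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

demo() {
    # Constructed sample: a fake base.txz and a MANIFEST that lists it.
    d=$(mktemp -d)
    printf 'constructed sample payload\n' > "$d/base.txz"
    h=$(sha256_of "$d/base.txz")
    printf 'base.txz\t%s\t1\tbase\t"Base system"\ton\n' "$h" > "$d/MANIFEST"
    verify_dist "$d/MANIFEST" "$d/base.txz" && ok=0 || ok=$?
    printf 'tampered\n' >> "$d/base.txz"      # simulate a modified download
    verify_dist "$d/MANIFEST" "$d/base.txz" && bad=0 || bad=$?
    rm -rf "$d"
    [ "$ok" -eq 0 ] && [ "$bad" -eq 1 ]
}
```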
Comment 3 Jochen Neumeister freebsd_committer freebsd_triage 2019-02-15 18:23:54 UTC
What is the current status?
Does ports-secteam have to be active here?