On Mon, Jan 27, 2020 at 04:42:01PM +0000, Glen Barber wrote:
> No, this last part is not true. The installer always verifies the
> checksums against /usr/freebsd-dist/MANIFEST on the installation medium.
>
> In particular, this was done in r293223, where the LOCAL_DISTRIBUTIONS
> variable explicitly contains the MANIFEST.

Thank you, Glen. You're correct of course; the installer uses its embedded MANIFEST and doesn't even fetch it from the mirror... during system installation, at least.

However, the first time a jail is set up, using the `bsdinstall jail` command, it does in fact fetch and trust the mirror's MANIFEST. I just tested this with a freshly installed 12.1-RELEASE system and a local mirror with a modified base.txz and manifest. It installs the modified files into the new jail without any complaint.

Simply, after a clean installation /usr/freebsd-dist doesn't exist on the new system, so the jail script creates it and downloads the MANIFEST from the mirror. See lines 60-70, here:

https://svnweb.freebsd.org/base/release/12.1.0/usr.sbin/bsdinstall/scripts/jail?view=markup#l60

After the first jail, this downloaded manifest and package(s) are saved in /usr/freebsd-dist. So you are only at risk the first time, and there will be some evidence of the tampering. Still, I hope you'll agree that this should be fixed. The installer already has a trusted manifest as you point out; why not simply install that one into the target system's /usr/freebsd-dist at setup time?

-nd.
Hi Nathan,

On Thu, Jan 30, 2020 at 12:50:06AM +0000, Nathan Dorfman wrote:
> On Mon, Jan 27, 2020 at 04:42:01PM +0000, Glen Barber wrote:
> > No, this last part is not true. The installer always verifies the
> > checksums against /usr/freebsd-dist/MANIFEST on the installation medium.
> >
> > In particular, this was done in r293223, where the LOCAL_DISTRIBUTIONS
> > variable explicitly contains the MANIFEST.
>
> Thank you, Glen. You're correct of course; the installer uses its
> embedded MANIFEST and doesn't even fetch it from the mirror... during
> system installation, at least.
>
> However, the first time a jail is set up, using the `bsdinstall jail`
> command, it does in fact fetch and trust the mirror's MANIFEST. I just
> tested this with a freshly installed 12.1-RELEASE system and a local
> mirror with a modified base.txz and manifest. It installs the modified
> files into the new jail without any complaint.
>
> Simply, after a clean installation /usr/freebsd-dist doesn't exist on
> the new system, so the jail script creates it and downloads the MANIFEST
> from the mirror. See lines 60-70, here:
>
> https://svnweb.freebsd.org/base/release/12.1.0/usr.sbin/bsdinstall/scripts/jail?view=markup#l60
>
> After the first jail, this downloaded manifest and package(s) are saved
> in /usr/freebsd-dist. So you are only at risk the first time, and there
> will be some evidence of the tampering. Still, I hope you'll agree that
> this should be fixed. The installer already has a trusted manifest as
> you point out; why not simply install that one into the target system's
> /usr/freebsd-dist at setup time?
>

I honestly wasn't aware there was a jail subcommand to bsdinstall.

I think, rather than creating /usr/freebsd-dist on the host system, we should instead check if the misc/freebsd-release-manifests package is installed and bail if it is not. This package contains the MANIFEST files from past releases (and in-progress releases, including BETA and RC builds).
Does that seem like a reasonable solution?

Glen
On Thu, Jan 30, 2020 at 01:22:39PM +0000, Glen Barber wrote:
> I honestly wasn't aware there was a jail subcommand to bsdinstall.
>
> I think, rather than creating /usr/freebsd-dist on the host system, we
> should instead check if the misc/freebsd-release-manifests package is
> installed and bail if it is not. This package contains the MANIFEST
> files from past releases (and in-progress releases, including BETA and
> RC builds).
>
> Does that seem like a reasonable solution?

Well, that only works for actual releases. The one from the installation medium would work in all cases, such as if one installs a snapshot, or a custom build. It would have to be kept up to date by freebsd-update, though.

Also, you would need to add logic to select the correct manifest from the ones in the package, whereas one from the initial install (and freebsd-update) would be the only one. That could be as simple as stripping the -p123 suffixes from `uname -r`, but why?

FWIW, the /usr/freebsd-dist location can be overridden by setting $BSDINSTALL_DISTDIR, but the checksum script[1] will expect to find the manifest and sets in the same directory regardless. Perhaps this default could be changed to something under /usr/share?

-nd.

[1] https://svnweb.freebsd.org/base/release/12.1.0/usr.sbin/bsdinstall/scripts/checksum?view=markup#l29