# Package/Ports MITM, and Trust



## kosci (Oct 19, 2011)

I'm new to FreeBSD and want to use it in a professional capacity in a few different roles but I can't seem to wrap my mind around a few questions of trust.

Does FreeBSD have any protection against man-in-the-middle attacks or hacked mirrors for packages or ports? Should I only install off of the CDs if I don't trust the network between my servers and freebsd.org? Are there hashes for the other CDs that come from bsdmall besides disk one?

Also, should I really _trust_ the ports tree unless I examine and understand the source for everything I install? Obviously that is the best solution, and a unique advantage for open source software, but I think it might take me a year or two to develop the skills required. I assume there has to be at least community oversight for community contributed software, but what are the concrete details? If I _don't_ trust community ports of third party software, but must run them for functionality, what should I do? Run everything in its own jail? Should I be doing that anyway? Is learning how to port them myself the only answer? What solutions for the question of trust exist outside of the technological? Why is trusted computing such a joke? How can I stop the nightmares of servers rising up and killing all humans??

Honestly, any resources or discussions on the subject of trust, and how to deal with it as a sysadmin without going insane, would be greatly appreciated. I know it is impossible to be *absolutely* sure, but I don't know where the line between trusted and untrusted should be or how to determine where I am in relation to it.


----------



## DutchDaemon (Oct 19, 2011)

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security.html
http://forums.freebsd.org/showthread.php?t=4108
ports(7)
security(7)


----------



## kosci (Oct 19, 2011)

I've read all of those and none of them talk about when and how much to trust the code you compile and run when you use FreeBSD, except the ports man page which answers my question on MITM attacks on port installations. Which says something about checksums? How are they used? Is there any protection from MITM on the checksums themselves when you update your ports tree?

I'm obviously concerned about authentication, attack surface reduction, intrusion detection, damage control and all the other things a sysadmin should be concerned about, and those pages talk about those subjects. But I was asking about how and when to trust the code you encounter when running a FreeBSD box, and what to do if you don't.


----------



## SirDice (Oct 19, 2011)

At one point you have to trust _something_.

Classic literature: Reflections on trusting trust


----------



## kosci (Oct 19, 2011)

SirDice said:

> At one point you have to trust _something_.
> 
> Classic literature: Reflections on trusting trust



But I don't have to like it


----------



## DutchDaemon (Oct 19, 2011)

You will find a distinfo file in every port's directory. This will contain the SHA256 checksum and the file size of the port's distfile (the tarball that contains the source code). These are stored on the ports repository servers, whereas the tarballs themselves are downloaded from whoever hosts the sources.

Moreover, the ports tree itself has checksums for each and every of its port directories. See /var/db/portsnap/files. They are all individually checksummed before they are extracted to /usr/ports/. The portsnap(8) utility itself uses a key, and it talks to specific servers.
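What the distinfo check described above amounts to, as an added example that is not FreeBSD's own code and not part of this thread: a small Python verifier that parses distinfo's `SHA256` and `SIZE` lines and checks a downloaded distfile against them, which is the same comparison the ports framework's `make checksum` step performs. The distfile name, its bytes and the distinfo text below are constructed inline so the example runs offline; a real distinfo file is written by a maintainer running `make makesum` in the port's directory.

```python
"""Verify a ports distfile against its distinfo entries.

Added example, not FreeBSD's own code. The distfile name, the tarball
bytes and the distinfo text are all constructed here so it runs offline.
"""
import hashlib
import re

# A distinfo file carries one line per distfile and per check, e.g.
#   SHA256 (foo-1.0.tar.gz) = <64 hex digits>
#   SIZE (foo-1.0.tar.gz) = <byte count>
DISTINFO_LINE = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")


def make_distinfo(name, data):
    """Produce the SHA256 and SIZE lines a maintainer records for a distfile."""
    digest = hashlib.sha256(data).hexdigest()
    return "SHA256 (%s) = %s\nSIZE (%s) = %d\n" % (name, digest, name, len(data))


def parse_distinfo(text):
    """Return {distfile_name: {"SHA256": hex, "SIZE": int}} from distinfo text.

    Lines that are not SHA256/SIZE entries (blank lines, comments, the newer
    TIMESTAMP line) carry nothing the verification needs and are skipped.
    """
    entries = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if not m:
            continue
        kind, name, value = m.group(1), m.group("name"), m.group("value")
        entry = entries.setdefault(name, {})
        entry[kind] = int(value) if kind == "SIZE" else value.lower()
    return entries


def verify_distfile(name, data, entries):
    """Check the downloaded bytes of distfile `name` against distinfo entries.

    Returns a list of problems; an empty list means the file is accepted.
    Size is checked first (cheap, and what a truncated download fails), then
    the SHA256 digest, which is what a substituted tarball fails.
    """
    entry = entries.get(name)
    if entry is None:
        return ["no distinfo entry for %s: refusing an unpinned distfile" % name]
    problems = []
    if "SIZE" in entry and len(data) != entry["SIZE"]:
        problems.append("size mismatch: distinfo %d, got %d" % (entry["SIZE"], len(data)))
    if "SHA256" not in entry:
        problems.append("no SHA256 entry: size alone does not authenticate the file")
    else:
        digest = hashlib.sha256(data).hexdigest()
        if digest != entry["SHA256"]:
            problems.append("sha256 mismatch: distinfo %s..., got %s..."
                            % (entry["SHA256"][:12], digest[:12]))
    return problems


# Constructed sample data: a stand-in for a tarball, the distinfo a maintainer
# would have generated for it, and a same-size copy with one byte flipped,
# which is what a tarball swapped on a mirror or in transit looks like.
DISTFILE = "foo-1.0.tar.gz"
GOOD_TARBALL = b"constructed stand-in for the foo-1.0.tar.gz bytes\n" * 3
TAMPERED_TARBALL = GOOD_TARBALL[:10] + bytes([GOOD_TARBALL[10] ^ 0x01]) + GOOD_TARBALL[11:]
DISTINFO_TEXT = make_distinfo(DISTFILE, GOOD_TARBALL)
ENTRIES = parse_distinfo(DISTINFO_TEXT)

if __name__ == "__main__":
    print(DISTINFO_TEXT)
    for label, blob in (("original", GOOD_TARBALL),
                        ("tampered", TAMPERED_TARBALL),
                        ("truncated", GOOD_TARBALL[:-1])):
        print(label, verify_distfile(DISTFILE, blob, ENTRIES) or "OK")
```

The check binds the tarball you fetched to whatever the maintainer recorded in distinfo, so it catches a distfile replaced on a mirror or altered in transit, and a truncated download; it cannot say anything about a source tree that was already altered before distinfo was generated, since the recorded hash would then match the altered file.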


----------



## SirDice (Oct 19, 2011)

It's no guarantee though. The ProFTP hack (forum thread 19849) made that pretty clear.


----------



## DutchDaemon (Oct 19, 2011)

If a port's source code is compromised _before_ the tarball is made, the tarball's sha256 hash is created, and the tarball's file size is calculated, you're SOL, of course. But that's a clear case of garbage in, garbage out.


----------



## kosci (Oct 19, 2011)

But I _don't_ have to worry about simple MITM attacks because the ports are checksummed, the checksums are checksummed, and eventually signed with a key. And I can probably assume that if a popular port had a backdoor it would get noticed eventually. And although everything on a computer is fundamentally untrustworthy I think this is good enough for me to sleep well at night, assuming I don't do anything literally life-or-death over networked computers.

Thank you


----------



## DutchDaemon (Oct 19, 2011)

Make sure you have ports-mgmt/portaudit installed and you should be informed soon enough.


----------



## rusty (Oct 19, 2011)

If all projects dealt with bugs the same way FreeBSD's Chief Security Officer does, there would be a lot more trust in the world - http://www.daemonology.net/blog/2011-01-18-tarsnap-critical-security-bug.html


----------



## kosci (Oct 20, 2011)

The packages that sysinstall grabs over ftp are signed too, right? And is "package" the right term for those? It seems to be used more often for precompiled ports.


----------



## SirDice (Oct 20, 2011)

kosci said:

> The packages that sysinstall grabs over ftp are signed too, right?


No, they're not.



> And is "package" the right term for those? It seems to be used more often for precompiled ports.



A package is a pre-compiled port. Nothing more, nothing less. You can even make your own packages, see ports(7).


----------

