  1. Packages for several BSD and Linux operating systems / distributions are downloaded over a potentially insecure connection or are later on replaced with a malicious version on the local disk.
  2. The whole mirror is malicious and serves you tampered files and signatures/metapackages. Is there some OS independent way to check if the file has been changed?

I think for the major Linux distros based on Fedora, Debian, Suse the package manager should take care of 1, considering it works correctly and itself has not been tampered with. I'm not sure about the BSDs though. But what if I want to verify not through the package manager? I can only think of something like: get the meta packages from a trusted source, compare them to the local ones, use the checksums in the meta packages to verify the integrity of the local packages. Any easier way, or any ideas if this way would be insecure, maybe any ready-made tools which do this? There is debsums, but it works only for debs and I don't know if it verifies the whole package or just the files within.

  • Out of interest is this a practical problem you've encountered or a theoretical issue that should be addressed? – Chris Davies Mar 13 '19 at 12:20
  • A related question is https://unix.stackexchange.com/q/332362/5132 . – JdeBP Mar 13 '19 at 12:38
  • @roaima It's a practical problem and I definitely need to address it somehow. Sounds odd maybe, but I expect the local mirror to be compromised at some point in time and I try to reduce the impact. Something similar for cloned git repos would also be nice. If there is no other way than the one I already lined out then I'll need to write some sort of script. If I trust the package manager itself enough then I could just verify the metapackages through some other channel and then let the package manager do its job. But since there have been security issues with package managers themselves ... – user6756 Mar 13 '19 at 13:46
  • One problem with verification of the metapackages is that the mirrors need to be synchronized. Otherwise verification will fail. So it depends on when the mirrors pull packages from the master. I'm not sure if there is some way (beyond sha checksums) to check if the file is the correct one. Like some trusted master key which I can use to check the package from another system. – user6756 Mar 13 '19 at 13:51
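The approach the question sketches (fetch the checksum index through a trusted channel, then compare the local files against it) can be scripted in a few lines of POSIX sh. The script below is an added example, not code from the question or from any distribution's tooling: it assumes the trusted index is in `sha256sum(1)` output format (`<sha256>  <filename>` per line), which is a simplification of the real Packages/repomd/meta.txz formats, and it builds a constructed fixture with one intact and one tampered file to show what a failure looks like. It also reports files that exist locally but are absent from the index, which is exactly the mirror-synchronization problem raised in the comment above.

```shell
#!/bin/sh
# Added example (not from the original post): verify local package files
# against a checksum index obtained through a trusted channel.
# Assumed index format: "<sha256>  <filename>" per line, as written by
# sha256sum(1); real repository metadata is richer but carries the same data.

# Portable SHA-256 of one file: GNU coreutils sha256sum or BSD sha256(1).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# verify_against_index INDEX DIR
# Returns 0 only if every file listed in INDEX exists under DIR with the
# listed digest. Files present in DIR but absent from INDEX are reported as
# UNTRACKED (e.g. a mirror that is newer than the trusted index) but do not
# by themselves fail the check: they must simply not be installed.
verify_against_index() {
    index=$1; dir=$2; failures=0
    while read -r want name; do
        [ -z "$name" ] && continue                 # skip blank/short lines
        path="$dir/$name"
        if [ ! -f "$path" ]; then
            echo "MISSING  $name"; failures=$((failures + 1)); continue
        fi
        have=$(file_sha256 "$path")
        if [ "$have" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; failures=$((failures + 1))
        fi
    done < "$index"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        grep -q " $(basename "$f")\$" "$index" || echo "UNTRACKED $(basename "$f")"
    done
    [ "$failures" -eq 0 ]
}

# Constructed demo fixture: two packages, the index as fetched from the
# trusted source, then one package is tampered with on the local disk.
build_demo() {
    d=$(mktemp -d)
    mkdir "$d/trusted" "$d/mirror"
    printf 'good package payload\n'   > "$d/mirror/foo-1.0.pkg"
    printf 'second package payload\n' > "$d/mirror/bar-2.1.pkg"
    ( cd "$d/mirror" && for f in *.pkg; do
          echo "$(file_sha256 "$f")  $f"
      done ) > "$d/trusted/index.sha256"
    printf 'evil payload\n' > "$d/mirror/bar-2.1.pkg"   # simulated tampering
    echo "$d"
}

# Stand-alone run: reports OK for foo, MISMATCH for bar, and exits non-zero.
demo_dir=$(build_demo)
verify_against_index "$demo_dir/trusted/index.sha256" "$demo_dir/mirror" \
    || echo "verification FAILED: do not install from $demo_dir/mirror"
```

The check is only as strong as the channel the index came from; if the index and the packages are fetched from the same mirror, a compromised mirror simply rewrites both, which is why the answer below moves to signed repositories.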

1 Answer


In BSD there are simple solutions for how to avoid the attacks (1, 2) you described.

  • Basic. Use PKG

    The latest supported FreeBSD releases with security updates already include /etc/pkg/FreeBSD.conf and the known public keys.

  • Advanced (should be preferred in production). Use the Ports Collection, build your own mirror with Poudriere and configure PKG_REPO_SIGNING_KEY.

    Path to the RSA key to sign the PKG repo with. See pkg-repo(8).

        PKG_REPO_SIGNING_KEY=/etc/ssl/keys/repo.key

A complete overview of BSD packages/ports security is out of scope here. The short message is that the ports system is separated from the base system and each BSD administrator should be able to maintain her own build system and mirrors. For details, review Absolute FreeBSD, and the following chapters in particular.

  • Chapter 16: Customizing Software with Ports
  • Chapter 17: Advanced Software Management
  • Chapter 18: Upgrading FreeBSD
  • Chapter 19: Advanced Security Features
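The answer's two options share one principle: the checksum index is signed on the build host with a private key (the PKG_REPO_SIGNING_KEY above), and clients carry only the public key, so a compromised mirror can replace packages and rewrite the index but cannot produce a valid signature for it. This also answers the "trusted master key" the asker wished for in the comments. The script below is an added example that reduces that principle to openssl(1); it is not pkg(8)'s own code or key format (pkg uses its own repo.conf signature scheme), and the key pair, index contents and mirror directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the answer or from pkg(8)): signed repository
# metadata reduced to openssl(1). Assumptions: an RSA key pair generated
# here stands in for the repository signing key, the "index" file stands in
# for the repository's checksum metadata, and the digest in it is constructed.

# Repository side (build host): sign the index with the private key, which
# never leaves the build host and is never copied to the mirror.
repo_sign_index() {        # repo_sign_index PRIVKEY INDEX  -> writes INDEX.sig
    openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2"
}

# Client side: accept the index only if its signature verifies with the
# trusted public key shipped out-of-band. Returns 0 on success, 1 otherwise.
client_verify_index() {    # client_verify_index PUBKEY INDEX
    openssl dgst -sha256 -verify "$1" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# Constructed demo: key pair, a signed index, then a mirror that rewrites
# the index to match a tampered package but can only replay the old signature.
build_signed_demo() {
    d=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/repo.key" 2>/dev/null
    openssl pkey -in "$d/repo.key" -pubout -out "$d/repo.pub" 2>/dev/null
    # Constructed index line: SHA-256 of an empty file for "foo-1.0.pkg".
    printf 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  foo-1.0.pkg\n' \
        > "$d/index"
    repo_sign_index "$d/repo.key" "$d/index"
    mkdir "$d/mirror"
    # Attacker-controlled mirror: altered digest, replayed (now stale) signature.
    printf '0000000000000000000000000000000000000000000000000000000000000000  foo-1.0.pkg\n' \
        > "$d/mirror/index"
    cp "$d/index.sig" "$d/mirror/index.sig"
    echo "$d"
}

# Stand-alone run: the genuine index verifies, the mirror's rewrite does not.
demo=$(build_signed_demo)
client_verify_index "$demo/repo.pub" "$demo/index" \
    && echo "trusted index: signature OK"
client_verify_index "$demo/repo.pub" "$demo/mirror/index" \
    || echo "mirror index: BAD signature, refusing to use its checksums"
```

The client-side check must run before any checksum from the index is consulted, and the public key must arrive by a route the mirror does not control (on FreeBSD it is part of the base system, which is why the answer points at /etc/pkg/FreeBSD.conf); a public key downloaded from the same mirror as the packages gives no protection against scenario 2.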