Hi Nathan,

On Thu, Jan 30, 2020 at 12:50:06AM +0000, Nathan Dorfman wrote:
> On Mon, Jan 27, 2020 at 04:42:01PM +0000, Glen Barber wrote:
> > No, this last part is not true. The installer always verifies the
> > checksums against /usr/freebsd-dist/MANIFEST on the installation medium.
> >
> > In particular, this was done in r293223, where the LOCAL_DISTRIBUTIONS
> > variable explicitly contains the MANIFEST.
>
> Thank you, Glen. You're correct of course; the installer uses its
> embedded MANIFEST and doesn't even fetch it from the mirror... during
> system installation, at least.
>
> However, the first time a jail is set up, using the `bsdinstall jail`
> command, it does in fact fetch and trust the mirror's MANIFEST. I just
> tested this with a freshly installed 12.1-RELEASE system and a local
> mirror with a modified base.txz and manifest. It installs the modified
> files into the new jail without any complaint.
>
> Simply, after a clean installation /usr/freebsd-dist doesn't exist on
> the new system, so the jail script creates it and downloads the MANIFEST
> from the mirror. See lines 60-70, here:
>
> https://svnweb.freebsd.org/base/release/12.1.0/usr.sbin/bsdinstall/scripts/jail?view=markup#l60
>
> After the first jail, this downloaded manifest and package(s) are saved
> in /usr/freebsd-dist. So you are only at risk the first time, and there
> will be some evidence of the tampering. Still, I hope you'll agree that
> this should be fixed. The installer already has a trusted manifest as
> you point out, why not simply install that one into the target system's
> /usr/freebsd-dist at setup time?
>
I honestly wasn't aware there was a jail subcommand to bsdinstall. I think, rather than creating /usr/freebsd-dist on the host system, we should instead check if the misc/freebsd-release-manifests package is installed and bail if it does not. This package contains the MANIFEST files from past releases (and in-progress releases, including BETA and RC builds).

Does that seem like a reasonable solution?

Glen
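The point of the thread is that a distribution set fetched from a mirror must be checked against a MANIFEST the system already trusts (one from the installation medium or from the misc/freebsd-release-manifests package), never against a MANIFEST fetched from the same mirror. The script below is an added illustration of that check and is not bsdinstall's own code; it assumes the tab-separated MANIFEST layout (file name, sha256, file count, dist name, description, default flag) and constructs its own tiny fixtures so it runs offline. The placeholder base.txz and the hostile "tampered" copy are constructed, not real release files.

```shell
#!/bin/sh
# Added example (not bsdinstall's own code): verify a distribution set against a
# locally trusted MANIFEST rather than one downloaded from the mirror.
# Assumed MANIFEST layout (tab-separated):
#   file  sha256  nfiles  dist  description  default

# Portable sha256 helper: sha256sum on Linux, sha256(1) on FreeBSD.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"
    fi
}

# verify_dist MANIFEST NAME FILE
# Returns 0 only if FILE's sha256 matches the MANIFEST entry for NAME.
# A missing entry is treated as a failure, not as "nothing to check".
verify_dist() {
    manifest=$1; name=$2; file=$3
    expected=$(awk -F'\t' -v n="$name" '$1 == n { print $2; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "no MANIFEST entry for $name" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# --- constructed fixtures so the example runs offline ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'hello\n' > "$WORK/base.txz"              # stand-in for a genuine base.txz
printf 'tampered\n' > "$WORK/base-tampered.txz"  # what a hostile mirror might serve
# Trusted MANIFEST as the installation medium would carry it; the digest is sha256("hello\n").
printf 'base.txz\t5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03\t1\tbase\t"Base system (MANDATORY)"\ton\n' \
    > "$WORK/MANIFEST"

# Demonstration: the genuine file passes, the tampered copy is rejected.
if verify_dist "$WORK/MANIFEST" base.txz "$WORK/base.txz"; then
    echo "base.txz: OK"
fi
if verify_dist "$WORK/MANIFEST" base.txz "$WORK/base-tampered.txz"; then
    echo "base-tampered.txz: unexpectedly accepted"
else
    echo "base-tampered.txz: REJECTED"
fi
```

The important design choice is where `$WORK/MANIFEST` comes from: in the jail case described above it must be copied from a trusted source before any fetch happens, because a manifest downloaded alongside base.txz from the same mirror can be rewritten to match whatever that mirror serves.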