From the looks of this, I think it's likely better to have the default
be "secure" and ezjail-admin use the "--insecure" flag as an explicit
override. That's the only place I've noticed the need for it although
I've not done an extensive search for any other instances in which it
might be required.
imb
On 5/14/2016 3:46 PM, Tim Kientzle wrote:
A little history about this issue:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2304
On May 14, 2016, at 12:17 PM, Tim Kientzle <t...@kientzle.com> wrote:
Many people consider the traditional behavior to be a security risk, which is
why this was changed.
FreeBSD is welcome to make --insecure the default on FreeBSD, but I'm reluctant
to do that in the upstream libarchive project.
Tim
On May 12, 2016, at 8:54 AM, Martin Matuska <m...@freebsd.org> wrote:
Looks like we have to remove line #174 from cpio/cpio.c:
cpio->extract_flags |= ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS;
This breaks traditional cpio behavior.
Quoting Martin Matuska <m...@freebsd.org>:
Hi Michael, I have looked at the source and this is an intended change in 3.2.0.
An absolute path security check was added; cpio refuses to extract or copy over absolute
paths. To do this anyway, the "--insecure" flag must be used.
Here is the commit:
https://github.com/libarchive/libarchive/commit/59357157706d47c365b2227739e17daba3607526
Quoting Michael Butler <i...@protected-networks.net>:
It seems that today's libarchive update breaks cpio's behaviour:
sudo ezjail-admin update -i -s /usr/src
[ .. ]
cd /usr/src/etc/..; install -o root -g wheel -m 444 COPYRIGHT
/usr/local/jails/fulljail/
install -o root -g wheel -m 444
/usr/src/etc/../sys/i386/conf/GENERIC.hints
/usr/local/jails/fulljail/boot/device.hints
/usr/local/jails/basejail/bincpio: bin: Path is absolute: Unknown error: -1
/usr/local/jails/basejail/bin/catcpio: bin/cat: Path is absolute:
Unknown error: -1
/usr/local/jails/basejail/bin/chflagscpio: bin/chflags: Path is
absolute: Unknown error: -1
/usr/local/jails/basejail/bin/chiocpio: bin/chio: Path is absolute:
Unknown error: -1
/usr/local/jails/basejail/bin/chmodcpio: bin/chmod: Path is absolute:
Unknown error: -1
/usr/local/jails/basejail/bin/cpcpio: bin/cp: Path is absolute: Unknown
error: -1
/usr/local/jails/basejail/bin/datecpio: bin/date: Path is absolute:
Unknown error: -1
/usr/local/jails/basejail/bin/ddcpio: bin/dd: Path is absolute: Unknown
error: -1
/usr/local/jails/basejail/bin/dfcpio: bin/df: Path is absolute: Unknown
error: -1
/usr/local/jails/basejail/bin/domainnamecpio: bin/domainname: Path is
absolute: Unknown error: -1
[ .. etc. .. ]
Martin Matuska
FreeBSD committer
http://blog.vx.sk
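The secure-by-default policy with an explicit override that this thread discusses, as an added sketch that is not part of the original messages and is not libarchive's code. The flag names, functions and sample paths are constructed for illustration, and the sketch also covers `..` components, which the thread does not mention.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical flag names for this sketch; they are not libarchive's constants. */
#define CHECK_NOABSOLUTE 0x1   /* refuse names that start with '/' */
#define CHECK_NODOTDOT   0x2   /* refuse names with a ".." component */

enum verdict { PATH_OK = 0, PATH_ABSOLUTE, PATH_DOTDOT };

/* Classify one archive entry name under the given policy flags. */
enum verdict check_entry_path(const char *name, int flags)
{
    if ((flags & CHECK_NOABSOLUTE) && name[0] == '/')
        return PATH_ABSOLUTE;
    if (flags & CHECK_NODOTDOT) {
        const char *p = name;
        while (*p != '\0') {
            size_t len = strcspn(p, "/");      /* length of this component */
            if (len == 2 && p[0] == '.' && p[1] == '.')
                return PATH_DOTDOT;
            p += len;
            while (*p == '/') p++;             /* skip a run of separators */
        }
    }
    return PATH_OK;
}

/* Secure by default; insecure != 0 models an explicit --insecure override. */
int policy_flags(int insecure) { return insecure ? 0 : (CHECK_NOABSOLUTE | CHECK_NODOTDOT); }

/* Count how many names in a list would be refused under the given flags. */
int count_refused(const char *const *names, size_t n, int flags)
{
    int refused = 0;
    for (size_t i = 0; i < n; i++)
        if (check_entry_path(names[i], flags) != PATH_OK)
            refused++;
    return refused;
}

int main(void)
{
    /* Constructed sample names, not taken from a real archive. */
    const char *const names[] = { "bin/cat", "/usr/local/jails/basejail/bin/cat",
                                  "../etc/passwd", "bin/..hidden", "a//../b" };
    size_t n = sizeof names / sizeof names[0];
    printf("default:    %d refused\n", count_refused(names, n, policy_flags(0)));
    printf("--insecure: %d refused\n", count_refused(names, n, policy_flags(1)));
    return 0;
}
```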