Hello to everyone, new user.
Today the idea of installing FreeBSD 9 on my server came to my mind, so I decided to try it in a VM.
I have noticed some problems: the ezjail script isn't working under FreeBSD 9; the structure of the mirror has changed, as you can see here:
ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/
and even the package format has changed: packages are no longer composed of a list of partial files with an install script; they are xz'ed tar archives of /.
I tried to correct the ezjail script, and as of now, I found this section interesting:
Code:
    # Try all paths as stolen from sysinstall, break on success.
    for ezjail_path in pub/FreeBSD/releases pub/FreeBSD/snapshot pub/FreeBSD releases snapshots NO; do
      if [ "${ezjail_path}" = "NO" ]; then
        echo -e "\nCould not fetch ${pkg} from ${ezjail_ftphost}.\n Maybe your release (${ezjail_release}) is specified incorrectly or the host ${ezjail_ftphost} does not provide that release build.\n Use the -r option to specify an existing release or the -h option to specify an alternative ftp server." >&2
        [ "${ezjail_ftpserverqueried}" ] || ezjail_queryftpserver
        exit 1
      fi
      ftp "${ezjail_ftphost}:${ezjail_path}/${ezjail_installarch}/${ezjail_release}/${pkg}/*" && break
    done
    # These actions are really ugly: sources want $1 to contain the set
    # of sources to install, base asks the user if he is sure, hence the
    # yes and the set -- all
    [ "${pkg}" = "base" ] && echo "Ignore the next question, ezjail answers it for you."
    set -- all
    [ -f install.sh ] && yes | . install.sh
    [ $? -eq 0 ] || exerr "Error: Package install script for ${pkg} failed."
    rm -rf "${ezjail_jailtemp}"
  else
    cd "${ezjail_reldir}/${ezjail_dir}/${pkg}" || exerr "Error: Could not cd to ${ezjail_dir}."
    set -- all
    [ -f install.sh ] && yes | . install.sh
    [ $? -eq 0 ] || exerr "Error: Package install script for ${pkg} failed."
  fi
done
I think it should be corrected as follows:
Code:
    ftp "${ezjail_ftphost}:${ezjail_path}/${ezjail_installarch}/${ezjail_installarch}/${ezjail_release}/*" && break
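and then there should be some code for extracting the archive, as simple as that.
Unfortunately I'm a student (still in high school) and I have a lot to study for tomorrow, so I can't do it now, and I'm very bad at scripting/coding. Can someone do it for me and, if the changes are working, send them to the ezjail creator/maintainer?
Here's the second problem I've encountered: binary packages aren't cryptographically signed. An attacker who can perform active attacks could simply create a mirror FTP archive of the FreeBSD one and force the client to install malicious packages. The simplest solution, other than signing every single package, would be signing the file containing the list and the hashes of the packages. But I bet it doesn't matter, since I'm paranoid and on FreeBSD binary packages are simply shit... [ very mature. -- Mod. ]
Have a good day, and thanks in advance for any response.
PS: sorry for my English, if I've made any mistakes.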
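
The mitigation suggested in the post, signing the one file that lists the package hashes, could be checked on the client as sketched here. This is an added example, not part of the original post and not ezjail code; the file names, the list format and the use of openssl(1) are assumptions.

```sh
#!/bin/sh
# Added example, not ezjail code. Assumptions: openssl(1) is installed, the
# list file holds "<sha256-hex>  <filename>" lines, and all file names below
# (SETS.sha256, pub.pem, base.txz) are made up for this sketch.

# verify_sets LIST SIG PUBKEY DIR: succeed only if LIST is signed by PUBKEY
# and every archive it names is present in DIR with the listed hash.
verify_sets() {
    list=$1 sig=$2 pubkey=$3 dir=$4
    # 1. Authenticate the list before trusting any hash inside it.
    openssl dgst -sha256 -verify "$pubkey" -signature "$sig" "$list" \
        >/dev/null 2>&1 || { echo "list signature invalid" >&2; return 1; }
    # 2. Check each archive against its signed hash.
    while read -r want name; do
        case $name in ''|*/*) echo "bad entry: $name" >&2; return 1 ;; esac
        [ -f "$dir/$name" ] || { echo "missing: $name" >&2; return 1; }
        got=$(openssl dgst -sha256 -r "$dir/$name" | cut -d' ' -f1)
        [ "$got" = "$want" ] || { echo "hash mismatch: $name" >&2; return 1; }
    done < "$list"
}

# make_fixture DIR: constructed test data (throwaway key, fake archive).
make_fixture() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/priv.pem" 2>/dev/null
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
    printf 'constructed archive bytes\n' > "$1/base.txz"
    sum=$(openssl dgst -sha256 -r "$1/base.txz" | cut -d' ' -f1)
    printf '%s  base.txz\n' "$sum" > "$1/SETS.sha256"
    openssl dgst -sha256 -sign "$1/priv.pem" -out "$1/SETS.sha256.sig" \
        "$1/SETS.sha256"
}

demo() {
    d=$(mktemp -d) || return 1
    make_fixture "$d" || return 1
    verify_sets "$d/SETS.sha256" "$d/SETS.sha256.sig" "$d/pub.pem" "$d" \
        && echo "honest mirror: accepted"
    printf 'x' >> "$d/base.txz"   # archive replaced on a rogue mirror
    verify_sets "$d/SETS.sha256" "$d/SETS.sha256.sig" "$d/pub.pem" "$d" \
        || echo "replaced archive: rejected"
    rm -rf "$d"
}
demo
```

The public key has to reach the client by a path the mirror does not control, for example shipped with the installed system; a key fetched from the same FTP server gives no protection.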