TRON-DELTA.ORG – TrueOS PC-Updatemanager Security Review 2018


#1

Recently the TRON-DELTA.ORG commenced a security review on TrueOS (github.com/trueos), which included a manual code and configuration review/audit (no static or dynamic code analysis) and a review of documentation as needed. It focused on backdoors and obviously problematic or questionable items, within the TrueOS PC-UPDATEMANAGER sub-project.

Please note that our organization has not found any backdoor whatsoever within the TrueOS PC-UPDATEMANAGER sub-project.

However, to conclude the security review we have a remark/issue, directed to the TrueOS developers or TrueOS helpers, as listed below. We are aware of the complexity of this remark, which probably will take some time to address. However, we would greatly appreciate a short reply on it, as soon as time permits, to conclude our security review. Thank you!

A review of the Lumina project as well as the SysAdm project will take place in due course. In addition to that, extensive image/ISO testing took place in Q1 2018. Depending on our resources, the TRON-DELTA.ORG will also commence a FreeBSD and FreeBSD-ports project review, including code analysis.

R#1: During extensive testing of TrueOS we saw several errors, as described in post #18 in thread TrueOS Update Problem 17.12 to 18.02

The errors found are:

No packages matched for pattern, wrong pkg installed, No schema found, tar: Error exit delayed from previous errors, plus some minor errors.

Due to the difficulties in debugging the scripts, we strongly suggest adding debug options to the script doPkgUp.sh (potentially all important TrueOS shell scripts, like rc-doupdate, etc.), especially for function run_cmd_wtee(). That should be done to improve the situation with debugging errors like “Failed Updating!” and “Rolling back…” in the future, since we were unable to ultimately determine the reason for that error – probably one of the above, thus failing one function in the script. However, nothing helpful was written out to the logfiles and run_cmd_wtee() just failed without telling why it failed.

Based on these findings we suggest:

  • a partial rewrite of these upgrade scripts with sane debug pipes (plus e.g. an option to add -d or --debug as a parameter), adding debug functions/pipes and sane logging to logfiles

  • to use constructs like trap (if available in sh/bash) within the scripts for better error handling

  • to write out function parameters and return values to logfiles (only when --debug was given as a parameter, for security reasons)

  • that scripts should be split up into pre-install, install and post-install scripts to reduce complexity, even when that means implementing certain functions more than once

  • that function run_cmd_wtee() should be replaced (everywhere) with better logic and not only, quote: “Try to get error status of first command in pipeline”, which was not helpful post error/after the fact

  • that script functions should provide more helpful information on what exactly has failed (in general).

[1] https://github.com/trueos/pc-updatemanager/blob/master/rc-doupdate
[2] https://github.com/trueos/pc-updatemanager/blob/master/doPkgUp.sh
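
Added example, not part of the original post and not pc-updatemanager code: a POSIX sh sketch of the kind of helper the suggestions in post #1 describe, covering a --debug switch, a trap, and a command wrapper that reports which step failed. All names (LOGFILE, DEBUG, CURRENT_STEP, log, dbg, on_exit, run_logged) and the default log path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not TrueOS code). LOGFILE, DEBUG, CURRENT_STEP, log, dbg,
# on_exit and run_logged are assumed names for illustration.
umask 077                                  # debug logs may hold command arguments
LOGFILE="${LOGFILE:-/tmp/update-example.log}"
DEBUG="${DEBUG:-0}"
CURRENT_STEP=none

for arg in "$@"; do                        # -d / --debug switches tracing on
  case "$arg" in -d|--debug) DEBUG=1 ;; esac
done

log() { printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >>"$LOGFILE"; }

# Arguments and return values are written only in debug mode.
dbg() { if [ "$DEBUG" = 1 ]; then log "DEBUG: $*"; fi; }

# Record where the script died if it exits with a non-zero status.
on_exit() { [ "$1" -eq 0 ] || log "EXIT: status $1 during step '$CURRENT_STEP'"; }
trap 'on_exit $?' EXIT

# run_logged STEP CMD [ARGS...]
# Shows CMD's output, appends it to LOGFILE, and returns CMD's own exit
# status (not tee's). The status travels through a temp file because a
# POSIX sh pipeline only reports the status of its last command.
run_logged() {
  CURRENT_STEP=$1; shift
  dbg "step=$CURRENT_STEP argv: $*"
  st_file=$(mktemp "${TMPDIR:-/tmp}/run_logged.XXXXXX") || return 125
  { st=0; "$@" 2>&1 || st=$?; echo "$st" >"$st_file"; } | tee -a "$LOGFILE"
  rl_rc=$(cat "$st_file"); rm -f "$st_file"
  dbg "step=$CURRENT_STEP rc=$rl_rc"
  if [ "$rl_rc" -ne 0 ]; then
    # Command name only: full arguments stay out of non-debug logs.
    log "ERROR: step '$CURRENT_STEP' ($1) failed with exit status $rl_rc"
  fi
  return "$rl_rc"
}
```

A caller would write, for instance, `run_logged fetch-pkgs pkg update || exit 1`; the log then names the failing step and its exit status instead of only "Failed Updating!".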


#2

“They” always say OSS is more secure because everyone can check the code.

I say: Not everyone can, and almost nobody actually does.

So, thank you for making the tremendous effort to review OSS code!

As I belong to the majority of users who can and doesn’t read/review code I have to rely on people like you.
So, there still is nothing more “secure” than reviewing the code oneself, but work like yours helps the community a lot!

So, thank you very much and keep digging for even the littlest anomalies. That really does help making OSS more secure - at least more secure than without your detective work.


#3

Thank you, to-user, for your nice comment!

We found another request for a debug option within pc-updatemanager, in thread 17.12 -> 18.03 update hangs at “Boot-strapping package base…”.

Yet, the GitHub history for pc-updatemanager/doPkgUp.sh et al. does not indicate a change after Feb. 26, 2018.


#4

should obviously read: who can’t :)


#5

That’s right, to-user. Although we think the spelling is not the big problem we have here. Unfortunately we were unable to see any thread-related updates to rc-doupdate or doPkgUp.sh since April 1st, solving the problems described.

At present we evaluate upgrading our legacy GNU/Linux systems and further postponing a TrueOS migration, since we consider the problems with pkg in TrueOS and the pc-updatemanager a show-stopper.


#6

Thanks, Tron-Delta.

I’m waiting for the June-Edition.

I’m using TrueOS sometimes. I like the conceptual goal. But it’s way too early to migrate to it with all that You have.

It’s inherently experimental software.

You have to tinker a bit, and You have to have the knowledge to do so. I myself sometimes don’t have it.

As You suggest it here: Better Error-Messages are urgently needed:

  1. OpenRC-Messages
  2. PackageManagement-Messages

Seemingly, these missing parts could be avoided only by more people working at it. Or by waiting. Or by developing oneself.
I can’t. I’m not a developer.

Let’s be thankful for the developers’ work. But let’s all confess that this isn’t production-ready as yet.

Thanks again for Your helpful remarks.