As many of you are probably aware, there is a serious security issue that is currently all over the web regarding the GNU BASH shell. We at the PC-BSD project are well aware of the issue, a fix is already in place to plug this security hole, and packages with this fix are currently building. Look for an update to your BASH shell within the next 24 hours in the form of a package update.
As a side note: nothing written by the PC-BSD project uses BASH in any way – and BASH is not built-in to the FreeBSD operating system itself (it is an optional port/package), so the level of severity of this bug is lower on FreeBSD than on other operating systems.
According to the FreeBSD mailing list: Bryan Drewery has already sent a notice that the port is fixed in FreeBSD. However, since he also added some good recommendations in the email for BASH users, we decided to copy that email here for anyone else that is interested.
From: Bryan Drewery – FreeBSD mailing list
The port is fixed with all known public exploits. The package is
However bash still allows the crazy exporting of functions and may still
have other parser bugs. I would recommend for the immediate future not
using bash for forced ssh commands as well as these guidelines:
1. Do not ever link /bin/sh to bash. This is why it is such a big
problem on Linux, as system(3) will run bash by default from CGI.
2. Web/CGI users should have shell of /sbin/nologin.
3. Don’t write CGI in shell script / Stop using CGI 🙂
4. httpd/CGId should never run as root, nor “apache”. Sandbox each
application into its own user.
5. Custom restrictive shells, like scponly, should not be written in bash.
6. SSH authorized_keys/sshd_config forced commands should also not be
written in bash.
For more information the bug itself you can visit arstechnica and read the article by clicking the link below.
Hey everyone! After a brief hiatus from feature updates we are back! We’ve switched from Fridays to Mondays and rather than trying to get an update out every week we aren’t on a specific schedule. We will continue to push out these feature updates when we have some cool new features come out we think you’ll want to know about.
The Warden and PBI_add backend (CLI) management tools have received some exciting new features we’d like to tell you about. You can now create jails on the fly when adding a new PBI to your application library. For instance say you’re adding a PBI using the “pbi_add” command and you want to install the PBI into a new jail that you haven’t created yet. You would specify: “sudo pbi_add -J apache” without the quotes to create a default named jail with the PBI apache installed directly into it. The -J being the new flag that specifies the creation of the new jail.
There’s also a new option now to do a bulk jail creation. By simply using the new –bulk and –ip4pool flag you can easily roll out your preset number of jails quickly and efficiently. To use this cool new feature just type: “warden create <jailname> –bulk 5 –ip4pool 192.168.0.2” and voila you’ve got 5 brand spanking new jails created in no time starting at IP address 192.168.0.2 .
The PC-BSD team is now hanging out in IRC! Get involved in the conversation and come visit us on Freenode in channel #pcbsd. We look forward to seeing you there!
Hey PC-BSDers! This week we’ve been gearing up for the next release of PC-BSD version 10.0.2. In preparation for the next release we have been fine tuning some of the new features and making sure the loose ends are tied up. We were also able to close out a good amount of trac tickets this week and commit the fixes for 10.0.2.
In other news / updates this week:
- Fix a bug where the orphan package filter was also filtering out some base apps.
- Randomize the browser home page so that it only show 10 random “recommended” and “highlighted” applications.
- Add a ton more recommended/highlighted applications to the repo file.
- Fix some minor display bugs
- Add menu option to view the recent vulnerability information for ports through freshports.
- Fix the sizing information for installed meta-pkgs (will show the combined sizes of the direct dependencies instead)
- Fix the sizing information for available applications (will now show the combined size of all the packages that need to be downloaded/installed for that app)
- Add the ability to fetch/read the pkg-plist for a given pkg.
- Add a “bulk” module creation side to EasyPBI which allows for creating PBI modules for an entire FreeBSD category at a time (with all sorts of filters and options)
- Make EasyPBI automatically create up to 5 desktop/menu entries for graphical applications.
- Make the application binaries detected/usable within the module editor for creating new desktop/menu entries.
- Quick fix for filenames that have spaces in them
- Quick fix for making sure that when launching an app it is in the same general system environment. This allows apps like firefox/thunderbird to see other instances of themselves and act appropriately.
- lumina-config – Make sure the menu options actually work
Miscellaneous Fixes / improvements
- Fixed several warden bugs relating to new jail creation / package management
- Imported the latest ports and Gnome3 / Cinnamon for 10.0.2
- Fixed some issues prompting for GELI password from GRUB and then mountroot
- Fixed a critical bug with new CUPS 1.7.0 breaking foomatic-rip and associated print drivers
- Imported the latest PEFS code into 11-CURRENT and backported it to our 10-STABLE branches
- Fixed bugs with system update tray notifier not showing freebsd-update” notifications
- Migrated one of my build systems to 11-CURRENT and got it setup for doing PKG/ISO builds
- Misc other trac tickets fixed / closed in cleanup process
- Many other cosmetic / doc bugs fixes as Dru submitted them
- Started investigating bug with BE/GRUB failing if the first dataset is destroyed
We’ve been seeing a lot of confusion and questions about the PBI changes that were recently pushed out those of you running the Edge package sets, and Ken Moore was nice enough to break the changes down in this week’s PC-BSD weekly digest.
First, a little history about the PBI system.
It was initially created when the only/primary application distribution method for FreeBSD was the ports system – meaning that any FreeBSD user who wanted frequent updates to their applications needed to manually compile/install any application through the FreeBSD ports tree on a fairly regular schedule. The PBI system was designed as an alternative to provide simple application packages that could easily be downloaded and installed without the need for the user to compile any source code at all. As an added benefit, the PBI system installed these applications into a seperate container on the system – leaving all the “complicated” system configuration and integration to still be run through the FreeBSD ports system. This allowed PC-BSD to have a stable base system for a release (because the base system packages would almost never get touched/updated), while at the same time provide the ability to keep the main end-user applications up to date between releases.
Now fast-forward a bit to the PC-BSD 10 series.
At this time the FreeBSD ports system, while still existing for the “hardcore” users, has mainly been replaced by the pkgng distribution system for general system/application usage. This has provided quite a bit of confusion for PC-BSD users, because they now had two different ways to install applications, and each application on the system would behave differently depending on how that particular application was installed. To make the distibution model simpler for PC-BSD, the PBI files were already being created from pkgng packages (ensuring that there was a lot less compiling done on the build servers), and those packages were simply being collected into “fat files” with a few compatibility scripts and such thrown in for good measure.This meant that there was a lot of duplication between the pkg and PBI systems, resulting in a lot of effort to maintain compatibility between the two systems. The main problem however, was that the special PBI runtime container itself was causing all sorts of system stability issues. Since the release of PC-BSD 10.0 we have actually tried 3 or 4 different types of application runtime containers, each of which was designed to solve a critical flaw in the previous version, but always kept running into large limitations/problems with each new type of container.
At this point we decided to take a step back and refocus on what the PBI system was originally intended to do – provide a “Push Button Installer” to install and run applications while keeping things as simple as possible for the end user. With this definition for the PBI system, it makes perfect sense that the pkgng system should be chosen as our default application installation method for a couple reasons:
1) Integration with the system environment for things like setting up and running default applications works a lot better (mimetype integration/use).
2) Startup/runtime speed. Applications installed to the base system simply startup and run a lot faster than the ones that are installed into the containers.
3) User Confusion. Lots of people simply did not understand that the “contained” application libraries/files were not installed to the normal location on the system, and that an application in a container could not easily see or use the system-installed applications.
The next-generation PBI system.
This re-implementation is designed so that it no longer uses the “PBI Containers” exclusively and instead returns to its original goal – to provide a simple interface for the end user to install/use applications of all types and in all ways. This means that it is now a system that uses the pkgng packages as it’s basis – but provides all sorts of other information/functionality that the pkgng system does not fully support yet (such as mimetype integration, desktop/menu entries, and graphical information like icons for applications). Additionally, it also provides a number of enhancements to how the user can utilize the different pkgng packages, mainly through how the packages get installed.
1) Standard pkgng installation to the base system.
This allows the user a simple interface to install/remove application on the base system while providing a number of additional safety checks to prevent random “foot-shooting”.
2) Jail management.
By running the AppCafe on the base system, you can now manage all the applications/packages in any of the running jails on your system. Combined with the Warden for creating/managing different kinds of jails, the user now has a simple way to manage and run applications that (for security reasons) should never be installed/used from the base system (such as web servers or network-facing services).
3) Application containers with plugins!
By using the “portjail” creation options in the Warden, you now have a method to safely contain a graphical application while also allowing for a system of installing/removing optional packages into that jail for plugin support without touching your base system packages (very similar to our previous container system, but with a few more layers of separation between the jail and the system).
4) Other installation methods.
Because the PBI system is now installation-method agnostic (almost), we can provide support for alternate types of installation methods (such as into specialized containers like our previous PBI versions have had). While we do not have any other installation methods included at the moment, we can add new methods relatively easy in the future if those installation methods do not break system stability.
So what does this mean for a PC-BSD user?
1) Access to thousands more applications and plugins by default through the AppCafe. The “PBI” applications will show up with things like screenshots, available plugins, nice looking icons, user ratings/tips, and more while you also have the ability to install and use the “raw packages” (which will always have the icon of a box/package) even if the nicer recommendations and information is not available for that raw package.
2) Less confusion about application installations. Since applications will always be installed/integrated into the local system by default, this will prevent a lot of confusion in people who are used to the standard FreeBSD/Linux/Unix installation methods and file locations for applications.
3) Greater flexibility for different installation methods to suite your specific needs. System installation, traditional jail installation, portjail installation, additional future types of installations, it give the user freedom to truly run the system as you need, rather than forcing you to use a particular system that might not be what you were looking for.
Hey everyone just a quick update tonight as much of the work has been the same as last week :). I’ve uploaded a couple of pics to show how the new AppCafe integration with pkgng will look. In the first picture below you’ll see a similar looking app information screen with some sweet new features. The biggest thing you might notice right away is the 5 star rating system in the top left corner under “Firefox”. In the new AppCafe clicking the stars will immediately pop-up the app’s wiki page allowing you to rate the program. We are also looking into the ability to add comments as well that will also populate into AppCafe. Also many programs (especially GUI based applications) will have screenshots in AppCafe to allow you to check them out before you download them to your system.
Notice below right this is the main “installed applications” screen. Here you’ll be able to view all of your installed apps and also filter them based on a few presets built into AppCafe. Similar to the package manager, the new AppCafe will pull more information from the package repository about installed packages for you to review.
Important Correction: I realized after talking with Kris and Ken that I was slightly confused over the new role of pkgng and how it will affect PC-BSD going forward. pkgng is replacing the PBI system in future versions of PC-BSD and AppCafe. PBI’s will be immediately & automatically converted over to use pkgng instead once users update to the next big PC-BSD release. If you have any further questions we will be glad to answer them for you, and I aplogize for the information discrepancy!
PC-BSD has long been very flexible about how you can install software. You have PBI’s, packages, and ports available with just a couple clicks or via a couple of simple terminal commands. For a long time the PBI format has served as an excellent solution for people who may need an offline package install, or just simply prefer the ease and simplicity the PBI format has to offer especially via the AppCafe. Perhaps the “Achilles’ Heel” of this situation is that we have also been severely limited on the amount of software that the AppCafe has to offer as packages had to first be converted into the PBI format.
This week we are announcing a radical change that we think will benefit all PC-BSD users in ways that were previously unthinkable. The PC-BSD team has begun work during the last couple of weeks redesigning our PC-BSD utilities (AppCafe, Update Center) to work with our pkgng software repository that we are currently building to contain detailed information about all the software available through packages and PBIs. What this means for you is that in the near future PC-BSD will have a much broader software pool to pull from, and will not be limited anymore by only having a small subset of PBI’s. You will now be able to install packages and PBI’s in one place, while also being able to update and manage both in one place.
You may be asking yourself “why the change?”. Over the last several months we have noticed a considerable amount of our time has been going into compatibility and fixes for PBIs. So much time in fact that other important development had to be postponed and / or sidelined while we worked on bringing PBIs up to speed. We are hoping by adopting appcafe and the PBI format to work in tandem with pkgng, that we will be able to refocus our efforts on other important endeavours.
We will have more information available soon as development continues on how you can get involved with testing out the new features and submitting ideas to help the project along. Let us know what you think about the changes. Are we headed in the right direction? Do you have ideas related to the redesign that you’d like to contribute? Let us know!
Much larger software library. Instead of 800 available appcafe applications think more like 10000+
Detailed information on all the software available including packages in one place
Ability to search and filter your results to show
Improved compatibility across desktop environments
New rating system is being developed for grading the quality of packages in the AppCafe library