Document the (in)security features of CTM, especially ctm_rmail.

1 files changed, 27 insertions, 1 deletions

diff --git a/usr.sbin/ctm/ctm/ctm.1 b/usr.sbin/ctm/ctm/ctm.1
index 4656301..d51bbc2 100644
--- a/usr.sbin/ctm/ctm/ctm.1
+++ b/usr.sbin/ctm/ctm/ctm.1
@@ -222,7 +222,33 @@ Pathnames can be selected for CTM's consideration using the
 option.
 
 .El
-
+.Pp
+.Sh SECURITY
+.Pp
+CTM is an
+.Bf Em 
+INSECURE PROTOCOL
+.Ef
+- there is no authentication performed that the
+changes applied to the source code were sent by a
+trusted party, and so care should be taken if the
+CTM deltas are obtained via an unauthenticated
+medium such as email.
+It is a relatively simple matter for an attacker
+to forge a CTM delta to replace or precede the
+legitimate one and insert malicious code into your
+source tree.
+If the legitimate delta is somehow prevented from
+arriving, this will go unnoticed until a later
+delta attempts to touch the same file, at which
+point the MD5 checksum will fail.
+.Pp
+A future version of
+.Fx
+may solve this problem by authenticating CTM
+deltas using cryptographic signatures, but in the
+mean time it is strongly recommended that you
+obtain the CTM deltas via FTP, and not via email.
 .Sh ENVIRONMENT
 .Ev TMPDIR,
 if set to a pathname, will cause ctm to use that pathname