| 1 |
Chris Bainbridge wrote: |
| 2 |
>>So for for me the only objective is : |
| 3 |
>>* protect against compromised rsync server |
| 4 |
> |
| 5 |
> Why? There are more gentoo developers than rsync servers. Their machines do |
| 6 |
> more than rsync servers. What reason is there to believe that a compromise of |
| 7 |
> an rsync server is more likely than compromise of a developer machine? |
| 8 |
|
| 9 |
To "compromise a dev box" is in fact to compromise the dev signing key. |
| 10 |
That means having access to the key (which could/should easily be stored |
| 11 |
on removable media) and access to the passphrase. So you need full root |
| 12 |
compromise (or physical) access *and* wait for the dev to enter his |
| 13 |
passphrase. |
| 14 |
|
| 15 |
On the other hand, to compromise a rsync server just needs user level |
| 16 |
access to the repositories. The exploited machine is directly usable, no |
| 17 |
incubation time. Furthermore, you don't even need to compromise the |
| 18 |
rsync server. Just set up one and have it included in the rsync |
| 19 |
rotation. Then just wait for your trojans to call home. |
| 20 |
|
| 21 |
Hack Gentoo boxen howto : |
| 22 |
http://www.gentoo.org/doc/en/rsync.xml |
| 23 |
|
| 24 |
Brandon Hale wrote: |
| 25 |
> We will be moving at some point to Gentoo-only rsync mirrors in the main |
| 26 |
> round robin DNS. Servers controlled by Gentoo have a high standard for |
| 27 |
> security, and are admined by our ever watchful infra team. See |
| 28 |
|
| 29 |
That would take care of the easy exploit above. But I still think the |
| 30 |
best is to quickly get the rsync mirror security out of the equation. |
| 31 |
|
| 32 |
I think there is a consensus on managers to concentrate on the quickest |
| 33 |
solution that would meet the single objective of not relying on all |
| 34 |
rsync mirrors security. 2004.1 seems an unrealistic target, do you think |
| 35 |
2004.2 should be the target ? |
| 36 |
|
| 37 |
Then you should start a specific thread to compare implementations, with |
| 38 |
the single goal of solving the rsync security problem. Every person with |
| 39 |
a detailed solution should post there, and once it's done, we can |
| 40 |
compare how easy (and fast) it is to setup. Use Occam's razor to select |
| 41 |
the best (the easiest), and if the best also solves other security |
| 42 |
problems (compromised dev or rogue dev or whatever), then all the |
| 43 |
better. But I don't think so, and like rac said, I don't want perfect to |
| 44 |
get in the way of better. The winner writes a GLEP. Koon's happy ;) |
| 45 |
|
| 46 |
We already have one detailed post, Robbat2's implementation : |
| 47 |
http://marc.theaimsgroup.com/?l=gentoo-dev&m=108017986400698&w=2 |
| 48 |
|
| 49 |
pauldv : you probably should summarize your fast-rotation signing key |
| 50 |
implementation in a new post for the record. |
| 51 |
|
| 52 |
Once you get decided on the implementation, I can help writing docs if |
| 53 |
the winner developer doesn't have too much time to spend on this problem. |
| 54 |
|
| 55 |
-K |
| 56 |
|
| 57 |
-- |
| 58 |
gentoo-dev@g.o mailing list |
Archives