1 |
Chris Bainbridge wrote: |
2 |
>>So for for me the only objective is : |
3 |
>>* protect against compromised rsync server |
4 |
> |
5 |
> Why? There are more gentoo developers than rsync servers. Their machines do |
6 |
> more than rsync servers. What reason is there to believe that a compromise of |
7 |
> an rsync server is more likely than compromise of a developer machine? |
8 |
|
9 |
To "compromise a dev box" is in fact to compromise the dev signing key. |
10 |
That means having access to the key (which could/should easily be stored |
11 |
on removable media) and access to the passphrase. So you need full root |
12 |
compromise (or physical) access *and* wait for the dev to enter his |
13 |
passphrase. |
14 |
|
15 |
On the other hand, to compromise a rsync server just needs user level |
16 |
access to the repositories. The exploited machine is directly usable, no |
17 |
incubation time. Furthermore, you don't even need to compromise the |
18 |
rsync server. Just set up one and have it included in the rsync |
19 |
rotation. Then just wait for your trojans to call home. |
20 |
|
21 |
Hack Gentoo boxen howto : |
22 |
http://www.gentoo.org/doc/en/rsync.xml |
23 |
|
24 |
Brandon Hale wrote: |
25 |
> We will be moving at some point to Gentoo-only rsync mirrors in the main |
26 |
> round robin DNS. Servers controlled by Gentoo have a high standard for |
27 |
> security, and are admined by our ever watchful infra team. See |
28 |
|
29 |
That would take care of the easy exploit above. But I still think the |
30 |
best is to quickly get the rsync mirror security out of the equation. |
31 |
|
32 |
I think there is a consensus on managers to concentrate on the quickest |
33 |
solution that would meet the single objective of not relying on all |
34 |
rsync mirrors security. 2004.1 seems an unrealistic target, do you think |
35 |
2004.2 should be the target ? |
36 |
|
37 |
Then you should start a specific thread to compare implementations, with |
38 |
the single goal of solving the rsync security problem. Every person with |
39 |
a detailed solution should post there, and once it's done, we can |
40 |
compare how easy (and fast) it is to setup. Use Occam's razor to select |
41 |
the best (the easiest), and if the best also solves other security |
42 |
problems (compromised dev or rogue dev or whatever), then all the |
43 |
better. But I don't think so, and like rac said, I don't want perfect to |
44 |
get in the way of better. The winner writes a GLEP. Koon's happy ;) |
45 |
|
46 |
We already have one detailed post, Robbat2's implementation : |
47 |
http://marc.theaimsgroup.com/?l=gentoo-dev&m=108017986400698&w=2 |
48 |
|
49 |
pauldv : you probably should summarize your fast-rotation signing key |
50 |
implementation in a new post for the record. |
51 |
|
52 |
Once you get decided on the implementation, I can help writing docs if |
53 |
the winner developer doesn't have too much time to spend on this problem. |
54 |
|
55 |
-K |
56 |
|
57 |
-- |
58 |
gentoo-dev@g.o mailing list |