Gentoo Archives: gentoo-security

From: Mansour Moufid <mansourmoufid@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Portage rsync security
Date: Thu, 20 Mar 2008 11:50:08
Message-Id: 44a1f4d20803200449i3c24fa6frce5cb62363ec9abb@mail.gmail.com
In Reply to: [gentoo-security] Portage rsync security by Florian Philipp
On Thu, Mar 20, 2008 at 6:45 AM, Florian Philipp
<lists@f_philipp.fastmail.net> wrote:
> Hi list!
>
> Am I right that there is currently no way portage tries to verify that
> the rsync-mirror is not spoofed?
>
> Doesn't that pose a major threat? If I were able to manipulate the
> domain name resolution, I could easily trick gentooers into making false
> updates and thus executing a malicious program with root-permission on
> their machine.
>
>
> So, why isn't there some kind of public key authentication going on, at
> least optionally?
>
> By the way: How does gentoo's gpg-feature work? The man-page doesn't
> contain an explanation.
>

An attacker would need to be able to manipulate both the rsync server
and the actual downloaded packages since Portage verifies checksums
(RMD160, SHA1, SHA256, size). This is possible, as you mentioned,
using DNS spoofing.

I guess one solution would be to resolve your rsync server's IP
address once (e.g. at boot) and include an iptables rule for it
specifically. My BASH is not very good, but e.g.:

RSYNC='rsync'
# IPT, EXTIF and EXTIP are assumed to be set by the surrounding firewall
# script (the iptables binary, the external interface and its address);
# only IPT gets a default here.
IPT="${IPT:-iptables}"
# Host part of SYNC="rsync://host/module" from make.conf
FOO="$(grep ^SYNC /etc/make.conf | sed 's/.*rsync:\/\/\([^ ]*\)/\1/')"
BAR="${FOO%/*}"
# The second "Address:" line of nslookup output is the first answer
# (the first one is the resolver itself)
IP="$(nslookup $BAR | grep ^Address | sed 's/.*Address: \([^ ]*\)/\1/' \
    | head -2 | tail -1)"

for i in $IP
do
    # Allow new outbound rsync connections only to the pinned mirror address
    $IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP -d $i --dport $RSYNC --syn \
        -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i $EXTIF -p tcp -s $i -d $EXTIP --sport $RSYNC --syn \
        -m state --state NEW -j ACCEPT
done

Assuming your /etc/resolv.conf was secure at boot, this (I think)
would protect your machine from DNS-related attacks. Perhaps others
who are more knowledgeable can chip in here.

Sincerely,
Mansour Moufid
--
gentoo-security@l.g.o mailing list
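Added example, not part of the original message and not Portage's own code: a minimal checker for Manifest2 DIST entries in Python, showing what the checksum verification mentioned above does and does not cover. It ties a distfile to its Manifest entry (size, RMD160, SHA1, SHA256), but since the Manifest itself arrives over the same rsync channel, a tampered distfile shipped with a regenerated Manifest verifies just as well. The entry format assumed is Portage's "DIST name size HASH hex ..." line; file names and contents in demo() are constructed.

```python
import hashlib
# Manifest2 hash names -> hashlib names; RMD160 is skipped if OpenSSL lacks it.
HASH_NAMES = {"RMD160": "ripemd160", "SHA1": "sha1", "SHA256": "sha256"}

def digest(algo, data):
    """Hex digest under a Manifest hash name, or None if not available here."""
    try:
        h = hashlib.new(HASH_NAMES[algo])
    except (KeyError, ValueError):
        return None
    h.update(data)
    return h.hexdigest()

def manifest_line(name, data):
    """Build the 'DIST <name> <size> <HASH> <hex> ...' entry Portage writes."""
    fields = ["DIST", name, str(len(data))]
    for algo in HASH_NAMES:
        if digest(algo, data) is not None:
            fields += [algo, digest(algo, data)]
    return " ".join(fields)

def parse_manifest(text):
    """Return {name: (size, {HASH: hex})} for the DIST entries of a Manifest."""
    entries = {}
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 5 and f[0] == "DIST":
            entries[f[1]] = (int(f[2]), dict(zip(f[3::2], f[4::2])))
    return entries

def verify_distfile(data, entry):
    """Check size and every locally supported hash; returns (ok, reason)."""
    size, hashes = entry
    if len(data) != size:
        return False, "size mismatch"
    checked = 0
    for algo, expected in hashes.items():
        actual = digest(algo, data)
        if actual is not None and actual != expected.lower():
            return False, "%s mismatch" % algo
        checked += actual is not None
    return (checked > 0), ("ok" if checked else "no supported hash")

def demo(distfile=b"hello gentoo\n"):
    """Constructed scenario: (genuine vs. its Manifest, tampered vs. genuine
    Manifest, tampered vs. a Manifest regenerated by whoever tampered)."""
    genuine = parse_manifest(manifest_line("foo.tar.gz", distfile))["foo.tar.gz"]
    tampered = distfile.replace(b"hello", b"hullo")
    forged = parse_manifest(manifest_line("foo.tar.gz", tampered))["foo.tar.gz"]
    return (verify_distfile(distfile, genuine)[0],
            verify_distfile(tampered, genuine)[0],
            verify_distfile(tampered, forged)[0])
```

demo() returns (True, False, True): the third result is the case the thread is about, where the mirror controls both the files and the Manifests that vouch for them.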

Replies

Subject Author
Re: [gentoo-security] Portage rsync security Mario Koppensteiner <mariok@×××××××××.org>
Re: [gentoo-security] Portage rsync security Russell Valentine <russ@×××××××××××××.org>