| 1 |
Peter Simons wrote: |
| 2 |
> (1) Run "find /usr/portage -type f | xargs sha1sum -b" on |
| 3 |
> the Gentoo main system. |
| 4 |
> |
| 5 |
> (2) Sign the output with GPG. |
| 6 |
> |
| 7 |
> (3) Put it into the portage tree. |
| 8 |
> |
| 9 |
> (4) If the user has GPG installed and has manually put the |
| 10 |
> appropriate public key in some place _outside_ of the |
| 11 |
> portage tree, have "emerge sync" verify that the |
| 12 |
> signature is intact and all hashes hold. |
| 13 |
> |
| 14 |
> (5) Missing files in the tree are okay (rsync_excludes), |
| 15 |
> files in the tree which do not have a hash are not okay. |
| 16 |
|
| 17 |
This is a good start, but I have some thoughts. |
| 18 |
|
| 19 |
Let's see the attack tree against Gentoo portage. The attacker wants to |
| 20 |
inject malicious code into the tree, he has several choices now: |
| 21 |
|
| 22 |
1) Attack the end user's machine |
| 23 |
|
| 24 |
2) Attack the connection between the end user and the Portage mirror |
| 25 |
|
| 26 |
3) Attack the mirror machine |
| 27 |
|
| 28 |
4) Attack the connection between the main site and the mirror |
| 29 |
|
| 30 |
5) Attack the main site |
| 31 |
|
| 32 |
6) Attack the connection between the developer and the main site |
| 33 |
|
| 34 |
7) Attack the developer's machine |
| 35 |
|
| 36 |
Your algorithm eliminates the risc in leafs from 2 to 4. |
| 37 |
|
| 38 |
How about this: the developers have to sign the files they upload, but |
| 39 |
do this before they upload them,? This would eliminate leafs 5 and 6, too. |
| 40 |
|
| 41 |
|
| 42 |
/Ervin |
| 43 |
|
| 44 |
-- |
| 45 |
gentoo-security@g.o mailing list |
Archives