List Archive: gentoo-security
To: gentoo-security@g.o
From: "Mansour Moufid" <mansourmoufid@...>
Subject: Re: Portage rsync security
Date: Thu, 20 Mar 2008 07:49:12 -0400
On Thu, Mar 20, 2008 at 6:45 AM, Florian Philipp
<lists@...> wrote:
> Hi list!
>  Am I right that there is currently no way portage tries to verify that
>  the rsync-mirror is not spoofed?
>  Doesn't that pose a major threat? If I were able to manipulate the
>  domain name resolution, I could easily trick gentooers into making false
>  updates and thus executing a malicious program with root-permission on
>  their machine.
>  So, why isn't there some kind of public key authentication going on, at
>  least optionally?
>  By the way: How does Gentoo's gpg-feature work? The man-page doesn't
>  contain an explanation.

An attacker would need to be able to manipulate both the rsync server
and the actual downloaded packages since Portage verifies checksums
(RMD160, SHA1, SHA256, size). This is possible, as you mentioned,
using DNS spoofing.

I guess one solution would be to resolve your rsync server's IP
address once (e.g. at boot) and include an iptables rule for it
specifically. My Bash is not very good, but e.g.:

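# Host part of SYNC="rsync://host/path" (path and closing quote stripped)
FOO=$(grep ^SYNC /etc/make.conf | sed 's|.*rsync://\([^/" ]*\).*|\1|')
# Second "Address" line of the nslookup output (the first is the resolver itself)
IP=$(nslookup "$FOO" | grep ^Address | sed 's/.*Address: \([^ ]*\)/\1/' | head -2 | tail -1)

# $IPT, $EXTIF, $EXTIP and $RSYNC are expected to be set by the surrounding firewall script
for i in $IP; do
  $IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP -d $i --dport $RSYNC --syn -m state --state NEW -j ACCEPT
  # Replies from the mirror belong to an established connection; they are not new SYNs
  $IPT -A INPUT  -i $EXTIF -p tcp -s $i -d $EXTIP --sport $RSYNC -m state --state ESTABLISHED -j ACCEPT
done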

Assuming your /etc/resolv.conf was secure at boot, this (I think)
would protect your machine from DNS-related attacks. Perhaps others
who are more knowledgeable can chip in here.

Mansour Moufid
gentoo-security@g.o mailing list
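
The reply above resolves the mirror once at boot and trusts that answer afterwards. As an added example (not part of the original post), the sketch below compares what the resolver returns later with the addresses pinned at boot and flags any that were not pinned. The function names are hypothetical, and the nslookup output layout is assumed to match the constructed sample.

```bash
#!/bin/bash
# Added example, not from the original post. Function names are hypothetical.

# Constructed sample of nslookup output (documentation addresses only).
SAMPLE_NSLOOKUP='Server:         192.0.2.53
Address:        192.0.2.53#53

Non-authoritative answer:
Name:   rsync.example.org
Address: 198.51.100.10
Name:   rsync.example.org
Address: 198.51.100.99'

# Print the host of the SYNC="rsync://host/path" line in a make.conf file ($1).
sync_host() {
    sed -n "s|^SYNC=[\"']\{0,1\}rsync://\([^/:\"' ]*\).*|\1|p" "$1" | head -n 1
}

# Read nslookup output on stdin; print the answer's IPv4 addresses, one per
# line. The resolver's own "Address:" line comes before the first "Name:" line
# and is skipped; anything that is not a dotted quad is dropped.
answer_addresses() {
    awk '/^Name:/ {answer = 1} answer && /^Address/ {print $2}' |
        grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u
}

# Read addresses on stdin; print those that are not listed in the pin file ($1).
unpinned_addresses() {
    grep -vxF -f "$1" || true
}

# stdin = nslookup output, $1 = pin file written at boot.
# Returns 0 if every resolved address is pinned, 1 if any is not,
# 2 if no usable address was resolved.
check_mirror() {
    local current strays
    current=$(answer_addresses)
    [ -n "$current" ] || { echo "no address resolved" >&2; return 2; }
    strays=$(printf '%s\n' "$current" | unpinned_addresses "$1")
    [ -z "$strays" ] && return 0
    printf 'not pinned: %s\n' $strays >&2
    return 1
}
```

At boot, the output of `nslookup "$(sync_host /etc/make.conf)" | answer_addresses` would be saved as the pin file; before each sync the same lookup is piped into `check_mirror` and the sync is skipped on a non-zero status.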


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.
