| 1 |
Hi, |
| 2 |
|
| 3 |
why do you extract all files in the tar archive? it doesn't make sense at all, |
| 4 |
you can sign und hash the tar as it is, no security will be gained by |
| 5 |
extracting the whole archive thats crap like your script. |
| 6 |
only performance will be worse. |
| 7 |
|
| 8 |
how about: |
| 9 |
|
| 10 |
SIGNKEYID="blablubb" |
| 11 |
MASTER="xxx/xxxxxxxor/rsync" #where the master repository lives |
| 12 |
TEMP="/tmp/xxxxxxx/" #working directory |
| 13 |
PORTARCHIVE="portage.tar.bz2" |
| 14 |
MD5SUM="/usr/bin/md5sum" |
| 15 |
GPG="/usr/bin/gpg" |
| 16 |
|
| 17 |
${MD5SUM} "${PORTARCHIVE}" > "${PORTARCHIVE}.md5" |
| 18 |
${GPG} --batch -u "${SIGNKEYID}" --armor --detach-sign --output |
| 19 |
"${PORTARCHIVE}.sig" "${PORTARCHIVE}" |
| 20 |
|
| 21 |
Now only some parts in emerge-webrsync have to be modified to proof the |
| 22 |
signature and hash to be correct before extracting the portage package or you |
| 23 |
can do it by hand. |
| 24 |
|
| 25 |
And please stop your sarcastic expressions. |
| 26 |
|
| 27 |
cu |
| 28 |
|
| 29 |
> -/bin/mv ${FILENAME} ${FILENAME}.md5sum ${UPLOAD} |
| 30 |
> +/usr/bin/gpg --batch -u "${SIGNKEYID}" --armor --detach-sign --output |
| 31 |
> ${FILENAME}.gpgsig ${FILENAME} +/bin/mv ${FILENAME} ${FILENAME}.md5sum |
| 32 |
> ${FILENAME}.gpgsig ${UPLOAD} |
| 33 |
|
| 34 |
Am Donnerstag, 11. November 2004 03:04 schrieb Peter Simons: |
| 35 |
> Dear Gentoo Security Experts, |
| 36 |
> |
| 37 |
> I am very proud to announce that I have managed to perform |
| 38 |
> the crucial security fix assignment I have been given by |
| 39 |
> Kurt Lieber and Dan Margolis. After I had kissed some ass, |
| 40 |
> publicly humiliated myself, and swallowed a couple of dozen |
| 41 |
> insults, I was deemed worthy enough to do what Kurt referred |
| 42 |
> to as "to work with [him] to help [finding] ways to fix it". |
| 43 |
> |
| 44 |
> For various reasons which he didn't bother to elaborate on |
| 45 |
> the public mailing list -- probably for good reason --, it |
| 46 |
> turned out that my suggested solution to the fact that |
| 47 |
> Gentoo users all over the Internet are completely |
| 48 |
> defenseless against man-in-the-middle attacks was considered |
| 49 |
> absolutely unfeasible. |
| 50 |
> |
| 51 |
> So he informed me that the ONLY WAY to do anything against |
| 52 |
> that little glitch is to sign the daily Portage snapshot |
| 53 |
> that's available for download with "emerge-webrsync". This |
| 54 |
> does protect a flabbergasting total of ... I dunno ... maybe |
| 55 |
> .1 percent of the user base, so it is better than nothing. |
| 56 |
> |
| 57 |
> Since all the Gentoo developers were unavailable to perform |
| 58 |
> the necessary modifications to the snapshot creation script |
| 59 |
> -- for the last 1.5 years -- he kindly sent it to me as a |
| 60 |
> MIME attachment so that I could "write the code". |
| 61 |
> |
| 62 |
> Needless to say I was thrilled. |
| 63 |
> |
| 64 |
> Finally my chance to prove that I am not an idiot, but an |
| 65 |
> idiot who also contributes to Gentoo! |
| 66 |
> |
| 67 |
> I managed to software-engineer the necessary "patch" to make |
| 68 |
> the script generate a full-blown GPG signature for the |
| 69 |
> snapshot archive, and I would like to post the diffs here so |
| 70 |
> that the procedure can be peer-reviewed. |
| 71 |
> |
| 72 |
> So without further ado, here is my contribution: |
| 73 |
> |
| 74 |
> --- snapshots-create.sh |
| 75 |
> +++ snapshots-create.sh |
| 76 |
> @@ -12,7 +12,7 @@ |
| 77 |
> # |
| 78 |
> # Define locations for stuff |
| 79 |
> # |
| 80 |
> - |
| 81 |
> +SIGNKEYID="41BC28FE99089D72" |
| 82 |
> MASTER="xxx/xxxxxxxor/rsync" #where the master repository lives |
| 83 |
> TEMP="/tmp/xxxxxxx/" #working directory |
| 84 |
> #UPLOAD="/xx/xx/xx/xxx/upload/" #temp location for testing |
| 85 |
> @@ -42,7 +42,8 @@ |
| 86 |
> |
| 87 |
> /bin/tar --exclude=CVS -cjf ${FILENAME} portage |
| 88 |
> /usr/bin/md5sum ${FILENAME} > ${FILENAME}.md5sum |
| 89 |
> -/bin/mv ${FILENAME} ${FILENAME}.md5sum ${UPLOAD} |
| 90 |
> +/usr/bin/gpg --batch -u "${SIGNKEYID}" --armor --detach-sign --output |
| 91 |
> ${FILENAME}.gpgsig ${FILENAME} +/bin/mv ${FILENAME} ${FILENAME}.md5sum |
| 92 |
> ${FILENAME}.gpgsig ${UPLOAD} |
| 93 |
> |
| 94 |
> Now, this is mission-critical software and you really need |
| 95 |
> to be a top-notch security specialist to do this. So to make |
| 96 |
> sure there are no problems integrating the script into the |
| 97 |
> mind-blowingly fragile Gentoo main server setup, I have to |
| 98 |
> make a few comments to make sure nothing gets messed up |
| 99 |
> here. |
| 100 |
> |
| 101 |
> Kurt, I realize that submitting my homework as a diff makes |
| 102 |
> matters more complicated for you. You have to save that |
| 103 |
> snippet above to a file and then use the utility patch(1). |
| 104 |
> If you have _any_ problems with this, please don't hesitate |
| 105 |
> to let me know, and I'll send you the complete script in |
| 106 |
> private e-mail. |
| 107 |
> |
| 108 |
> Before you can use the hardened version of this software, |
| 109 |
> you have to customize it. Since I have NO ACCESS TO THE |
| 110 |
> GENTOO SERVERS, the script is tailored for my own system. |
| 111 |
> The casual readers of this list might want to skip the |
| 112 |
> following paragraphs, because it's getting really technical |
| 113 |
> now for a moment. |
| 114 |
> |
| 115 |
> Everybody else please look closely at the first chunk. |
| 116 |
> You'll find a line like this: |
| 117 |
> |
| 118 |
> SIGNKEYID="41BC28FE99089D72" |
| 119 |
> |
| 120 |
> This statement assigns a variable with the ID of the key |
| 121 |
> that is going to be used later in the script to generate the |
| 122 |
> cryptographic signature. I chose to use a variable here so |
| 123 |
> that the key ID can be configured at the top of the script, |
| 124 |
> instead of burying that parameter amidst 78 lines of |
| 125 |
> comments, whitespace, and several complex calls to tar(1) |
| 126 |
> and other Unix magic. I realize that using a variable adds a |
| 127 |
> level of indirection which might have performance |
| 128 |
> implications that are difficult to predict. Kurt, should |
| 129 |
> this version be too slow to manage the job in time on the |
| 130 |
> machines, I'll remove that again, okay? |
| 131 |
> |
| 132 |
> My point about that line is, though: This key ID will NOT |
| 133 |
> WORK on your machine! The reason is that to issue a |
| 134 |
> signature, you have to use the secret key of the GPG |
| 135 |
> key-pair. So although you can download a key with that ID |
| 136 |
> from every public key server, this will not work! You really |
| 137 |
> need the secret key. |
| 138 |
> |
| 139 |
> To make the script work nonetheless you have to: |
| 140 |
> |
| 141 |
> (1) Start appropriate text editing software. On most Gentoo |
| 142 |
> machines, the tool nano(1) can be used for this. |
| 143 |
> |
| 144 |
> (2) Repeatedly hit the cursor-down button on your keyboard |
| 145 |
> until that white rectangle you're seeing is right over |
| 146 |
> that SIGNKEYID line from above. |
| 147 |
> |
| 148 |
> (3) Stop hitting cursor-down now! |
| 149 |
> |
| 150 |
> (4) If the white rectangle has moved past that line |
| 151 |
> already, then you have to hit CTRL-Z, then enter |
| 152 |
> |
| 153 |
> kill -9 %1 |
| 154 |
> |
| 155 |
> and go back to step (1) and try again. |
| 156 |
> |
| 157 |
> (5) Don't give up. |
| 158 |
> |
| 159 |
> (6) If you have successfully navigated the white rectangle |
| 160 |
> to the line, hit cursor-right repeatedly until it has |
| 161 |
> reached the point right after the first double quote. |
| 162 |
> |
| 163 |
> (7) Don't give up. |
| 164 |
> |
| 165 |
> (8) Switch into overwrite mode and enter the ID of your |
| 166 |
> secret key. |
| 167 |
> |
| 168 |
> (9) Save the modified script and exit the text editing |
| 169 |
> software. I'd love to give more details on this step, |
| 170 |
> but unfortunately the exact procedure is implementation |
| 171 |
> defined. |
| 172 |
> |
| 173 |
> After you have successfully edited the key ID to match the |
| 174 |
> one your secret key has, you should be ready to try it out. |
| 175 |
> Just enter "snapshots-create.sh" and see what happens. |
| 176 |
> |
| 177 |
> What do you mean it doesn't work? |
| 178 |
> |
| 179 |
> Hmmm. Does "./snapshots-create.sh" work? |
| 180 |
> |
| 181 |
> Doesn't either? |
| 182 |
> |
| 183 |
> Hmmm. Ah, wait. Enter "chmod +x snapshots-create.sh". |
| 184 |
> |
| 185 |
> Good, now run the "./snapshots-create.sh" command again. |
| 186 |
> |
| 187 |
> STILL doesn't work? |
| 188 |
> |
| 189 |
> What does it say on the screen? |
| 190 |
> |
| 191 |
> Nothing? |
| 192 |
> |
| 193 |
> Hahaha, now I got it. No, no, that's perfectly alright. It |
| 194 |
> will take a while for the script to return; that thing runs |
| 195 |
> a while. Yes, security-related software does require lots |
| 196 |
> and lots of CPU time; that really can't be helped in any |
| 197 |
> way, so please be patient. |
| 198 |
> |
| 199 |
> Now, if the script has returned at last you will find the |
| 200 |
> following files in the Gentoo download area: |
| 201 |
> |
| 202 |
> portage-20041109.tar.bz2 |
| 203 |
> portage-20041109.tar.bz2.gpgsig |
| 204 |
> portage-20041109.tar.bz2.md5sum |
| 205 |
> |
| 206 |
> Don't be concerned if the filenames don't match exactly. |
| 207 |
> These numbers depend on the t-coordinate of the system the |
| 208 |
> script is run on; that is a kind of unique hash to guarantee |
| 209 |
> that no filename collisions occur. |
| 210 |
> |
| 211 |
> If this has succeeded, then you have a TOTALLY secure Gentoo |
| 212 |
> distribution now; there really is nothing left to worry |
| 213 |
> about. |
| 214 |
> |
| 215 |
> Just execute "emerge sync", wait until it comes back and ... |
| 216 |
> everything still works, no hacker has injected any modified |
| 217 |
> /usr/portage/eclass/eutils.eclass file into your machine, |
| 218 |
> you are totally SAFE! |
| 219 |
> |
| 220 |
> Of course, I wouldn't install any new software for the next |
| 221 |
> 1.5 years because there remains a small, insignificant |
| 222 |
> chance that doing this will erase your hard disk, install |
| 223 |
> Red Hat Linux, or do other horrible things. |
| 224 |
> |
| 225 |
> But you know how the old saying goes: Never change a running |
| 226 |
> system! |
| 227 |
> |
| 228 |
> Exactly. |
| 229 |
> |
| 230 |
> WARNING *** WARNING *** WARNING *** WARNING |
| 231 |
> |
| 232 |
> My instructions have been written for the final version of |
| 233 |
> this hardening mechanism. Right now, the "totally secure" |
| 234 |
> bit is not quite accurate because I still haven't gotten to |
| 235 |
> "patch" any of the Gentoo tools to verify that signature. |
| 236 |
> |
| 237 |
> Or, to be perfectly honest, I have gotten to but didn't |
| 238 |
> manage. |
| 239 |
> |
| 240 |
> There is some complexity to the task that wasn't quite |
| 241 |
> understood when I agreed to do all this for Gentoo, because |
| 242 |
> before I can call GPG to verify the signature, I have to |
| 243 |
> execute |
| 244 |
> |
| 245 |
> source /etc/make.conf |
| 246 |
> |
| 247 |
> to import some more variables, so that the user can |
| 248 |
> switch authentication on/off, set the path to the official |
| 249 |
> Gentoo key and all that. And frankly, it is just too damn |
| 250 |
> difficult. |
| 251 |
> |
| 252 |
> Anyway, I promise I will do that ASAP. Let's see ... we have |
| 253 |
> 2004 now ... Man, that is gonna take a while. Because, as it |
| 254 |
> happens, I have other stuff to do, too, you know? It's not |
| 255 |
> like I am getting paid for all this! |
| 256 |
> |
| 257 |
> And besides: I simply don't give a shit. |
| 258 |
> |
| 259 |
> Cheers, |
| 260 |
> |
| 261 |
> Peter |
| 262 |
> |
| 263 |
> -- |
| 264 |
> gentoo-security@g.o mailing list |
| 265 |
|
| 266 |
-- |
| 267 |
gentoo-security@g.o mailing list |
Archives