| 1 |
Dear Gentoo Security Experts, |
| 2 |
|
| 3 |
I am very proud to announce that I have managed to perform |
| 4 |
the crucial security fix assignment I have been given by |
| 5 |
Kurt Lieber and Dan Margolis. After I had kissed some ass, |
| 6 |
publicly humiliated myself, and swallowed a couple of dozen |
| 7 |
insults, I was deemed worthy enough to do what Kurt referred |
| 8 |
to as "to work with [him] to help [finding] ways to fix it". |
| 9 |
|
| 10 |
For various reasons which he didn't bother to elaborate on |
| 11 |
the public mailing list -- probably for good reason --, it |
| 12 |
turned out that my suggested solution to the fact that |
| 13 |
Gentoo users all over the Internet are completely |
| 14 |
defenseless against man-in-the-middle attacks was considered |
| 15 |
absolutely unfeasible. |
| 16 |
|
| 17 |
So he informed me that the ONLY WAY to do anything against |
| 18 |
that little glitch is to sign the daily Portage snapshot |
| 19 |
that's available for download with "emerge-webrsync". This |
| 20 |
does protect a flabbergasting total of ... I dunno ... maybe |
| 21 |
.1 percent of the user base, so it is better than nothing. |
| 22 |
|
| 23 |
Since all the Gentoo developers were unavailable to perform |
| 24 |
the necessary modifications to the snapshot creation script |
| 25 |
-- for the last 1.5 years -- he kindly sent it to me as a |
| 26 |
MIME attachment so that I could "write the code". |
| 27 |
|
| 28 |
Needless to say I was thrilled. |
| 29 |
|
| 30 |
Finally my chance to prove that I am not an idiot, but an |
| 31 |
idiot who also contributes to Gentoo! |
| 32 |
|
| 33 |
I managed to software-engineer the necessary "patch" to make |
| 34 |
the script generate a full-blown GPG signature for the |
| 35 |
snapshot archive, and I would like to post the diffs here so |
| 36 |
that the procedure can be peer-reviewed. |
| 37 |
|
| 38 |
So without further ado, here is my contribution: |
| 39 |
|
| 40 |
--- snapshots-create.sh |
| 41 |
+++ snapshots-create.sh |
| 42 |
@@ -12,7 +12,7 @@ |
| 43 |
# |
| 44 |
# Define locations for stuff |
| 45 |
# |
| 46 |
- |
| 47 |
+SIGNKEYID="41BC28FE99089D72" |
| 48 |
MASTER="xxx/xxxxxxxor/rsync" #where the master repository lives |
| 49 |
TEMP="/tmp/xxxxxxx/" #working directory |
| 50 |
#UPLOAD="/xx/xx/xx/xxx/upload/" #temp location for testing |
| 51 |
@@ -42,7 +42,8 @@ |
| 52 |
|
| 53 |
/bin/tar --exclude=CVS -cjf ${FILENAME} portage |
| 54 |
/usr/bin/md5sum ${FILENAME} > ${FILENAME}.md5sum |
| 55 |
-/bin/mv ${FILENAME} ${FILENAME}.md5sum ${UPLOAD} |
| 56 |
+/usr/bin/gpg --batch -u "${SIGNKEYID}" --armor --detach-sign --output ${FILENAME}.gpgsig ${FILENAME} |
| 57 |
+/bin/mv ${FILENAME} ${FILENAME}.md5sum ${FILENAME}.gpgsig ${UPLOAD} |
| 58 |
|
| 59 |
Now, this is mission-critical software and you really need |
| 60 |
to be a top-notch security specialist to do this. So to make |
| 61 |
sure there are no problems integrating the script into the |
| 62 |
mind-blowingly fragile Gentoo main server setup, I have to |
| 63 |
make a few comments to make sure nothing gets messed up |
| 64 |
here. |
| 65 |
|
| 66 |
Kurt, I realize that submitting my homework as a diff makes |
| 67 |
matters more complicated for you. You have to save that |
| 68 |
snippet above to a file and then use the utility patch(1). |
| 69 |
If you have _any_ problems with this, please don't hesitate |
| 70 |
to let me know, and I'll send you the complete script in |
| 71 |
private e-mail. |
| 72 |
|
| 73 |
Before you can use the hardened version of this software, |
| 74 |
you have to customize it. Since I have NO ACCESS TO THE |
| 75 |
GENTOO SERVERS, the script is tailored for my own system. |
| 76 |
The casual readers of this list might want to skip the |
| 77 |
following paragraphs, because it's getting really technical |
| 78 |
now for a moment. |
| 79 |
|
| 80 |
Everybody else please look closely at the first chunk. |
| 81 |
You'll find a line like this: |
| 82 |
|
| 83 |
SIGNKEYID="41BC28FE99089D72" |
| 84 |
|
| 85 |
This statement assigns a variable with the ID of the key |
| 86 |
that is going to be used later in the script to generate the |
| 87 |
cryptographic signature. I chose to use a variable here so |
| 88 |
that the key ID can be configured at the top of the script, |
| 89 |
instead of burying that parameter amidst 78 lines of |
| 90 |
comments, whitespace, and several complex calls to tar(1) |
| 91 |
and other Unix magic. I realize that using a variable adds a |
| 92 |
level of indirection which might have performance |
| 93 |
implications that are difficult to predict. Kurt, should |
| 94 |
this version be too slow to manage the job in time on the |
| 95 |
machines, I'll remove that again, okay? |
| 96 |
|
| 97 |
My point about that line is, though: This key ID will NOT |
| 98 |
WORK on your machine! The reason is that to issue a |
| 99 |
signature, you have to use the secret key of the GPG |
| 100 |
key-pair. So although you can download a key with that ID |
| 101 |
from every public key server, this will not work! You really |
| 102 |
need the secret key. |
| 103 |
|
| 104 |
To make the script work nonetheless you have to: |
| 105 |
|
| 106 |
(1) Start appropriate text editing software. On most Gentoo |
| 107 |
machines, the tool nano(1) can be used for this. |
| 108 |
|
| 109 |
(2) Repeatedly hit the cursor-down button on your keyboard |
| 110 |
until that white rectangle you're seeing is right over |
| 111 |
that SIGNKEYID line from above. |
| 112 |
|
| 113 |
(3) Stop hitting cursor-down now! |
| 114 |
|
| 115 |
(4) If the white rectangle has moved past that line |
| 116 |
already, then you have to hit CTRL-Z, then enter |
| 117 |
|
| 118 |
kill -9 %1 |
| 119 |
|
| 120 |
and go back to step (1) and try again. |
| 121 |
|
| 122 |
(5) Don't give up. |
| 123 |
|
| 124 |
(6) If you have successfully navigated the white rectangle |
| 125 |
to the line, hit cursor-right repeatedly until it has |
| 126 |
reached the point right after the first double quote. |
| 127 |
|
| 128 |
(7) Don't give up. |
| 129 |
|
| 130 |
(8) Switch into overwrite mode and enter the ID of your |
| 131 |
secret key. |
| 132 |
|
| 133 |
(9) Save the modified script and exit the text editing |
| 134 |
software. I'd love to give more details on this step, |
| 135 |
but unfortunately the exact procedure is implementation |
| 136 |
defined. |
| 137 |
|
| 138 |
After you have successfully edited the key ID to match the |
| 139 |
one your secret key has, you should be ready to try it out. |
| 140 |
Just enter "snapshots-create.sh" and see what happens. |
| 141 |
|
| 142 |
What do you mean it doesn't work? |
| 143 |
|
| 144 |
Hmmm. Does "./snapshots-create.sh" work? |
| 145 |
|
| 146 |
Doesn't either? |
| 147 |
|
| 148 |
Hmmm. Ah, wait. Enter "chmod +x snapshots-create.sh". |
| 149 |
|
| 150 |
Good, now run the "./snapshots-create.sh" command again. |
| 151 |
|
| 152 |
STILL doesn't work? |
| 153 |
|
| 154 |
What does it say on the screen? |
| 155 |
|
| 156 |
Nothing? |
| 157 |
|
| 158 |
Hahaha, now I got it. No, no, that's perfectly alright. It |
| 159 |
will take a while for the script to return; that thing runs |
| 160 |
a while. Yes, security-related software does require lots |
| 161 |
and lots of CPU time; that really can't be helped in any |
| 162 |
way, so please be patient. |
| 163 |
|
| 164 |
Now, if the script has returned at last you will find the |
| 165 |
following files in the Gentoo download area: |
| 166 |
|
| 167 |
portage-20041109.tar.bz2 |
| 168 |
portage-20041109.tar.bz2.gpgsig |
| 169 |
portage-20041109.tar.bz2.md5sum |
| 170 |
|
| 171 |
Don't be concerned if the filenames don't match exactly. |
| 172 |
These numbers depend on the t-coordinate of the system the |
| 173 |
script is run on; that is a kind of unique hash to guarantee |
| 174 |
that no filename collisions occur. |
| 175 |
|
| 176 |
If this has succeeded, then you have a TOTALLY secure Gentoo |
| 177 |
distribution now; there really is nothing left to worry |
| 178 |
about. |
| 179 |
|
| 180 |
Just execute "emerge sync", wait until it comes back and ... |
| 181 |
everything still works, no hacker has injected any modified |
| 182 |
/usr/portage/eclass/eutils.eclass file into your machine, |
| 183 |
you are totally SAFE! |
| 184 |
|
| 185 |
Of course, I wouldn't install any new software for the next |
| 186 |
1.5 years because there remains a small, insignificant |
| 187 |
chance that doing this will erase your hard disk, install |
| 188 |
Red Hat Linux, or do other horrible things. |
| 189 |
|
| 190 |
But you know how the old saying goes: Never change a running |
| 191 |
system! |
| 192 |
|
| 193 |
Exactly. |
| 194 |
|
| 195 |
WARNING *** WARNING *** WARNING *** WARNING |
| 196 |
|
| 197 |
My instructions have been written for the final version of |
| 198 |
this hardening mechanism. Right now, the "totally secure" |
| 199 |
bit is not quite accurate because I still haven't gotten to |
| 200 |
"patch" any of the Gentoo tools to verify that signature. |
| 201 |
|
| 202 |
Or, to be perfectly honest, I have gotten to but didn't |
| 203 |
manage. |
| 204 |
|
| 205 |
There is some complexity to the task that wasn't quite |
| 206 |
understood when I agreed to do all this for Gentoo, because |
| 207 |
before I can call GPG to verify the signature, I have to |
| 208 |
execute |
| 209 |
|
| 210 |
source /etc/make.conf |
| 211 |
|
| 212 |
to import some more variables, so that the user can |
| 213 |
switch authentication on/off, set the path to the official |
| 214 |
Gentoo key and all that. And frankly, it is just too damn |
| 215 |
difficult. |
| 216 |
|
| 217 |
Anyway, I promise I will do that ASAP. Let's see ... we have |
| 218 |
2004 now ... Man, that is gonna take a while. Because, as it |
| 219 |
happens, I have other stuff to do, too, you know? It's not |
| 220 |
like I am getting paid for all this! |
| 221 |
|
| 222 |
And besides: I simply don't give a shit. |
| 223 |
|
| 224 |
Cheers, |
| 225 |
|
| 226 |
Peter |
| 227 |
|
| 228 |
-- |
| 229 |
gentoo-security@g.o mailing list |
Archives