Dear Gentoo Security Experts,

I am very proud to announce that I have managed to perform
the crucial security fix assignment I have been given by
Kurt Lieber and Dan Margolis. After I had kissed some ass,
publicly humiliated myself, and swallowed a couple of dozen
insults, I was deemed worthy enough to do what Kurt referred
to as "to work with [him] to help [finding] ways to fix it".

For various reasons which he didn't bother to elaborate on
the public mailing list -- probably for good reason --, it
turned out that my suggested solution to the fact that
Gentoo users all over the Internet are completely
defenseless against man-in-the-middle attacks was considered
absolutely unfeasible.

So he informed me that the ONLY WAY to do anything against
that little glitch is to sign the daily Portage snapshot
that's available for download with "emerge-webrsync". This
does protect a flabbergasting total of ... I dunno ... maybe
.1 percent of the user base, so it is better than nothing.

Since all the Gentoo developers were unavailable to perform
the necessary modifications to the snapshot creation script
-- for the last 1.5 years -- he kindly sent it to me as a
MIME attachment so that I could "write the code".

Needless to say, I was thrilled.

Finally my chance to prove that I am not an idiot, but an
idiot who also contributes to Gentoo!

I managed to software-engineer the necessary "patch" to make
the script generate a full-blown GPG signature for the
snapshot archive, and I would like to post the diffs here so
that the procedure can be peer-reviewed.

So without further ado, here is my contribution:

--- snapshots-create.sh
+++ snapshots-create.sh
@@ -12,7 +12,7 @@
#
# Define locations for stuff
#
-
+SIGNKEYID="41BC28FE99089D72"
MASTER="xxx/xxxxxxxor/rsync" #where the master repository lives
TEMP="/tmp/xxxxxxx/" #working directory
#UPLOAD="/xx/xx/xx/xxx/upload/" #temp location for testing
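Review bot: SIGNKEYID is hard-coded as a 16-hex-digit key ID rather than the key's full fingerprint; `-u` accepts a fingerprint, and using it avoids selecting the wrong key should the build host's keyring ever hold more than one key sharing that ID. Since the post itself says this value has to be replaced by the ID of a key whose secret half lives on the build host, consider `SIGNKEYID="${SIGNKEYID:-41BC28FE99089D72}"` or sourcing it from a configuration file outside the script, so the production key is configured rather than edited in by hand.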
@@ -42,7 +42,8 @@

/bin/tar --exclude=CVS -cjf ${FILENAME} portage
/usr/bin/md5sum ${FILENAME} > ${FILENAME}.md5sum
-/bin/mv ${FILENAME} ${FILENAME}.md5sum ${UPLOAD}
+/usr/bin/gpg --batch -u "${SIGNKEYID}" --armor --detach-sign --output ${FILENAME}.gpgsig ${FILENAME}
+/bin/mv ${FILENAME} ${FILENAME}.md5sum ${FILENAME}.gpgsig ${UPLOAD}

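Review bot: the new gpg line has no failure handling, so when signing fails (secret key not present, a passphrase-protected key that --batch cannot prompt for, or an existing ${FILENAME}.gpgsig that --batch refuses to overwrite without --yes) the following /bin/mv still publishes the unsigned tarball and md5sum to ${UPLOAD}; mv reports the missing .gpgsig and moves the rest anyway. Suggest appending ` || exit 1` to the gpg line (or `set -e` at the top of the script) so a failed signature aborts before anything reaches the download area, and quoting "${FILENAME}" the way the line already quotes "${SIGNKEYID}".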
Now, this is mission-critical software and you really need
to be a top-notch security specialist to do this. So to make
sure there are no problems integrating the script into the
mind-blowingly fragile Gentoo main server setup, I have to
make a few comments to make sure nothing gets messed up
here.

Kurt, I realize that submitting my homework as a diff makes
matters more complicated for you. You have to save that
snippet above to a file and then use the utility patch(1).
If you have _any_ problems with this, please don't hesitate
to let me know, and I'll send you the complete script in
private e-mail.

Before you can use the hardened version of this software,
you have to customize it. Since I have NO ACCESS TO THE
GENTOO SERVERS, the script is tailored for my own system.
The casual readers of this list might want to skip the
following paragraphs, because it's getting really technical
now for a moment.

Everybody else please look closely at the first chunk.
You'll find a line like this:

    SIGNKEYID="41BC28FE99089D72"

This statement assigns a variable with the ID of the key
that is going to be used later in the script to generate the
cryptographic signature. I chose to use a variable here so
that the key ID can be configured at the top of the script,
instead of burying that parameter amidst 78 lines of
comments, whitespace, and several complex calls to tar(1)
and other Unix magic. I realize that using a variable adds a
level of indirection which might have performance
implications that are difficult to predict. Kurt, should
this version be too slow to manage the job in time on the
machines, I'll remove that again, okay?

My point about that line is, though: This key ID will NOT
WORK on your machine! The reason is that to issue a
signature, you have to use the secret key of the GPG
key-pair. So although you can download a key with that ID
from every public key server, this will not work! You really
need the secret key.

To make the script work nonetheless you have to:

(1) Start appropriate text editing software. On most Gentoo
    machines, the tool nano(1) can be used for this.

(2) Repeatedly hit the cursor-down button on your keyboard
    until that white rectangle you're seeing is right over
    that SIGNKEYID line from above.

(3) Stop hitting cursor-down now!

(4) If the white rectangle has moved past that line
    already, then you have to hit CTRL-Z, then enter

        kill -9 %1

    and go back to step (1) and try again.

(5) Don't give up.

(6) If you have successfully navigated the white rectangle
    to the line, hit cursor-right repeatedly until it has
    reached the point right after the first double quote.

(7) Don't give up.

(8) Switch into overwrite mode and enter the ID of your
    secret key.

(9) Save the modified script and exit the text editing
    software. I'd love to give more details on this step,
    but unfortunately the exact procedure is implementation
    defined.

After you have successfully edited the key ID to match the
one your secret key has, you should be ready to try it out.
Just enter "snapshots-create.sh" and see what happens.

What do you mean it doesn't work?

Hmmm. Does "./snapshots-create.sh" work?

Doesn't either?

Hmmm. Ah, wait. Enter "chmod +x snapshots-create.sh".

Good, now run the "./snapshots-create.sh" command again.

STILL doesn't work?

What does it say on the screen?

Nothing?

Hahaha, now I got it. No, no, that's perfectly alright. It
will take a while for the script to return; that thing runs
a while. Yes, security-related software does require lots
and lots of CPU time; that really can't be helped in any
way, so please be patient.

Now, if the script has returned at last you will find the
following files in the Gentoo download area:

    portage-20041109.tar.bz2
    portage-20041109.tar.bz2.gpgsig
    portage-20041109.tar.bz2.md5sum

Don't be concerned if the filenames don't match exactly.
These numbers depend on the t-coordinate of the system the
script is run on; that is a kind of unique hash to guarantee
that no filename collisions occur.

If this has succeeded, then you have a TOTALLY secure Gentoo
distribution now; there really is nothing left to worry
about.

Just execute "emerge sync", wait until it comes back and ...
everything still works, no hacker has injected any modified
/usr/portage/eclass/eutils.eclass file into your machine,
you are totally SAFE!

Of course, I wouldn't install any new software for the next
1.5 years because there remains a small, insignificant
chance that doing this will erase your hard disk, install
Red Hat Linux, or do other horrible things.

But you know how the old saying goes: Never change a running
system!

Exactly.

WARNING *** WARNING *** WARNING *** WARNING

My instructions have been written for the final version of
this hardening mechanism. Right now, the "totally secure"
bit is not quite accurate because I still haven't gotten to
"patch" any of the Gentoo tools to verify that signature.

Or, to be perfectly honest, I have gotten to but didn't
manage.

There is some complexity to the task that wasn't quite
understood when I agreed to do all this for Gentoo, because
before I can call GPG to verify the signature, I have to
execute

    source /etc/make.conf

to import some more variables, so that the user can
switch authentication on/off, set the path to the official
Gentoo key and all that. And frankly, it is just too damn
difficult.

Anyway, I promise I will do that ASAP. Let's see ... we have
2004 now ... Man, that is gonna take a while. Because, as it
happens, I have other stuff to do, too, you know? It's not
like I am getting paid for all this! 

And besides: I simply don't give a shit.

Cheers,

Peter

--
gentoo-security@g.o mailing list
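The verification side that the post says is still missing, as an added example that is not part of the post or of Gentoo's own tooling: a POSIX shell verifier for the detached, ASCII-armored .gpgsig written by the patched snapshots-create.sh, driven by make.conf-style switches. The variable names SNAPSHOT_VERIFY, SNAPSHOT_KEYRING, SNAPSHOT_KEY_FPR and SNAPSHOT_MAX_AGE_DAYS are assumptions, not Portage settings, and the script assumes GnuPG 2.1 or later on PATH (the 2004-era gpg 1.x lacks --quick-generate-key, which only the demo function needs). It goes beyond the post in two ways a client-side check needs: it pins the signing key by full fingerprint from gpg's --status-fd output instead of trusting gpg's exit code, and it rejects signatures older than a configured age, so that an old but genuinely signed snapshot cannot be replayed.

```shell
#!/bin/sh
# Added example, not code from the post or from Gentoo: verifies the detached
# .gpgsig that the patched snapshots-create.sh produces. Assumes GnuPG 2.1+.
set -eu

# Constructed stand-ins for the /etc/make.conf variables the post talks about.
# The names are assumptions, not Portage's own settings.
SNAPSHOT_VERIFY="yes"        # "yes" = authentication on, anything else = off
SNAPSHOT_KEYRING=""          # keyring holding ONLY the official signing key
SNAPSHOT_KEY_FPR=""          # full fingerprint of the official signing key
SNAPSHOT_MAX_AGE_DAYS=30     # reject snapshots signed longer ago than this

# verify_snapshot <tarball> <detached-sig>
# Returns 0 only when gpg emits VALIDSIG, the primary-key fingerprint equals
# SNAPSHOT_KEY_FPR, and the signature is recent. gpg's exit code alone is not
# enough: it is also 0 for a valid signature by any other key that happens to
# be in the keyring, and for a genuine but months-old snapshot replayed in
# transit.
verify_snapshot() {
    tarball=$1
    sig=$2
    if [ "$SNAPSHOT_VERIFY" != "yes" ]; then
        echo "warning: snapshot authentication disabled by config" >&2
        return 0
    fi
    status=$(gpg --batch --no-default-keyring --keyring "$SNAPSHOT_KEYRING" \
                 --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1
    # VALIDSIG fields: [GNUPG:] VALIDSIG <fpr> <date> <sig-epoch> ... <primary-fpr>
    fields=$(printf '%s\n' "$status" \
             | awk '/^\[GNUPG:\] VALIDSIG /{print $5, $NF; exit}')
    [ -n "$fields" ] || return 1
    set -- $fields
    sig_epoch=$1
    primary_fpr=$2
    [ "$primary_fpr" = "$SNAPSHOT_KEY_FPR" ] || return 1
    now=$(date +%s)
    [ $((now - sig_epoch)) -le $((SNAPSHOT_MAX_AGE_DAYS * 86400)) ]
}

# demo: generates a throwaway key and a constructed "snapshot" in a temp dir,
# signs it with the same gpg invocation as the patched script, then checks
# that the untouched file verifies and a tampered copy does not.
# Prints "good=0 tampered=1" and returns 0 when both checks behave.
demo() {
    work=$(mktemp -d /tmp/snapdemo.XXXXXX)
    GNUPGHOME="$work/gnupg"
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Snapshot Demo (constructed) <demo@example.invalid>' \
        default default never 2>/dev/null
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '/^fpr:/{print $10; exit}')

    # Export only the public half into the keyring the verifier will trust.
    SNAPSHOT_KEYRING="$work/official-key.gpg"
    SNAPSHOT_KEY_FPR="$fpr"
    gpg --batch --export "$fpr" > "$SNAPSHOT_KEYRING"

    file="$work/portage-YYYYMMDD.tar.bz2"       # constructed payload, not a real tarball
    printf 'constructed snapshot payload\n' > "$file"
    gpg --batch -u "$fpr" --armor --detach-sign --output "$file.gpgsig" "$file"

    good=0
    verify_snapshot "$file" "$file.gpgsig" || good=$?
    printf 'one injected line\n' >> "$file"     # simulate modification in transit
    bad=0
    verify_snapshot "$file" "$file.gpgsig" || bad=$?

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "good=$good tampered=$bad"
    [ "$good" -eq 0 ] && [ "$bad" -ne 0 ]
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh verify-snapshot.sh demo` to see the good/tampered outcome, or source it and call `verify_snapshot portage-20041109.tar.bz2 portage-20041109.tar.bz2.gpgsig` after pointing SNAPSHOT_KEYRING at a keyring that contains nothing but the official key. Keeping that keyring separate from the user's default one is deliberate: the check should not become weaker just because the user happens to have imported other people's keys.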