| 1 |
On Thu, 30 Sep 2004, Chris L. Mason wrote: |
| 2 |
|
| 3 |
> Hi all, |
| 4 |
> |
| 5 |
> I've checked the documentation and man pages and couldn't find what I |
| 6 |
> was looking for. If I've missed something, please point me in the |
| 7 |
> right direction. |
| 8 |
> |
| 9 |
> I've been trying to figure out if it is possible to have all emerges |
| 10 |
> (especially the builds) to be done as a non-root user, and have the |
| 11 |
> process call sudo (or similar) only for the final merge. All |
| 12 |
> downloading, unpacking, compiling and installing to the fake target |
| 13 |
> should be doable without root permissions. So, you'd just need to be |
| 14 |
> in the portage group, and be configured in sudo. |
| 15 |
> |
| 16 |
... |
| 17 |
> |
| 18 |
> This is desirable both for security reasons and just to avoid |
| 19 |
> accidentally trashing the system because of a broken build script, for |
| 20 |
> example. |
| 21 |
|
| 22 |
Illusion of security only. If someone competent wanted to attack your |
| 23 |
system, they would not do it in the build script; they'd do it in the |
| 24 |
resulting code. As such, this methodology only protects against broken |
| 25 |
build scripts. |
| 26 |
|
| 27 |
For those that don't understand the concept, which would you think a |
| 28 |
cracker would more likely want: one time access to your system, or |
| 29 |
access to your system forever, whenver they wanted? |
| 30 |
|
| 31 |
We may find out about some malicious code updates through such |
| 32 |
protections, but that's generally due to the cracker not knowing how to |
| 33 |
code properly. The crackers who *do* know how to code will pass right |
| 34 |
through your checks if you're depending upon such mechanisms to detect |
| 35 |
them. (Admittedly, I've only heard of one decent cracker who dared Open |
| 36 |
Source.) I would really prefer we find out about all the malicious |
| 37 |
updates through code review and patch signature verification (this does, |
| 38 |
of course, include the preference for finding out about all of them.). |
| 39 |
|
| 40 |
Admittedly, build scripts tend to not get quite as much review as code |
| 41 |
people realize is going to continue running on their systems, and I have |
| 42 |
seen one or two packages that tried to install root kits in configure. |
| 43 |
(They, incidentally, did not pass the signature verification check. But |
| 44 |
I was curious.) |
| 45 |
|
| 46 |
Ed |
| 47 |
|
| 48 |
-- |
| 49 |
gentoo-dev@g.o mailing list |
Archives