| 1 |
On 20/05/06, Peter <pete4abw@×××××××.net> wrote: |
| 2 |
> PMFJI, but as a user, not a security expert, I had a few thoughts that I'd |
| 3 |
> like to throw in. Thanks to Patrick, he helped me to drill down some of |
| 4 |
> the ideas and I present them for consideration. It's just a framework, so |
| 5 |
> I will be brief |
| 6 |
|
| 7 |
Thanks for your input. From a security point of view your scheme is |
| 8 |
fine, but as pointed out by others you won't be able to selectively |
| 9 |
rsync parts of the tree. That will require a signature for each |
| 10 |
manifest, and a manifest for every directory. The problem I see is |
| 11 |
that the manifest is going to have to include a hash for each |
| 12 |
subdirectory - otherwise you open the possibility of someone replacing |
| 13 |
a directory with one from the past that contains some known |
| 14 |
insecurity, or corrupting the tree by swapping random directories, and |
| 15 |
yet the signatures remain valid. Of course, that hash changes if you |
| 16 |
allow people to rsync_exclude directories, and hence the signature |
| 17 |
changes. So you can either accept that if you selectively rsync then |
| 18 |
you won't be able to verify the signed tree, or accept that there is a |
| 19 |
known security problem with having no signed link between parent and |
| 20 |
child directories, or come up with a different scheme. |
| 21 |
|
| 22 |
Obviously the manifests also have to be checked to make sure they're |
| 23 |
valid - this is currently done for package directories at emerge time, |
| 24 |
it would need to be extended to all other directories. I'd prefer the |
| 25 |
checks done at sync time since that's a one time cost and you don't |
| 26 |
have to figure out exactly what files will be used by each emerge |
| 27 |
operation. |
| 28 |
|
| 29 |
-- |
| 30 |
gentoo-dev@g.o mailing list |
Archives