| 1 |
On Mon, Jan 13, 2003 at 01:34:31PM -0500, Dylan Carlson wrote: |
| 2 |
> [2] Gentoo project managers need to kill off inactive developers, and |
| 3 |
> regularly hold key-signing parties. |
| 4 |
|
| 5 |
This is IMHO difficult since the developers are from all over the world. You |
| 6 |
would have to have local KSP's, then have a trusted party go over to the |
| 7 |
other countries (or continents) so that by trusting that party all users can |
| 8 |
verify the validity of the keys. |
| 9 |
|
| 10 |
> Having the developer sign each ebuild before a commit will minimize these |
| 11 |
> risks. If a dev's box is rooted -- the hacker can commit as many hacks as |
| 12 |
> they want to the Gentoo CVS tree, but the ebuilds will not be signed, and |
| 13 |
> consequently will be ignored on the Gentoo clients. |
| 14 |
> |
| 15 |
> That is why I'm saying one key sign for the whole tree is a bad idea... |
| 16 |
|
| 17 |
It won't harm to have a second signature :) |
| 18 |
|
| 19 |
My take on this security-aspect (a possible, but probably paranoid solution): |
| 20 |
|
| 21 |
The way in which you trust everything begins at the installation-process of |
| 22 |
the Gentoo Linux distribution. Do you trust the stage-tarballs or provided |
| 23 |
Gentoo Linux ISO's? To be able to trust those, you will have to check the |
| 24 |
validity of these files on your current operating system using some tool |
| 25 |
(let's say a OpenPGP-supporting client). This /assumes/ you trust your |
| 26 |
current system. If you do not, all things are invalid. |
| 27 |
|
| 28 |
So before the paranoid user installs Gentoo Linux using the ISO or tarballs, |
| 29 |
it will have to check the validity of those files. So the first "barrier" is |
| 30 |
a signed .iso or .tgz. Lets say the key is of the Gentoo Developer in charge |
| 31 |
of releases. The paranoid person downloads the public key from a PKI, checks |
| 32 |
the fingerprint from several locations (gentoo.org, #gentoo, mirrors, the |
| 33 |
developer himself (this will make him go nuts, but hey, what are developers |
| 34 |
for :), ...) and/or see if the key is trusted by someone he trusts. |
| 35 |
|
| 36 |
Okay, when this is done, he burns the .iso on the CD (I assume here that he |
| 37 |
installs it using the CD, if he doesn't, he will have to make sure that his |
| 38 |
own system provides the same tools as the CD, but this shouldn't be a |
| 39 |
problem) and boots. |
| 40 |
|
| 41 |
The next security-aspect is the security of the livecd. If I am not mistaken |
| 42 |
there are no daemons on the livecd, and if there are, they should only listen |
| 43 |
to the localhost address per default. Perhaps a firewall blocking all |
| 44 |
incoming connections could be used, but this should be done with care. |
| 45 |
Firewalls are only good if they are configured correctly. If not, they are |
| 46 |
more harmfull then harmless... |
| 47 |
|
| 48 |
When the stage1 tarball is installed, the first thing that is done is an |
| 49 |
"emerge sync". So here lays the next security issue. We will have to make |
| 50 |
sure that whatever is downloaded into the Portage tree is trusted. Since the |
| 51 |
emerge-tool itself is trusted (it is contained on the .iso or .tgz) we could |
| 52 |
have it check for validity. So one implementation is to have Portage support |
| 53 |
OpenPGP. Lets say it uses pyme (a Python interface to GPGME) so GnuPG and |
| 54 |
GPGME are also in stage1 (this increases the download ofcourse). It syncs its |
| 55 |
tree with the remote mirror. |
| 56 |
|
| 57 |
Now there are several ways to implement a secure way of handling the ebuilds, |
| 58 |
most of them have passed the revue. One way of handling (with many thanks to |
| 59 |
the ppl that proposed and discussed this): |
| 60 |
|
| 61 |
1/ Digitally sign each ebuild. This means that all developers have to sign |
| 62 |
their ebuilds, and that they manually check every proposed change in the |
| 63 |
bugzilla. |
| 64 |
Problems: |
| 65 |
- This is a very intensive process and still not completely |
| 66 |
secure. The downloaded files could be malicious (cf. |
| 67 |
sendmail ftp-server hack) but this is something we can't |
| 68 |
do anything about. We will have to trust the official |
| 69 |
ftp-servers of the tools. |
| 70 |
This also means that all developers' keys are available on the .iso. |
| 71 |
Portage will have to check the signature of every ebuild he wants to |
| 72 |
emerge. |
| 73 |
|
| 74 |
2/ Implement the proposed timeframe. If a tree has not been updated for over |
| 75 |
x hours, warn so that the person can re-emerge with another mirror. Use a |
| 76 |
(one or more) filelist(s) which give the latest mtime of each file or |
| 77 |
directory. Implement this properly. I personally don't know how rsync |
| 78 |
works, so I can't elaborate on this any further. Digitally sign these |
| 79 |
files. Because of the nature of this signing, it should be done |
| 80 |
automatically (it is impossible to have a developer checkout a cvs tree, |
| 81 |
create the necessary filelists, signing all of them and then upload the |
| 82 |
whole tree to the server. This is overkill and imposes lots of new |
| 83 |
problems). So have the main server (or the CVS server) do this (CVS: only |
| 84 |
when a tree is pulled out and placed on the FTP, or FTP: only when |
| 85 |
uploading occurs). |
| 86 |
Problems: |
| 87 |
- This assumes we trust the CVS- or FTP-server as we do with |
| 88 |
www.kernel.org. Leave it this way. Users and developers |
| 89 |
will soon see if there is something wrong, since the |
| 90 |
Gentoo Development is very active. If you really want, you |
| 91 |
can have an audit team regularly check if all current |
| 92 |
ebuilds on the main server resemble the currect versions |
| 93 |
of the tools. We should also remove vulnerable ebuilds from |
| 94 |
the server. If one users sees that there is a vulnerable |
| 95 |
version, he can report it. |
| 96 |
Portage will have to check the validity of the filelists with his tree |
| 97 |
(checking the signature of the filelists in general) and the mtime of the |
| 98 |
ebuilds he wants to emerge. |
| 99 |
|
| 100 |
3/ Have Portage individually register every removal of the Portage tree. If |
| 101 |
an ebuild has been removed, register it in, f.i. "removed-ebuilds". If for |
| 102 |
some reason that ebuild is available again, give a warning. |
| 103 |
Since Gentoo doesn't remove "old" ebuilds, the policy of removing only |
| 104 |
vulnerable ebuilds or ebuilds that won't work (because the tarball itself |
| 105 |
is removed) helps in this aspect: ebuilds that return from /dev/null are : |
| 106 |
- risky (a mirror that provides a vulnerable ebuild) |
| 107 |
- strange (the previous mirror that removed a non-vulnerable ebuild) |
| 108 |
The first reason is the reason why this should be implemented. The second |
| 109 |
reason, well, I really don't know why a hacker would remove a |
| 110 |
non-vulnerable ebuild if he knows the vulnerable ebuilds are removed as |
| 111 |
well. But hackers are weird, so even if this happens, this means that |
| 112 |
there is something "wrong" (CVS- or FTP-server hacked). Don't forget that, |
| 113 |
if the mirror just provides vulnerable ebuilds (or remove non-vulnerable |
| 114 |
ebuilds) without having a hacker at service that hacked the CVS- or |
| 115 |
FTP-server) then the filelists will be out-of-sync and Portage will warn |
| 116 |
you of that. |
| 117 |
|
| 118 |
4/ Make the use of sandbox installs mandatory. Using this sandbox, we can |
| 119 |
easily trap trojans that are activated during the ./configure-steps, as |
| 120 |
occur often. |
| 121 |
|
| 122 |
I think this is an implementation that has a realistic approach (if what I |
| 123 |
heard on the mailinglist, that the Gentoo-developers have no problems with |
| 124 |
signing the ebuilds, is true). This doesn't impose restrictions on who can be |
| 125 |
a gentoo mirror, which is - in my vision - a good thing. Mirrors shouldn't be |
| 126 |
restricted; the more the better. |
| 127 |
|
| 128 |
This makes the installationprocess rather secure (more than it is now). If |
| 129 |
you want to secure your installation itself, read the Gentoo Security Guide. |
| 130 |
|
| 131 |
Now go ahead and shoot holes in this one :) |
| 132 |
|
| 133 |
Wkr, |
| 134 |
Sven Vermeulen |
| 135 |
|
| 136 |
-- |
| 137 |
Fighting for peace is like fucking for virginity. |
Archives