Gentoo Archives: gentoo-security

From: Mansour Moufid <mansourmoufid@×××××.com>
To: gentoo-security@l.g.o
Subject: Re: [gentoo-security] Portage rsync security
Date: Thu, 20 Mar 2008 11:50:08
In Reply to: [gentoo-security] Portage rsync security by Florian Philipp
On Thu, Mar 20, 2008 at 6:45 AM, Florian Philipp
<> wrote:
> Hi list! > > Am I right that there is currently no way portage tries to verify that > the rsync-mirror is not spoofed? > > Doesn't that pose a major threat? If I were able to manipulate the > domain name resolution, I could easily trick gentooers into making false > updates and thus executing a malicious program with root-permission on > their machine. > > > So, why isn't there some kind of public key authentication going on, at > least optionally? > > By the way: How does gentoo's gpg-feature work. The man-page doesn't > contain an explanation. >
An attacker would need to be able to manipulate both the rsync server and the actual downloaded packages since Portage verifies checksums (RMD160, SHA1, SHA256, size). This is possible, as you mentioned, using DNS spoofing. I guess one solution would be to resolve your rsync server's IP address once (e.g. at boot) and include an IPtables rule for it specifically. My BASH is not very good, but e.g.: RSYNC='rsync' FOO="`grep ^SYNC /etc/make.conf | sed 's/.*rsync:\/\/\([^ ]*\)/\1/'`" BAR="${FOO%/*}" IP="`nslookup $BAR | grep ^Address | sed 's/.*Address: \([^ ]*\)/\1/' | head -2 | tail -1`" for i in $IP do $IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP -d $i --dport $RSYNC --syn -m state --state NEW -j ACCEPT $IPT -A INPUT -i $EXTIF -p tcp -s $i -d $EXTIP --sport $RSYNC --syn -m state --state NEW -j ACCEPT done Assuming your /etc/resolv.conf was secure at boot, this (I think) would protect your machine from DNS related attacks. Perhaps others who are more knowledgeable can chip in here. Sincerely, Mansour Moufid -- gentoo-security@l.g.o mailing list


Subject Author
Re: [gentoo-security] Portage rsync security Mario Koppensteiner <mariok@×××××××××.org>
Re: [gentoo-security] Portage rsync security Russell Valentine <russ@×××××××××××××.org>