On Thu, Mar 20, 2008 at 6:45 AM, Florian Philipp
<lists@f_philipp.fastmail.net> wrote:
> Hi list!
>
> Am I right that there is currently no way portage tries to verify that
> the rsync-mirror is not spoofed?
>
> Doesn't that pose a major threat? If I were able to manipulate the
> domain name resolution, I could easily trick gentooers into making false
> updates and thus executing a malicious program with root permissions on
> their machine.
>
>
> So, why isn't there some kind of public key authentication going on, at
> least optionally?
>
> By the way: How does gentoo's gpg-feature work? The man-page doesn't
> contain an explanation.
>

An attacker would need to be able to manipulate both the rsync server
and the actual downloaded packages, since Portage verifies checksums
(RMD160, SHA1, SHA256, size). This is possible, as you mentioned,
using DNS spoofing.

I guess one solution would be to resolve your rsync server's IP
address once (e.g. at boot) and include an IPtables rule for it
specifically. My BASH is not very good, but e.g.:

#!/bin/bash
# Variables the original snippet used but never set (assumed values, adjust):
IPT=/sbin/iptables      # iptables binary
EXTIF=eth0              # external interface
EXTIP=192.0.2.10        # this host's address on $EXTIF
RSYNC=873               # rsync port (the service name 'rsync' also works)

# Host part of SYNC="rsync://host/path" in make.conf; quotes are stripped
# first so they do not end up in the host name.
FOO="$(grep '^SYNC=' /etc/make.conf | tr -d '"'"'" | sed 's/.*rsync:\/\/\([^ ]*\)/\1/')"
BAR="${FOO%%/*}"

# Resolve the mirror once. rsync.gentoo.org is a round-robin name, so take
# every IPv4 address it returns (nslookup | head -2 | tail -1 kept only one).
IP="$(getent ahostsv4 "$BAR" | awk '{print $1}' | sort -u)"

for i in $IP
do
    $IPT -A OUTPUT -o "$EXTIF" -p tcp -s "$EXTIP" -d "$i" --dport "$RSYNC" \
        --syn -m state --state NEW -j ACCEPT
    # The server's replies belong to the connection we opened; it never sends
    # a bare SYN, so an INPUT rule with --syn/--state NEW would match nothing.
    $IPT -A INPUT -i "$EXTIF" -p tcp -s "$i" -d "$EXTIP" --sport "$RSYNC" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
done


Assuming your /etc/resolv.conf was secure at boot, this (I think)
would protect your machine from DNS-related attacks. Perhaps others
who are more knowledgeable can chip in here.

Sincerely,
Mansour Moufid
--
gentoo-security@l.g.o mailing list
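To make the checksum point above concrete, here is an added example (it is not code from this thread and not Portage's own implementation) that parses a Manifest2 DIST line, checks a distfile on size, RMD160, SHA1 and SHA256 the way Portage does, and then shows why an attacker who controls the rsync tree as well as the distfile gets past that check: they simply regenerate the Manifest. The file name foo-1.0.tar.bz2, the Manifest line and the distfile bytes are constructed for the example (the three-byte file "abc" is used so the digests are the published test vectors); RMD160 is skipped when the local hashlib build lacks it.

```python
import hashlib

# Manifest2 digest names -> hashlib names.  RMD160 is missing from hashlib
# on many OpenSSL 3 builds; it is then skipped rather than faked.
HASH_NAMES = {"RMD160": "ripemd160", "SHA1": "sha1", "SHA256": "sha256"}


def parse_manifest(text):
    """Parse DIST lines of a Manifest2 file into {filename: (size, {ALGO: hex})}.

    Line format: DIST <file> <size> <ALGO> <hex> [<ALGO> <hex> ...]
    """
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "DIST":
            continue
        name, size, pairs = fields[1], int(fields[2]), fields[3:]
        if len(pairs) % 2:
            raise ValueError("malformed DIST line: %r" % line)
        digests = {pairs[i].upper(): pairs[i + 1].lower()
                   for i in range(0, len(pairs), 2)}
        entries[name] = (size, digests)
    return entries


def compute_digests(data, algos):
    """Digest DATA with every algorithm in ALGOS that this hashlib supports."""
    out = {}
    for algo in algos:
        try:
            h = hashlib.new(HASH_NAMES[algo])
        except (KeyError, ValueError):
            continue  # unknown to the Manifest format, or not in this hashlib
        h.update(data)
        out[algo] = h.hexdigest()
    return out


def verify_distfile(entry, data):
    """Check size and every supported digest; return (ok, list of failures)."""
    size, digests = entry
    failures = []
    if len(data) != size:
        failures.append("size: expected %d, got %d" % (size, len(data)))
    actual = compute_digests(data, digests)
    if not actual:
        failures.append("no digest in the Manifest is supported here")
    for algo, want in digests.items():
        if algo in actual and actual[algo] != want:
            failures.append("%s mismatch" % algo)
    return (not failures, failures)


def make_dist_line(filename, data):
    """Write the DIST line for DATA, exactly as a tree owner (or a tree
    spoofer) regenerates it after replacing a distfile."""
    digests = compute_digests(data, HASH_NAMES)
    parts = ["DIST", filename, str(len(data))]
    for algo in ("RMD160", "SHA1", "SHA256"):
        if algo in digests:
            parts += [algo, digests[algo]]
    return " ".join(parts)


# Constructed sample: the distfile is the three bytes "abc", so the digests
# below are the standard test vectors for each algorithm.
GENUINE_DISTFILE = b"abc"
GENUINE_MANIFEST = (
    "DIST foo-1.0.tar.bz2 3 "
    "RMD160 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc "
    "SHA1 a9993e364706816aba3e25717850c26c9cd0d89d "
    "SHA256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n"
)
TAMPERED_DISTFILE = b"abc; rm -rf / # trojaned"


def spoofed_mirror_scenario():
    """Return (genuine_ok, tampered_vs_genuine_ok, tampered_vs_rewritten_ok).

    The middle value is what saves a user whose distfile mirror alone was
    spoofed.  The last value is why spoofing the rsync tree as well defeats
    the checksums: the attacker ships a Manifest matching the trojaned file.
    """
    name = "foo-1.0.tar.bz2"
    genuine = parse_manifest(GENUINE_MANIFEST)[name]
    rewritten = parse_manifest(make_dist_line(name, TAMPERED_DISTFILE))[name]
    return (
        verify_distfile(genuine, GENUINE_DISTFILE)[0],
        verify_distfile(genuine, TAMPERED_DISTFILE)[0],
        verify_distfile(rewritten, TAMPERED_DISTFILE)[0],
    )


if __name__ == "__main__":
    print(spoofed_mirror_scenario())
```

The third result is the whole argument for signing the tree rather than only hashing distfiles: the digests are trustworthy exactly as far as the Manifest that carries them is, and a spoofed rsync mirror hands out the Manifest too.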