Gentoo Archives: gentoo-security

From: Peter Simons <simons@××××.to>
To: gentoo-security@l.g.o
Cc: Kurt Lieber <klieber@g.o>, Dan Margolis <krispykringle@g.o>
Subject: [gentoo-security] Gentoo TOTALLY secure now!!!!!!!!!!!!!!!!
Date: Thu, 11 Nov 2004 02:04:34
1 Dear Gentoo Security Experts,
3 I am very proud to announce that I have managed to perform
4 the crucial security fix assignment I have been given by
5 Kurt Lieber and Dan Margolis. After I had kissed some ass,
6 publicly humiliated myself, and swallowed a couple of dozen
7 insults, I was deemed worthy enough to do what Kurt referred
8 to as "to work with [him] to help [finding] ways to fix it".
10 For various reasons which he didn't bother to elaborate on
11 the public mailing list -- probably for good reason --, it
12 turned out that my suggested solution to the fact that
13 Gentoo users all over the Internet are completely
14 defenseless against man-in-the-middle attacks was considered
15 absolutely unfeasible.
17 So he informed me that the ONLY WAY to do anything against
18 that little glitch is to sign the daily Portage snapshot
19 that's available for download with "emerge-webrsync". This
20 does protect a flabbergasting total of ... I dunno ... maybe
21 .1 percent of the user base, so it is better than nothing.
23 Since all the Gentoo developers were unavailable to perform
24 the necessary modifications to the snapshot creation script
25 -- for the last 1.5 years -- he kindly sent it to me as a
26 MIME attachment so that I could "write the code".
28 Needless to say I was thrilled.
30 Finally my chance to prove that I am not an idiot, but an
31 idiot who also contributes to Gentoo!
33 I managed to software-engineer the necessary "patch" to make
34 the script generate a full-blown GPG signature for the
35 snapshot archive, and I would like to post the diffs here so
36 that the procedure can be peer-reviewed.
38 So without further ado, here is my contribution:
40 ---
41 +++
42 @@ -12,7 +12,7 @@
43 #
44 # Define locations for stuff
45 #
46 -
47 +SIGNKEYID="41BC28FE99089D72"
48 MASTER="xxx/xxxxxxxor/rsync" #where the master repository lives
49 TEMP="/tmp/xxxxxxx/" #working directory
50 #UPLOAD="/xx/xx/xx/xxx/upload/" #temp location for testing
51 @@ -42,7 +42,8 @@
53 /bin/tar --exclude=CVS -cjf ${FILENAME} portage
54 /usr/bin/md5sum ${FILENAME} > ${FILENAME}.md5sum
55 -/bin/mv ${FILENAME} ${FILENAME}.md5sum ${UPLOAD}
56 +/usr/bin/gpg --batch -u "${SIGNKEYID}" --armor --detach-sign --output ${FILENAME}.gpgsig ${FILENAME}
57 +/bin/mv ${FILENAME} ${FILENAME}.md5sum ${FILENAME}.gpgsig ${UPLOAD}
59 Now, this is mission-critical software and you really need
60 to be a top-notch security specialist to do this. So to make
61 sure there are no problems integrating the script into the
62 mind-blowingly fragile Gentoo main server setup, I have to
63 make a few comments to make sure nothing gets messed up
64 here.
66 Kurt, I realize that submitting my homework as a diff makes
67 matters more complicated for you. You have to save that
68 snippet above to a file and then use the utility patch(1).
69 If you have _any_ problems with this, please don't hesitate
70 to let me know, and I'll send you the complete script in
71 private e-mail.
73 Before you can use the hardened version of this software,
74 you have to customize it. Since I have NO ACCESS TO THE
75 GENTOO SERVERS, the script is tailored for my own system.
76 The casual readers of this list might want to skip the
77 following paragraphs, because it's getting really technical
78 now for a moment.
80 Everybody else please look closely at the first chunk.
81 You'll find a line like this:
83 SIGNKEYID="41BC28FE99089D72"
85 This statement assigns a variable with the ID of the key
86 that is going to be used later in the script to generate the
87 cryptographic signature. I chose to use a variable here so
88 that the key ID can be configured at the top of the script,
89 instead of burying that parameter amidst 78 lines of
90 comments, whitespace, and several complex calls to tar(1)
91 and other Unix magic. I realize that using a variable adds a
92 level of indirection which might have performance
93 implications that are difficult to predict. Kurt, should
94 this version be too slow to manage the job in time on the
95 machines, I'll remove that again, okay?
97 My point about that line is, though: This key ID will NOT
98 WORK on your machine! The reason is that to issue a
99 signature, you have to use the secret key of the GPG
100 key-pair. So although you can download a key with that ID
101 from every public key server, this will not work! You really
102 need the secret key.
104 To make the script work nonetheless you have to:
106 (1) Start appropriate text editing software. On most Gentoo
107 machines, the tool nano(1) can be used for this.
109 (2) Repeatedly hit the cursor-down button on your keyboard
110 until that white rectangle you're seeing is right over
111 that SIGNKEYID line from above.
113 (3) Stop hitting cursor-down now!
115 (4) If the white rectangle has moved past that line
116 already, then you have to hit CTRL-Z, then enter
118 kill -9 %1
120 and go back to step (1) and try again.
122 (5) Don't give up.
124 (6) If you have successfully navigated the white rectangle
125 to the line, hit cursor-right repeatedly until it has
126 reached the point right after the first double quote.
128 (7) Don't give up.
130 (8) Switch into overwrite mode and enter the ID of your
131 secret key.
133 (9) Save the modified script and exit the text editing
134 software. I'd love to give more details on this step,
135 but unfortunately the exact procedure is implementation
136 defined.
138 After you have successfully edited the key ID to match the
139 one your secret key has, you should be ready to try it out.
140 Just enter "" and see what happens.
142 What do you mean it doesn't work?
144 Hmmm. Does "./" work?
146 Doesn't either?
148 Hmmm. Ah, wait. Enter "chmod +x".
150 Good, now run the "./" command again.
152 STILL doesn't work?
154 What does it say on the screen?
156 Nothing?
158 Hahaha, now I got it. No, no, that's perfectly alright. It
159 will take a while for the script to return; that thing runs
160 a while. Yes, security-related software does require lots
161 and lots of CPU time; that really can't be helped in any
162 way, so please be patient.
164 Now, if the script has returned at last you will find the
165 following files in the Gentoo download area:
167 portage-20041109.tar.bz2
168 portage-20041109.tar.bz2.gpgsig
169 portage-20041109.tar.bz2.md5sum
171 Don't be concerned if the filenames don't match exactly.
172 These numbers depend on the t-coordinate of the system the
173 script is run on; that is a kind of unique hash to guarantee
174 that no filename collisions occur.
176 If this has succeeded, then you have a TOTALLY secure Gentoo
177 distribution now; there really is nothing left to worry
178 about.
180 Just execute "emerge sync", wait until it comes back and ...
181 everything still works, no hacker has injected any modified
182 /usr/portage/eclass/eutils.eclass file into your machine,
183 you are totally SAFE!
185 Of course, I wouldn't install any new software for the next
186 1.5 years because there remains a small, insignificant
187 chance that doing this will erase your hard disk, install
188 Red Hat Linux, or do other horrible things.
190 But you know how the old saying goes: Never change a running
191 system!
193 Exactly.
197 My instructions have been written for the final version of
198 this hardening mechanism. Right now, the "totally secure"
199 bit is not quite accurate because I still haven't gotten to
200 "patch" any of the Gentoo tools to verify that signature.
202 Or, to be perfectly honest, I have gotten to but didn't
203 manage.
205 There is some complexity to the task that wasn't quite
206 understood when I agreed to do all this for Gentoo, because
207 before I can call GPG to verify the signature, I have to
208 execute
210 source /etc/make.conf
212 to import some more variables, so that the user can
213 switch authentication on/off, set the path to the official
214 Gentoo key and all that. And frankly, it is just too damn
215 difficult.
217 Anyway, I promise I will do that ASAP. Let's see ... we have
218 2004 now ... Man, that is gonna take a while. Because, as it
219 happens, I have other stuff to do, too, you know? It's not
220 like I am getting paid for all this!
222 And besides: I simply don't give a shit.
224 Cheers,
226 Peter
228 --
229 gentoo-security@g.o mailing list