Gentoo Archives: gentoo-user

From: Vaeth <vaeth@××××××××××××××××××××××××.de>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
Date: Tue, 16 Sep 2008 17:15:10
1 Neil Bothwick wrote:
3 > On Tue, 16 Sep 2008 17:29:16 +0200 (CEST), Vaeth wrote:
4 >
5 > > > If you are using NAT on the router, you have to explicitly forward
6 > > > that port somewhere for it to work. [...]
7 > >
8 > > Except that this is not completely true [...]
9 >
10 > "So the router maintains a database of current connections
12 This is not true for a standard NAT router. Only special routers with
13 additional functionality can do this. Not to mention that occassionally
14 also bugs in the implementations of such routers are found (e.g. using
15 DOS to attempt a database overflow is an attack which comes to mind in
16 the "generic" case).
17 In any case, it depends on how much you can trust the router, while if
18 the port is not open on your machine you do not have such a risk at
19 all. So why take an unnecessary risk?
21 > In addition, the default rsyncd configuration with Gentoo uses a chroot
22 > jail.
24 Also a chroot jail is not a security feature: There are several ways known
25 how to break out. Well, if you use grsecurity (hardened-sources), at least
26 the most gapping security holes are closed in this respect, but also this
27 is no guarantee and can hinder you when you have other uses for chroot.
28 Not to speak that rsyncd introduces additional code anyway,
29 which might also be vulnerable in an unexpected manner (e.g. in connection
30 with a kernel bug or who-knows-what).
32 > After all, isn't that exactly how Gentoo mirrors work?
34 If you offer something on the net you have certainly an increased
35 risk that the corresponding machine is compromised - every mirror
36 administrator is aware of this (or at least he should be so). But
37 there is no reason to take any such sort of risk in a network which
38 is not supposed to offer services to other people.