Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Security during emerge --sync
View unanswered posts
View posts from last 24 hours

Goto page 1, 2  Next  
Reply to topic    Gentoo Forums Forum Index Gentoo Chat
View previous topic :: View next topic  
Author Message
pavel_prochazka
n00b
n00b


Joined: 29 Sep 2008
Posts: 26

PostPosted: Wed Nov 05, 2014 8:44 am    Post subject: Security during emerge --sync Reply with quote

Hi there,
Just a short question about protection of mirrors. I mean when I provide

Code:

emerge --sync


I check carefully where the sync server is located. For example I cancel the synchronization process, when the server is situated in Ukraine (especially the eastern part). My question is if I'm paranoid that somebody can insert some a harmful software into a particular mirror such that it will be scheduled to merge after synchronization (I have no background in the network security - I'm just an inferior Gentoo user 8) ).

Pavel
Back to top
View user's profile Send private message
apathetic
n00b
n00b


Joined: 28 Aug 2014
Posts: 24

PostPosted: Wed Nov 05, 2014 12:11 pm    Post subject: Re: Security during emerge --sync Reply with quote

pavel_prochazka wrote:
Hi there,
Just a short question about protection of mirrors. I mean when I provide

Code:

emerge --sync


I check carefully where the sync server is located. For example I cancel the synchronization process, when the server is situated in Ukraine (especially the eastern part). My question is if I'm paranoid that somebody can insert some a harmful software into a particular mirror such that it will be scheduled to merge after synchronization (I have no background in the network security - I'm just an inferior Gentoo user 8) ).

Pavel


Actually, this is quite possible.
Back to top
View user's profile Send private message
GrueXYZ
Tux's lil' helper
Tux's lil' helper


Joined: 16 Aug 2010
Posts: 79

PostPosted: Wed Nov 05, 2014 12:28 pm    Post subject: Re: Security during emerge --sync Reply with quote

apathetic wrote:

Actually, this is quite possible.


What an apathetic reply. :mrgreen:

Otherwise, check the handbook on how to fetch a validated, signed tree. Just keep in mind you can't rsync modified parts only, you have to download the entire, signed tarball which is done automatically:

https://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=3#webrsync-gpg

Also, each port is using hashes to check the patches and binaries it downloads, so that's an additional level of protection (since those hashes are "validated" in the context of downloading a validated portage tarball). That said, of course nothing is absolute in security and "stuff" can happen, but that is not specific to gentoo.
Back to top
View user's profile Send private message
hasufell
Developer
Developer


Joined: 29 Oct 2011
Posts: 260

PostPosted: Fri Nov 07, 2014 3:04 am    Post subject: Reply with quote

I've said that before: never use rsync to update your tree. It's so inherently insecure that it's embarrassing that we still provide it. Manifest signing is still not enforced and inconsistent. Eclasses are NOT signed whatsoever and would be my first target.

Only use the signed tarballs.
Back to top
View user's profile Send private message
Ant P.
Advocate
Advocate


Joined: 18 Apr 2009
Posts: 2592
Location: UK

PostPosted: Fri Nov 07, 2014 4:15 am    Post subject: Reply with quote

Okay, that... was a very needed wakeup call. Thank you.

I'll be doing that next time I sync, even though I'm using half a dozen overlays that are objectively worse... Hopefully Paludis has enough of this built in to make it easy, but if it doesn't I'll *make* it work.
_________________
runit-init howto | Overlay
Back to top
View user's profile Send private message
hasufell
Developer
Developer


Joined: 29 Oct 2011
Posts: 260

PostPosted: Fri Nov 07, 2014 1:15 pm    Post subject: Reply with quote

Paludis can handle overlays internally, however you can still use emerge-webrsync and layman to update stuff. If you use layman, you have to create the repository conf files yourself ofc.
Back to top
View user's profile Send private message
sera
Developer
Developer


Joined: 29 Feb 2008
Posts: 1012
Location: CET

PostPosted: Fri Nov 07, 2014 3:05 pm    Post subject: Reply with quote

Ant P. wrote:
Okay, that... was a very needed wakeup call. Thank you.

I'll be doing that next time I sync, even though I'm using half a dozen overlays that are objectively worse... Hopefully Paludis has enough of this built in to make it easy, but if it doesn't I'll *make* it work.


There are tar syncers, though non which supports deltas afair, however, I'm positive your are capable of wrapping emerge-delta-webrsync in a custom paludis syncer should you wish.
Back to top
View user's profile Send private message
user
Tux's lil' helper
Tux's lil' helper


Joined: 08 Feb 2004
Posts: 133

PostPosted: Fri Nov 07, 2014 9:26 pm    Post subject: Reply with quote

By the way:
Is there any hope that we will see a daily signed portage squashfs xz-compressed file again?
Last portage sqfs dated from mar 2014.

squashfs can directly mounted as /usr/portage without the need of extracting tar archives.
Back to top
View user's profile Send private message
kernelOfTruth
Watchman
Watchman


Joined: 20 Dec 2005
Posts: 5743
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Sat Nov 08, 2014 2:03 am    Post subject: Reply with quote

Ant P. wrote:
Okay, that... was a very needed wakeup call. Thank you.

I'll be doing that next time I sync, even though I'm using half a dozen overlays that are objectively worse... Hopefully Paludis has enough of this built in to make it easy, but if it doesn't I'll *make* it work.


indeed !

seems like the only overlay, which I use, that solely relies on rsync is zugaina

will probably have to remove it for security reasons, then ... & add stuff from it manually ...


thanks hasufell :!:
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.3.0-r2
2.6.37.2_plus_v1: BFS, CFS,THP,compaction, zcache or TOI
Hardcore Linux user since 2004 :D
Back to top
View user's profile Send private message
tld
l33t
l33t


Joined: 09 Dec 2003
Posts: 879

PostPosted: Sat Nov 08, 2014 4:36 pm    Post subject: Re: Security during emerge --sync Reply with quote

GrueXYZ wrote:

Otherwise, check the handbook on how to fetch a validated, signed tree. Just keep in mind you can't rsync modified parts only, you have to download the entire, signed tarball which is done automatically:

https://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=2&chap=3#webrsync-gpg

Also, each port is using hashes to check the patches and binaries it downloads, so that's an additional level of protection (since those hashes are "validated" in the context of downloading a validated portage tarball). That said, of course nothing is absolute in security and "stuff" can happen, but that is not specific to gentoo.

I have to confess, this issue actually never even occurred to me before. I suppose it should have. I'm switching to that method for sure.

Question: I usually sync the system I'm on now from the outside and sync my other Gentoo systems from this one. I assume I can just continue to use rsync when doing the latter correct?

Tom
Back to top
View user's profile Send private message
GrueXYZ
Tux's lil' helper
Tux's lil' helper


Joined: 16 Aug 2010
Posts: 79

PostPosted: Sat Nov 08, 2014 4:45 pm    Post subject: Re: Security during emerge --sync Reply with quote

tld wrote:
I assume I can just continue to use rsync when doing the latter correct?


Correct, one machine can download signed tarballs and unpack them, the others can rsync unpacked tree from it.
Back to top
View user's profile Send private message
krinn
Advocate
Advocate


Joined: 02 May 2003
Posts: 4433

PostPosted: Sat Nov 08, 2014 4:57 pm    Post subject: Reply with quote

I wonder why someone sync to random server to endup breaking it if the rsync server is from Ukraine or other.
Just sync with server you want, define them in your make.conf
It's just from a security point of view, stupid, but if you can rsync without jumping on your keyboard everytime you fall on a "bad" server country hosting, it will saved your keyboard.
If you assume Ukrainian country have more hackers, you still cannot assume Ukrainian servers are the best to hack to propagate virus or something, the best would be the more secure server, as the more secure are the more trust and the more used, and any flow in it should affect a greater number of users.
Just like assuming Ukrainian have more capable devs, so more potential hackers base, you should then assume Ukrainian servers are the best secure as they have a greater competent server admin base too.
When it comes to security, assuming anything is stupid and the best way to fall into what you were trying to avoid :)
Back to top
View user's profile Send private message
Ant P.
Advocate
Advocate


Joined: 18 Apr 2009
Posts: 2592
Location: UK

PostPosted: Thu Nov 13, 2014 12:44 am    Post subject: Reply with quote

Random thought: if someone put together a MITM proof-of-concept and gave the media snowball a little push, maybe it'd cause enough embarrassment to finally get us out of CVS hell.

I'm sure there's a few Arch users looking for payback after all the times their package manager got laughed at for doing the same thing ;)
_________________
runit-init howto | Overlay
Back to top
View user's profile Send private message
tld
l33t
l33t


Joined: 09 Dec 2003
Posts: 879

PostPosted: Thu Nov 13, 2014 5:59 pm    Post subject: Reply with quote

I got this set up and used it the other day. Everything worked fine. The instructions around this leave a little to be desired, for example (as I've seen in other posts on the forum), the key server subkeys.pgp.net in the instructions does NOT work for receiving the 0xDB6B8C1F96D8BF6D key, though keys.gnupg.net does. That really had me going.
hasufell wrote:
It's so inherently insecure that it's embarrassing that we still provide it.

Well, as I mentioned above, it still makes sense for syncing from one machine to another on a LAN for example...but using it by default isn't too good.

Tom
Back to top
View user's profile Send private message
arnvidr
Guru
Guru


Joined: 19 Aug 2004
Posts: 468
Location: Oslo, Norway

PostPosted: Fri Nov 14, 2014 10:02 am    Post subject: Reply with quote

tld wrote:
the key server subkeys.pgp.net in the instructions does NOT work for receiving the 0xDB6B8C1F96D8BF6D key
Huh, it worked for me when I did it last week.
_________________
Noone wrote:
anything
Back to top
View user's profile Send private message
GrueXYZ
Tux's lil' helper
Tux's lil' helper


Joined: 16 Aug 2010
Posts: 79

PostPosted: Fri Nov 14, 2014 11:50 am    Post subject: Reply with quote

Yeah it doesn't work today for me either. So what are the trusted alternatives, I don't really do PGP so I'm not in the loop.

http://people.skolelinux.org/pere/blog/Good_bye_subkeys_pgp_net__welcome_pool_sks_keyservers_net.html

Found that post. Any thoughts about that pool from more security-savvy folks? Why doesn't Gentoo store such keys on its own infra?
Back to top
View user's profile Send private message
frostschutz
Advocate
Advocate


Joined: 22 Feb 2005
Posts: 2464
Location: Germany

PostPosted: Fri Nov 14, 2014 2:45 pm    Post subject: Reply with quote

The last time I had malware (a suid binary that provided local root exploit) on my system, it was part of the official ebuild in the tree, signed and sealed. Not Gentoo's fault since the exploit was part of some fancy GUI software that had the best of intentions... but this kind of thing is to be expected. Gentoo users want the latest software in the tree yesterday, and no one is getting paid for doing code reviews.
_________________
Linux-User @ VServer (Debian), Desktop (Gentoo), Netbook (Ubuntu), Router (OpenWRT), PDA (Cacko), Smartphone (Android)
Back to top
View user's profile Send private message
steveL
Advocate
Advocate


Joined: 13 Sep 2006
Posts: 3043
Location: The Peanut Gallery

PostPosted: Fri Nov 14, 2014 5:25 pm    Post subject: Reply with quote

GrueXYZ wrote:
Why doesn't Gentoo store such keys on its own infra?

That's a bloody good question. It should be available at documented, fixed http and https addresses, as well as ftp.

I can't see any reason why a pubkey can't be in the portage rsync either, personally (though I'm sure someone will tell me of some..;)
Note that I don't mean for updates, but for verification.
Back to top
View user's profile Send private message
djdunn
l33t
l33t


Joined: 26 Dec 2004
Posts: 710
Location: Arrakis

PostPosted: Mon Nov 17, 2014 2:57 am    Post subject: Reply with quote

I had to fetch the key once, ctrl C it then fetch it again and it worked, i donno why
_________________
A process cannot be understood by stopping it. Understanding must move with the flow of the process, must join it and flow with it.

-The First Law of Mentat
Back to top
View user's profile Send private message
djdunn
l33t
l33t


Joined: 26 Dec 2004
Posts: 710
Location: Arrakis

PostPosted: Mon Nov 17, 2014 2:58 am    Post subject: Reply with quote

GrueXYZ wrote:
Yeah it doesn't work today for me either. So what are the trusted alternatives, I don't really do PGP so I'm not in the loop.

http://people.skolelinux.org/pere/blog/Good_bye_subkeys_pgp_net__welcome_pool_sks_keyservers_net.html

Found that post. Any thoughts about that pool from more security-savvy folks? Why doesn't Gentoo store such keys on its own infra?


like here https://www.gentoo.org/proj/en/releng/ ?
_________________
A process cannot be understood by stopping it. Understanding must move with the flow of the process, must join it and flow with it.

-The First Law of Mentat
Back to top
View user's profile Send private message
ulenrich
Veteran
Veteran


Joined: 10 Oct 2010
Posts: 1197

PostPosted: Mon Nov 17, 2014 8:49 pm    Post subject: Reply with quote

user wrote:
By the way:
Is there any hope that we will see a daily signed portage squashfs xz-compressed file again?
Last portage sqfs dated from mar 2014.

squashfs can directly mounted as /usr/portage without the need of extracting tar archives.

A Gentoo official torrent of such a portage squashfs file?
Why not? Isn't torrent a secured method of sharing?
_________________
fun2gen2
Back to top
View user's profile Send private message
steveL
Advocate
Advocate


Joined: 13 Sep 2006
Posts: 3043
Location: The Peanut Gallery

PostPosted: Tue Nov 18, 2014 3:36 am    Post subject: Reply with quote

djdunn wrote:
like here https://www.gentoo.org/proj/en/releng/ ?

Heh yeah that's an essential page; though I don't see why a pubkey itself can't be downloadable over https from a gentoo site (as well as in keyservers.)
Back to top
View user's profile Send private message
tld
l33t
l33t


Joined: 09 Dec 2003
Posts: 879

PostPosted: Mon Dec 15, 2014 5:59 pm    Post subject: Reply with quote

I just noticed something regarding emerge-webrsync that I hadn't noticed...something to be aware of:

Using "emerge --sync" has always warned me when there was a new version of portage available...recommending to update that first. It appears the same isn't true with emerge-webrsync. I just ran that and got no such warning, and happened to notice this when I went to update:

Code:
[ebuild     U  ] sys-apps/portage-2.2.14 [2.2.8-r2] USE="(ipc) -build -doc -epydoc (-selinux) -xattr (-pypy2_0%) (-python2%) (-python3%)" LINGUAS="-ru" PYTHON_TARGETS="python2_7 python3_3 (-pypy) -python3_4 (-pypy2_0%) (-python2_6%) (-python3_2%)" 876 kB


Maybe that warning is only for more major version updates(??), but I didn't think so.

Tom
Back to top
View user's profile Send private message
frostschutz
Advocate
Advocate


Joined: 22 Feb 2005
Posts: 2464
Location: Germany

PostPosted: Mon Dec 15, 2014 8:22 pm    Post subject: Reply with quote

Update portage first? I haven't done that in a long time... if it was so important, portage should do this by itself, on a world update... if it doesn't do it already.
_________________
Linux-User @ VServer (Debian), Desktop (Gentoo), Netbook (Ubuntu), Router (OpenWRT), PDA (Cacko), Smartphone (Android)
Back to top
View user's profile Send private message
tld
l33t
l33t


Joined: 09 Dec 2003
Posts: 879

PostPosted: Mon Dec 15, 2014 9:28 pm    Post subject: Reply with quote

frostschutz wrote:
Update portage first? I haven't done that in a long time... if it was so important, portage should do this by itself, on a world update... if it doesn't do it already.
You're probably right...never much thought about it. I was sort of used to getting a message after "emerge --sync" that said when a new version was available and, as I recall it always said it was "highly recommended" that you update.

Come to think of it however, portage updating itself sounds a little kludged to me, given that it would have to completely restart itself with whatever the original requested emerge command was.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Chat All times are GMT
Goto page 1, 2  Next
Page 1 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum