Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Gentoo portage security
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Kasumi_Ninja
Veteran
Veteran


Joined: 18 Feb 2006
Posts: 1825
Location: The Netherlands

PostPosted: Thu Jun 09, 2011 6:08 pm    Post subject: Gentoo portage security Reply with quote

I'm trying to figure out the current state of Gentoo's portage security. If I understand correctly less than 3000 ebuild are signed. This means that if rsync mirror is compromised ebuilds can be manipulated to install malicious software on a users pc syncing with this mirror. Is this correct? And if so is this real risk or more a hypothetical scenario?
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 46666
Location: 56N 3W

PostPosted: Thu Jun 09, 2011 6:55 pm    Post subject: Reply with quote

Kasumi_Ninja,

Full tree signing is a work in progress. I can find the GLEPs if you want to know the proposals and current state.

If a Gentoo rsync mirror were compromised and ebuilds were tampered with than anything is possible.
The ebuilds could be directed to download sources from anywhere and the manifests could be made to match.

The attacker would need to stop the compromised rsync server resyncing with the master mirror, or the attack would last at most 30 minutes as thats how ofter rsync mirrors sync.

Further, users can detect and avoid stale servers.

Such an attack would need both a break in and root exploit. While what you say is possible in theory, there are easier targets to compromise.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
Kasumi_Ninja
Veteran
Veteran


Joined: 18 Feb 2006
Posts: 1825
Location: The Netherlands

PostPosted: Thu Jun 09, 2011 7:43 pm    Post subject: Reply with quote

There is a bug report which hasn't been updated in a while reject commits of unsigned Manifest files to the tree. Is there any news about the status of rejecting commits of unsigned Manifests?

How do users detect stale servers? I think you've explained very well that it is more an hypothetical than a real world risk. Which makes me wonder what is the difference between Arch Linux unsigned repositories en Gentoo's Portage?
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved. Help answer the unanswered
Back to top
View user's profile Send private message
m0p
Apprentice
Apprentice


Joined: 20 Jun 2005
Posts: 205
Location: en_GB

PostPosted: Fri Jun 10, 2011 10:46 am    Post subject: Reply with quote

If you're worried about compromised rsync mirrors, use emerge-webrsync with FEATURES="webrsync-gpg" to grab a signed snapshot. Just set PORTAGE_GPG_DIR="/etc/portage/gpg" and add the relevant key with --homedir=/etc/portage/gpg in the args and you're sorted.

The contents of the tree being signed is another matter, but if that gets compromised, there'll be trouble anyway.
Back to top
View user's profile Send private message
cyberjun
Apprentice
Apprentice


Joined: 06 Nov 2005
Posts: 293

PostPosted: Sat Jun 11, 2011 3:52 am    Post subject: Reply with quote

Hi,
Do you think selecting 3 random mirrors to download manifest files for a given ebuild before proceeding with a merge operation could be a good idea?
This way even if one of the mirrors is compromised, the other manifest files will not match. Then portage can flag an error and exit.

--cyberjun
Back to top
View user's profile Send private message
webdawg
n00b
n00b


Joined: 26 Jul 2006
Posts: 34

PostPosted: Fri Aug 19, 2011 2:27 am    Post subject: Interest In This Reply with quote

So can I or can I not be sure if I am getting the right files? What is to stop someone from injecting bad packages and sums into my gentoo updates? This seems like the.very thing a.group would want to do when they.would like to comprimise a system.

This is one of the.main reasons that I want to move from arch. No signed packages.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 16178

PostPosted: Fri Aug 19, 2011 3:46 am    Post subject: Reply with quote

You cannot be sure you are getting the right packages. Even if you were sure of the distfile checksum, most ebuilds pull in one or more eclasses which are not cryptographically verified.
Back to top
View user's profile Send private message
webdawg
n00b
n00b


Joined: 26 Jul 2006
Posts: 34

PostPosted: Fri Aug 19, 2011 7:36 pm    Post subject: Gentoo Security Reply with quote

Hmm. Not good my friend. Eclasses? You mean external downloads? I would be satisfied with sha256 sigs of the external files and just have those sums verified.
Back to top
View user's profile Send private message
Hu
Moderator
Moderator


Joined: 06 Mar 2007
Posts: 16178

PostPosted: Sat Aug 20, 2011 1:07 am    Post subject: Reply with quote

I mean the files that show up when you run find ${PORTDIR:-/usr/portage}/eclass -name '*.eclass'. As far as I know, Portage does not even verify a digest for those files before importing them. However, my information may be stale. It has been a couple of years since I read on it in detail.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum