Mailing List Archive

portage/rsync question
Hi. I have a security-related question for Portage/rsync:



If someone makes a change to a copy of a program (say a backdoor added to
apache) hosted on a public mirror, will the sync'ing between the public
mirror and the main rotation mirror determine that it's corrupted (via 'bad'
checksum) on the public-mirror side and replace it?



Thank you in advance,

-john
Re: portage/rsync question
On Dienstag 06 April 2010, Butterworth, John W. wrote:
> Hi. I have a security-related question for Portage/rsync:
>
>
>
> If someone makes a change to a copy of a program (say a backdoor added to
> apache) hosted on a public mirror, will the sync'ing between the public
> mirror and the main rotation mirror determine that it's corrupted (via
> 'bad' checksum) on the public-mirror side and replace it?
>
>
>
> Thank you in advance,
>
> -john

What mirror? If he changes the apache tarball on one of the distfile mirrors or
the apache mirrors, that one will be caught by the checksum check.

If he changes the ebuild - well...
Re: portage/rsync question
On Tue, Apr 6, 2010 at 10:26 PM, Butterworth, John W. <
jbutterworth@mitre.org> wrote:

> Hi. I have a security-related question for Portage/rsync:
>
>
>
> If someone makes a change to a copy of a program (say a backdoor added to
> apache) hosted on a public mirror, will the sync’ing between the public
> mirror and the main rotation mirror determine that it's corrupted (via 'bad'
> checksum) on the public-mirror side and replace it?
>
>
>
>
If it's hosted @ Gentoo, if the main server is intact, the next sync will
overwrite the mirror-local copy

If it's not hosted on Gentoo's mirror, Gentoo's sync'ing is unrelated
(and I understand that's the scenario you refer to)

Anyways, unless the *ebuild* was *also* poisoned (which can't happen by a
cracker changing stuff at apache.org), when you try to *emerge* the package,
emerge will fail because Portage verifies various different hash signatures
on the source files - which are embedded in the portage package tree [1].

HTH,

-- Shimi

[1] Try: cat /usr/portage/www-servers/apache/Manifest
RE: portage/rsync question
Thank you Shimi.

I also came across a couple threads in my research:

http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/ and

http://thread.gmane.org/gmane.linux.gentoo.devel/38363



These (from back in 2006/2008) discuss potential changes to make the Gentoo software distribution system more secure. Does Portage verify various different hash signatures on the source files as a result of these recommendations or is this something Portage has always done? Does anyone know if anything (else) ever came of these proposals?



I’m new to the Gentoo community and am playing catch-up in regards to what’s going on. Thank you.

-John



From: shimi [mailto:shimi@shimi.net]
Sent: Tuesday, April 06, 2010 4:27 PM
To: gentoo-security@lists.gentoo.org
Cc: Butterworth, John W.
Subject: Re: [gentoo-security] portage/rsync question





Re: portage/rsync question
On Tue, Apr 6, 2010 at 11:45 PM, Butterworth, John W. <
jbutterworth@mitre.org> wrote:

> Thank you Shimi.
>
> I also came across a couple threads in my research:
>
>
> http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/
> and
>
> http://thread.gmane.org/gmane.linux.gentoo.devel/38363
>
>
>
> These (from back in 2006/2008) discuss potential changes to make the
> Gentoo software distribution system more secure. Does Portage verify
> various different hash signatures on the source files as a result of these
> recommendations or is this something Portage has always done? Does anyone
> know if anything (else) ever came of these proposals?
>
>
>

This is with regards to signing; Signing also promises you that the file at
Gentoo's main distribution is intact, otherwise the signing won't be valid.
Verifying files' integrity by hashes is unrelated; Of course, when you do
sign your releases, you have to sign all the relevant stuff, including the
hashes of the files, so everyone can verify that *nothing* was tampered with. But
I was merely talking about verifying that the downloaded file matches what
the developer who added the package had on his computer (assuming, again,
that you're syncing from a reliable source, and that this reliable source,
who is syncing from Gentoo's main tree, is syncing from a non-compromised
tree, AND that no one MITM'd it - which is difficult to achieve when rsync
traffic is not SSL with verifiable certs AND the packages themselves not
signed with PGP etc...)

Anyways, the existence of hashes for the files, if memory serves me right,
has been there before I started using Gentoo, which dates back to the end of
2003... the hash algorithms have changed over time, but that's no biggie -
you can look at the Manifest file I gave as example - you just have the hash
there along with the algorithm that needs to verify it (and there's more
than one...)

Sorry but I don't know about the status of actual Signing in Gentoo which is
probably handled by the security people... I am merely an old user :)

HTH,

-- Shimi
Re: portage/rsync question
07.04.2010 04:20, Volker Armin Hemmann wrote:

> If he changes the ebuild - well...

emerge-webrsync with webrsync-gpg FEATURE could be used to mitigate the
aforementioned risks.
Re: portage/rsync question
On Tue, Apr 6, 2010 at 2:56 PM, Butterworth, John W.
<jbutterworth@mitre.org> wrote:
> If someone makes a change to a copy of a program (say a backdoor added to
> apache) hosted on a public mirror, will the sync’ing between the public
> mirror and the main rotation mirror determine that it's corrupted (via 'bad'
> checksum) on the public-mirror side and replace it?

Package files themselves aren't part of the Portage tree (i.e. they
aren't hosted by the Portage mirrors). Only the ebuilds (and
accompanying metadata files) are. Ebuilds (generally) will point to
the package files on public websites.

If an attacker has access to the package files (say at apache.org),
then your local Portage would indeed notice the corruption. On the
other hand, if they have access to the ebuilds and Manifest files of
the mirror you rsync to, Portage checks protect against nothing. At
that point, unless the attacker also controls the mirror server's
syncing with the main Gentoo tree, then yes, any malicious changes
would be overwritten during its next sync. That's not something to
count on.

--
Mansour Moufid
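A small model of the Manifest check discussed in the thread, added here as an example (not code from the thread, nor Portage's own implementation): it parses Manifest2-style DIST lines, verifies a distfile the way the replies describe (size plus every listed digest), and then runs the two cases Shimi and Mansour distinguish: a backdoored tarball checked against an intact Manifest is caught, while an attacker who also rewrites the Manifest on the rsync mirror passes every hash check, which is the gap that tree signing (emerge-webrsync with the webrsync-gpg FEATURE) is meant to close. The distfile bytes, the Manifest contents and the SHA256/SHA512 algorithm set are constructed for this example; the actual set of hashes in Gentoo Manifests has changed over time, as Shimi notes.

```python
import hashlib

# Constructed stand-in for a distfile such as the apache tarball the thread mentions.
DIST_NAME = "httpd-2.2.15.tar.bz2"  # name only; the bytes below are made up
SAMPLE_DISTFILE = b"constructed sample bytes standing in for the apache tarball\n"

def manifest_line(name: str, data: bytes, algos=("SHA256", "SHA512")) -> str:
    """Build a Manifest2-style DIST entry: DIST <name> <size> <ALGO> <hex> [...]."""
    fields = ["DIST", name, str(len(data))]
    for algo in algos:
        fields += [algo, hashlib.new(algo.lower(), data).hexdigest()]
    return " ".join(fields)

def parse_manifest(text: str) -> dict:
    """Map distfile name -> (size, {ALGO: hexdigest}) from the DIST lines of a Manifest."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip EBUILD/MISC/AUX lines and anything without complete ALGO/hex pairs.
        if len(parts) < 5 or parts[0] != "DIST" or len(parts) % 2 == 0:
            continue
        entries[parts[1]] = (int(parts[2]), dict(zip(parts[3::2], parts[4::2])))
    return entries

def verify_distfile(manifest: dict, name: str, data: bytes) -> bool:
    """Portage-style check: the size and every listed digest must match the bytes."""
    if name not in manifest or len(data) != manifest[name][0]:
        return False
    for algo, expected in manifest[name][1].items():
        try:
            actual = hashlib.new(algo.lower(), data).hexdigest()
        except ValueError:  # algorithm unknown to this checker: fail closed
            return False
        if actual != expected:
            return False
    return True

def scenario_tampered_distfile() -> bool:
    """Backdoor added at the distfile host, Manifest from the tree intact -> caught (False)."""
    manifest = parse_manifest(manifest_line(DIST_NAME, SAMPLE_DISTFILE))
    return verify_distfile(manifest, DIST_NAME, SAMPLE_DISTFILE + b"backdoor\n")

def scenario_tampered_mirror() -> bool:
    """Attacker controls the rsync mirror and rewrites the Manifest too -> passes (True)."""
    tampered = SAMPLE_DISTFILE + b"backdoor\n"
    manifest = parse_manifest(manifest_line(DIST_NAME, tampered))
    return verify_distfile(manifest, DIST_NAME, tampered)
```

The second scenario passing is the point of Mansour's reply: hashes in the tree only bind the distfile to the Manifest, so the Manifest itself needs a signature you can check locally.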
RE: portage/rsync question
So to avoid "spamming" with 20+ Thank You emails I'll send out just one and thank you all collectively for the information provided (I hope this isn't rude - I'm not sure of proper protocol in this situation).

I have a lot more insight now and some new ideas of where I need to look to learn more. This is a great community and it reflects in the OS - I don't know why I waited so long to try Gentoo.(??)!
-john

-----Original Message-----
From: Mansour Moufid [mailto:mansourmoufid@gmail.com]
Sent: Tuesday, April 06, 2010 10:15 PM
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] portage/rsync question
