Butterworth, John W. | 6 Apr 2010 21:26

portage/rsync question

Hi.  I have a security-related question for Portage/rsync:

 

If someone makes a change to a copy of a program (say a backdoor added to apache) hosted on a public mirror, will the sync’ing between the public mirror and the main rotation mirror determine that it's corrupted (via 'bad' checksum) on the public-mirror side and replace it?

 

Thank you in advance,

-john  

 

Attachment (smime.p7s): application/x-pkcs7-signature, 3522 bytes
Volker Armin Hemmann | 6 Apr 2010 22:20

Re: portage/rsync question

On Tuesday 06 April 2010, Butterworth, John W. wrote:
> Hi.  I have a security-related question for Portage/rsync:
>
> If someone makes a change to a copy of a program (say a backdoor added to
> apache) hosted on a public mirror, will the sync'ing between the public
> mirror and the main rotation mirror determine that it's corrupted (via
> 'bad' checksum) on the public-mirror side and replace it?
>
> Thank you in advance,
>
> -john

What mirror? If he changes the apache tarball on one of the distfile mirrors or 
the apache mirrors, that one will be caught by the checksum check.

If he changes the ebuild - well...

Pavel Labushev | 6 Apr 2010 23:15

Re: portage/rsync question

On 07.04.2010 04:20, Volker Armin Hemmann wrote:

> If he changes the ebuild - well...

emerge-webrsync with webrsync-gpg FEATURE could be used to mitigate the
aforementioned risks.

shimi | 6 Apr 2010 22:26

Re: portage/rsync question



On Tue, Apr 6, 2010 at 10:26 PM, Butterworth, John W. <jbutterworth <at> mitre.org> wrote:

Hi.  I have a security-related question for Portage/rsync:

 

If someone makes a change to a copy of a program (say a backdoor added to apache) hosted on a public mirror, will the sync’ing between the public mirror and the main rotation mirror determine that it's corrupted (via 'bad' checksum) on the public-mirror side and replace it?

 


If it's hosted <at> Gentoo, if the main server is intact, the next sync will overwrite the mirror-local copy

If it's not hosted on Gentoo's mirror, Gentoo's sync'ing is unrelated (and I understand that's the scenario you refer to)

Anyways, unless the *ebuild* was *also* poisoned (which can't happen by a cracker changing stuff at apache.org), when you try to *emerge* the package, emerge will fail because Portage verifies various different hash signatures on the source files - which are embedded in the portage package tree [1].

HTH,

-- Shimi

[1] Try: cat /usr/portage/www-servers/apache/Manifest

 

Butterworth, John W. | 6 Apr 2010 22:45

RE: portage/rsync question

Thank you Shimi.  

I also came across a couple threads in my research:

http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/  and

http://thread.gmane.org/gmane.linux.gentoo.devel/38363

 

These (from back in 2006/2008) discuss potential changes to make the Gentoo software distribution system more secure. Does Portage verify various different hash signatures on the source files as a result of these recommendations or is this something Portage has always done? Does anyone know if anything (else) ever came of these proposals?

 

I’m new to the Gentoo community and am playing catch-up in regards to what’s going on.  Thank you.

-John

 


Attachment (smime.p7s): application/x-pkcs7-signature, 3522 bytes
shimi | 6 Apr 2010 23:06

Re: portage/rsync question


On Tue, Apr 6, 2010 at 11:45 PM, Butterworth, John W. <jbutterworth <at> mitre.org> wrote:

Thank you Shimi.  

I also came across a couple threads in my research:

http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/  and

http://thread.gmane.org/gmane.linux.gentoo.devel/38363

 

These (from back in 2006/2008) discuss potential changes  to make the Gentoo software distribution system more secure.   Does Portage verify various different hash signatures on the source files as a result of these recommendations or is this something Portage has always done?  Does anyone know if anything (else) ever came of these proposals?

 


This is with regards to signing; Signing also promises you that the file at Gentoo's main distribution is intact, otherwise the signing won't be valid. Verifying file integrity by hashes is unrelated; Of course, when you do sign your releases, you have to sign all the relevant stuff, including the hashes of the files, so everyone can verify that *nothing* was tampered with. But I was merely talking about verifying that the downloaded file matches what the developer who added the package had on his computer (assuming, again, that you're syncing from a reliable source, and that this reliable source, which is syncing from Gentoo's main tree, is syncing from a non-compromised tree, AND that no one MITM'd it - which is difficult to achieve when rsync traffic is not SSL with verifiable certs AND the packages themselves are not signed with PGP etc...)

Anyways, the existence of hashes for the files, if memory serves me right, has been there since before I started using Gentoo, which dates back to the end of 2003... the hash algorithms have changed over time, but that's no biggie - you can look at the Manifest file I gave as an example - you just have the hash there along with the algorithm that needs to verify it (and there's more than one...)

Sorry but I don't know about the status of actual Signing in Gentoo which is probably handled by the security people... I am merely an old user :)

HTH,

-- Shimi

Mansour Moufid | 7 Apr 2010 04:14

Re: portage/rsync question

On Tue, Apr 6, 2010 at 2:56 PM, Butterworth, John W.
<jbutterworth <at> mitre.org> wrote:
> If someone makes a change to a copy of a program (say a backdoor added to
> apache) hosted on a public mirror, will the sync’ing between the public
> mirror and the main rotation mirror determine that it's corrupted (via 'bad'
> checksum) on the public-mirror side and replace it?

Package files themselves aren't part of the Portage tree (i.e. they
aren't hosted by the Portage mirrors). Only the ebuilds (and
accompanying metadata files) are. Ebuilds (generally) will point to
the package files on public websites.

If an attacker has access to the package files (say at apache.org),
then your local Portage would indeed notice the corruption. On the
other hand, if they have access to the ebuilds and Manifest files of
the mirror you rsync to, Portage checks protect against nothing. At
that point, unless the attacker also controls the mirror server's
syncing with the main Gentoo tree, then yes, any malicious changes
would be overwritten during its next sync. That's not something to
count on.

-- 
Mansour Moufid
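Shimi's pointer to the package Manifest and Mansour's caveat about a poisoned rsync mirror describe the same check from two sides. The following is an added example that re-implements that check in Python; it is not Portage's own code and was not posted by anyone in the thread. It assumes the Manifest2 line layout (`TYPE filename size ALGO hexdigest [ALGO hexdigest ...]`). The tarball bytes, the file names, the Manifest text and the "backdoor" edit are all constructed here so the script runs offline.

```python
"""Manifest-style distfile verification (added illustration, not Portage's own code).

Portage compares a fetched distfile with the DIST entry in the package's
Manifest: the size and every listed digest must match. This re-implements
that check on a constructed archive and a Manifest generated from it, then
runs the two attacks the thread discusses: a tampered archive on a distfile
or upstream mirror, and a tampered rsync tree that carries its own Manifest.
"""
import hashlib

# Manifest2 entry types. Only DIST entries describe fetched source archives.
ENTRY_TYPES = ("DIST", "EBUILD", "AUX", "MISC")

# Manifest digest names -> hashlib names (RMD160 is missing from many builds).
HASH_NAMES = {"SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512",
              "RMD160": "ripemd160", "WHIRLPOOL": "whirlpool"}


def make_manifest_line(entry_type, filename, data, algos=("SHA1", "SHA256")):
    """Build one Manifest2 line: TYPE name size ALGO hex [ALGO hex ...]."""
    parts = [entry_type, filename, str(len(data))]
    for algo in algos:
        parts += [algo, hashlib.new(HASH_NAMES[algo], data).hexdigest()]
    return " ".join(parts)


def parse_manifest(text):
    """Map (type, filename) -> (size, {ALGO: hexdigest}) for every entry."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines and any PGP clearsign wrapper. This parser checks
        # no signature at all, which is exactly the gap the thread is about.
        if len(fields) < 5 or fields[0] not in ENTRY_TYPES:
            continue
        size, digests = int(fields[2]), dict(zip(fields[3::2], fields[4::2]))
        entries[(fields[0], fields[1])] = (size, digests)
    return entries


def verify_distfile(manifest_text, filename, data):
    """Return (ok, reason); ok only if size and every checkable digest match."""
    entry = parse_manifest(manifest_text).get(("DIST", filename))
    if entry is None:
        return False, "no DIST entry for %s" % filename
    size, digests = entry
    if len(data) != size:
        return False, "size mismatch"
    checked = 0
    for algo, expected in digests.items():
        name = HASH_NAMES.get(algo)
        if name is None or name not in hashlib.algorithms_available:
            continue  # unknown or unavailable digest: cannot be checked here
        if hashlib.new(name, data).hexdigest() != expected:
            return False, "%s mismatch" % algo
        checked += 1
    return (checked > 0), ("ok" if checked else "no checkable digest")


# Constructed sample data: a stand-in archive and the Manifest a developer
# would commit next to the ebuild. All names here are invented for the example.
TARBALL_NAME = "httpd-example.tar.bz2"
GOOD_TARBALL = b"\x42\x5a\x68" + b"pretend apache source archive\n" * 16
MANIFEST = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----",
    "Hash: SHA256",
    "",
    make_manifest_line("DIST", TARBALL_NAME, GOOD_TARBALL),
    make_manifest_line("EBUILD", "apache-example.ebuild", b"# ebuild text\n"),
    "-----BEGIN PGP SIGNATURE-----",
    "(signature block omitted in this constructed sample)",
    "-----END PGP SIGNATURE-----",
])
# Same-length corruption, so the size check alone will not catch it.
BACKDOORED = GOOD_TARBALL[:-9] + b"backdoor\n"


def scenario_tampered_distfile():
    """Archive replaced on a distfile or upstream mirror; Manifest untouched."""
    return verify_distfile(MANIFEST, TARBALL_NAME, BACKDOORED)


def scenario_tampered_tree():
    """Attacker controls the rsync mirror and rewrites the Manifest line too."""
    evil_manifest = make_manifest_line("DIST", TARBALL_NAME, BACKDOORED)
    return verify_distfile(evil_manifest, TARBALL_NAME, BACKDOORED)


if __name__ == "__main__":
    print("intact:           ", verify_distfile(MANIFEST, TARBALL_NAME, GOOD_TARBALL))
    print("tampered distfile:", scenario_tampered_distfile())
    print("tampered tree:    ", scenario_tampered_tree())
```

The first scenario is the case Volker and Shimi describe: the archive changes, the Manifest does not, and the digest comparison fails. The second is Mansour's: whoever can rewrite the tree can rewrite the Manifest to match, and a hash-only check passes. Only a signature over the Manifest (or over the whole snapshot, which is what Pavel's `FEATURES="webrsync-gpg"` with the release key in `PORTAGE_GPG_DIR` verifies) distinguishes the two.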

Butterworth, John W. | 7 Apr 2010 17:06

RE: portage/rsync question

So to avoid "spamming" with 20+ Thank You emails I'll send out just one and thank you all collectively for the
information provided (I hope this isn't rude - I'm not sure of proper protocol in this situation).  

I have a lot more insight now and some new ideas of where I need to look to learn more.  This is a great community
and it reflects in the OS - I don't know why I waited so long to try Gentoo.(??)!
-john


Attachment (smime.p7s): application/x-pkcs7-signature, 3522 bytes
