On Wednesday, October 30, 2002, at 03:35 AM, Guillaume Rousse wrote:

[...]
hacks into a mirror, and starts replacing updates packages with trojans
that are signed with the PLF key? urpmi will install them without
complaint. Now, I'm not saying the PLF folks are going to do this...
=) This could easily be someone stealing their private key and doing
it.
OK, remind me to implement some specific backdoors in all our packages:

%postun
if [ "$USER" = "vdanen" ]; then
    # do some really nasty stuff here
    # echo "\/\/3 0wN Y0U d1RtY FUd3r"
fi
hehehe... I like... =)

[...]
Yup, my thought exactly. Also, urpmi would need to change before I'd
advocate something like this. With apt you can define a key
fingerprint that matches a particular source. For instance, one could
map the security key fp to the updates source; the mdksoft official key
to the cooker or distrib (ie. cd's) source. The logical step is then
to map the rpmhelp key to rpmhelp.net, plf's key to plf, etc.

Until urpmi can do this (Francois?), we shouldn't entertain this idea.
It opens up too many possibilities I'm not comfortable with. Having
urpmi do this sort of checking would make it a lot safer and, as a
result, a good idea. But it's not a good idea with urpmi as it is now.

This is actually something I've thought about for a while, but never
brought up (dunno why). I'd like to see urpmi become more popular, and
possibly adopted by other distros. A fellow locally tried to get urpmi
working on a RH system... he couldn't rebuild it, but he could install
it. From what I understood, his preliminary tests worked (ie. he could
"urpmi djbdns-localcache" and it worked, even if the packages
themselves wouldn't work as they're highly mdk-specific).

Francois? What do you think about adding this feature? It could be
something configurable in a /etc/urpmi/sigs.conf or something; if there
is no entry for a mirror, then do the normal thing, but if the entry
exists, not only check that the gpg sig is ok, but make sure the fp
matches the appropriate source.

Just a thought.  What do you guys think?
The whole idea is interesting, but I don't understand why those keys have to
be in a package, not in just another file with other urpmi data files.
Because then it's easy to forge. There has to be some form of authentication there. If we put RPM-GPG-KEYS files on the mirrors, what happens if a mirror gets tampered with? Someone can replace that file with their own key easily. If urpmi automatically adds it to the keyring, and there's a trojan rpm, signed with that trojaned key, then urpmi will happily install it as it passes the gpg key check. By the time someone notices it, it will be too late for other people. This is one reason why, in updates, the md5sums files are signed. That way if it's tampered with, someone will know quickly.

Moreover, gpg itself has a nice auto-retrieve option for automatic download of
missing keys from a keyserver. Provided keys used for signing packages are
available there, it seems sufficient to me.
I never use this. I don't like keys being automatically added to my keyring. It's too easy for abuse. If someone is root and reads an email that is signed by some key and it is automatically retrieved, that key will be added to the keyring. That unknown individual can do the same thing then... trojan an rpm, sign it with their key (which I automatically downloaded) and again urpmi passes the check.

This is why mapping fingerprints to a particular server (or type of source) is important. It prevents this sort of thing from happening.

Better yet, there should be a keyring outside of root's keyring that is read-only by users and read/write by root (not in /root/.gnupg) that contains rpm gpg keys. That removal from the user environment (especially root) adds another level of integrity.

I'm all for having every source out there urpmiable and easily setup through urpmi, even via the installer. But before that is done, we have to add a little security to the system. We have a responsibility to, in all ways possible, make installing trojan packages as difficult as possible. I'm all for making things easier, but not at the expense of security.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx -source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
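The check proposed in this message (a good signature is not enough; the signing key's fingerprint must also be the one pinned for the source the package came from) is small enough to show in code. The following is an added example and is not code from the thread, from urpmi or from MandrakeSoft. It assumes a hypothetical sigs.conf-style mapping from source name to primary-key fingerprint, and it parses the machine-readable `[GNUPG:]` lines that gpg emits on `--status-fd`; the status lines and fingerprints below are constructed for the example, not captured output.

```python
"""Pin a package source to a signing-key fingerprint on top of gpg's verdict.

Added example, not urpmi code.  The policy file format (source -> fingerprint)
is hypothetical; the [GNUPG:] status-line format is gpg's documented
--status-fd output.  All fingerprints and status lines here are constructed.
"""
import re

# Hypothetical /etc/urpmi/sigs.conf contents: source name -> primary-key
# fingerprint.  A source with no entry falls back to "the normal thing",
# i.e. any good signature from a key on the keyring is accepted.
UPDATES_KEY = "1111222233334444555566667777888899990000"   # constructed
PLF_KEY     = "AAAABBBBCCCCDDDDEEEEFFFF00001111222233334"  # constructed
SUBKEY      = "9999888877776666555544443333222211110000"   # constructed
SIGS_CONF = {"updates": UPDATES_KEY, "plf": PLF_KEY}

# Status tags that mean the signature must not be trusted even if gpg also
# prints VALIDSIG for it (expired/revoked keys are a policy reject here).
REJECT_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


def _norm(fpr):
    """Canonicalise a fingerprint: drop spaces, upper-case hex."""
    return re.sub(r"\s+", "", fpr).upper()


def parse_gpg_status(status_text):
    """Reduce gpg --status-fd output to (ok, primary_fingerprint, reason).

    VALIDSIG fields: fpr date timestamp expire version reserved pk-algo
    hash-algo sig-class [primary-fpr].  When a signing subkey was used,
    field 10 carries the primary key's fingerprint, and that is what we pin.
    """
    fpr, reject = None, None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag == "VALIDSIG":
            fpr = fields[11] if len(fields) > 11 else fields[2]
        elif tag in REJECT_TAGS:
            reject = tag
    if reject:
        return False, fpr and _norm(fpr), reject
    if fpr is None:
        return False, None, "no VALIDSIG"
    return True, _norm(fpr), "VALIDSIG"


def decide(source, status_text, sigs_conf=SIGS_CONF):
    """Return (install, reason) for a package fetched from `source`."""
    ok, fpr, reason = parse_gpg_status(status_text)
    if not ok:
        return False, "gpg: %s" % reason
    pinned = sigs_conf.get(source)
    if pinned is None:
        return True, "good signature; source %s is not pinned" % source
    if _norm(pinned) != fpr:
        # Good signature from a key on the keyring, but the WRONG key for
        # this source: the stolen-PLF-key / swapped-keyring scenario.
        return False, "good signature but %s is not the key pinned for %s" % (fpr, source)
    return True, "good signature from the key pinned for %s" % source


def fake_status(fpr, primary=None, extra=""):
    """Construct gpg --status-fd output for a good signature (not real output)."""
    primary_field = (" " + primary) if primary else ""
    return ("[GNUPG:] GOODSIG %s Example Signer <signer@example.invalid>\n"
            "[GNUPG:] VALIDSIG %s 2002-10-30 1035970800 0 4 0 17 2 00%s\n%s"
            % (fpr[-16:], fpr, primary_field, extra))


if __name__ == "__main__":
    cases = [
        ("updates", fake_status(UPDATES_KEY)),                  # right key, pinned source
        ("updates", fake_status(PLF_KEY)),                      # trusted key, wrong source
        ("plf", fake_status(PLF_KEY)),                          # PLF package from PLF
        ("rpmhelp", fake_status(PLF_KEY)),                      # unpinned source: old behaviour
        ("updates", fake_status(SUBKEY, primary=UPDATES_KEY)),  # signing subkey of pinned key
        ("updates", "[GNUPG:] BADSIG 7777888899990000 Example Signer\n"),
        ("updates", fake_status(UPDATES_KEY,
                                extra="[GNUPG:] EXPKEYSIG 7777888899990000 Example Signer\n")),
    ]
    for src, status in cases:
        print("%-8s %s" % (src, decide(src, status)))
```

With the mapping in place, a trojaned package signed with the (trusted) PLF key is rejected when it shows up under the "updates" source, while a source with no entry keeps today's behaviour, which is the gradual rollout the message asks for.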
