On Wed, Jan 16, 2013 at 10:35 AM, Charlie Brady <
[email protected]> wrote:

> Because Shad is very busy, and also because he prefers instant messaging
> and Skype, and I choose not to use those media, it's hard to get his
> attention to discuss development processes via email. I strike while the
> iron is hot.
>

And I appreciate it when we engage in these discussions.  It opens things
up and helps clarify things on both sides I think.


> I don't know how I can debate a technical issue without you considering it
> point scoring. I believe that Shad is risking a root compromise when he
> delegates the process of creating new ISOs. It's probably a low risk, but
> it is non-zero. I think he thinks otherwise. Trying to discuss it is not
> just a point-scoring exercise. I think we can all agree that security of
> the contribs.org infrastructure does matter.
>

This isn't point scoring.  This is how developers communicate :-)

I don't think that rebuilding the installer is zero-risk.  I'm putting as
much in place as possible, though, to limit the exposure and to leverage the
infrastructure I already have for building things.

I do appreciate the article on root getting out of a chroot.  That "hack"
does work to get out of a mock chroot as root.

Let's look at the risks of rebuilding the installer.  Parts have to be run
as root.  You can do this manually and watch things, but even then you
still run the risk of being compromised.  Given that you have to run parts
as root, what can be done to limit this exposure?

There is only one part of the build process that is run via sudo.  This is
the /usr/lib/anaconda-runtime/buildinstall script.  Running the installer
build in a mock chroot on a sacrificial build host, and only running the
above command via sudo, limits the exposure of root as much as I can.  In
order to compromise anything, that script would have to know about and break
out of the chroot, compromise the build box, and hop from there to one of
the other protected boxes that actually house vital information.  It is all
possible but VERY unlikely.

The chroot is populated cleanly every build.  The anaconda code and tools
are the same ones used by Red Hat.  The only changes to the installer are
branding changes.  All other changes take place within the updates.img file.

If you see a place where things can be made tighter or a place that was
missed in protecting things please let me know and I (we) can look at
making the ISO/installer build process more secure.

-Shad
_______________________________________________
Discussion about project organisation and overall direction
To unsubscribe, e-mail [email protected]
Searchable archive at http://lists.contribs.org/mailman/public/discussion/
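A check for the single sudo grant Shad describes (only /usr/lib/anaconda-runtime/buildinstall run via sudo), added here as an example that is not part of the thread or of the contribs.org build tooling. The account name "builder" and both sudoers fragments are constructed for the example; a real host would feed it the output of `visudo -c`-validated sudoers files.

```python
"""Verify that a sudoers fragment grants the build account exactly one
command: the anaconda buildinstall script.  Added example, not project code.
The user name "builder" and the fragments below are constructed."""
import re

BUILDINSTALL = "/usr/lib/anaconda-runtime/buildinstall"

# Constructed fragments: the first is over-broad, the second is the intended grant.
WEAK_SUDOERS = "builder ALL=(ALL) NOPASSWD: ALL\n"
TIGHT_SUDOERS = f"# build host\nbuilder ALL=(root) NOPASSWD: {BUILDINSTALL}\n"

# user  host = (runas) [TAG: ...] command_list   -- the user-spec shape parsed here
SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?((?:[A-Z_]+:\s*)*)(.+)$")


def allowed_commands(sudoers_text, user):
    """Return every command granted to `user` across all matching user specs."""
    cmds = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SPEC.match(line)
        if not m or m.group(1) != user:
            continue
        for entry in m.group(3).split(","):
            cmds.append(entry.strip())
    return cmds


def only_allows(sudoers_text, user, command):
    """True when `user` is granted `command` and nothing else.

    Stricter than sudo's own last-match semantics on purpose: any rule for the
    user that names ALL, a wildcard, or a second command fails the check, and a
    user with no rule at all also fails (the grant is missing, not tight)."""
    cmds = allowed_commands(sudoers_text, user)
    return bool(cmds) and all(c == command for c in cmds)


if __name__ == "__main__":
    for name, frag in (("weak", WEAK_SUDOERS), ("tight", TIGHT_SUDOERS)):
        status = "ok" if only_allows(frag, "builder", BUILDINSTALL) else "TOO BROAD"
        print(f"{name}: {allowed_commands(frag, 'builder')} -> {status}")
```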