On Sat, 20 May 2006 15:37:54 +0100, Chris Bainbridge wrote:
> On 20/05/06, Peter <[EMAIL PROTECTED]> wrote:
>> PMFJI, but as a user, not a security expert, I had a few thoughts that I'd
>> like to throw in. Thanks to Patrick, he helped me to drill down some of
>> the ideas and I present them for consideration. It's just a framework, so
>> I will be brief
>
Thanks for not throwing me overboard to the sharks! I had a few comments.
> Thanks for your input. From a security point of view your scheme is
> fine, but as pointed out by others you won't be able to selectively
> rsync parts of the tree. That will require a signature for each
> manifest, and a manifest for every directory. The problem I see is that
> the manifest is going to have to include a hash for each subdirectory -
> otherwise you open the possibility of someone replacing a directory with
> one from the past that contains some known insecurity, or corrupting the
> tree by swapping random directories, and yet the signatures remain
> valid. Of course, that hash changes if you allow people to rsync_exclude
> directories, and hence the signature changes. So you can either accept
> that if you selectively rsync then you won't be able to verify the
> signed tree, or accept that there is a known security problem with
> having no signed link between parent and child directories, or come up
> with a different scheme.
I'm not sure this is so. Yes, the Manifest file will have to include all
files in it's current and child[ren] directories. However, this is done
now. You would have to include eclass and profiles to have Manifests also.
I do not see how using rsync exclude would affect this scheme. If someone
wants to emerge samba and exclude KDE, the hash of the samba Manifest
will be there to check against. I'm not interested in signing the entire
tree. I am interested in signing the hashes of all Manifests in the tree
as a list. So, during the emerge process, as each package is emerged, the
first thing that occurs is to check the hash of the package Manifest file
against the stored hash in the signed Master Manifest file. Sort of like:
In pigeon bash and pseudo code, here's how I envision the check.
gpg --verify MasterManifestFile
# if error then abort
M_HASH=${grep "samba/Manifest" MasterManifestFile)
# probably need to use cut or something here...
C_HASH=$(md5sum samba/Manifest)
if M_HASH -ne C_HASH then abort
> Obviously the manifests also have to be checked to make sure they're
> valid - this is currently done for package directories at emerge time,
> it would need to be extended to all other directories. I'd prefer the
> checks done at sync time since that's a one time cost and you don't have
> to figure out exactly what files will be used by each emerge operation.
My thought was, that even if someone inserted a rogue package onto one of
the mirrors, a) altering the MasterManifest file would be difficult since
the signed part would not match, b) The Manifest hash would not match, or
if the bad guy did not alter the Manifest, the hash of its files would not
match (such as replacing a source dl location).
Anyway, thanks for taking a look.
--
Peter
--
[email protected] mailing list
