Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
Volker Armin Hemmann writes:
> On Wednesday 17 September 2008, kashani wrote:
> > Vaeth wrote:
> > >> Could you please use a mail client which inserts correctly the
> > >> fields "In-Reply-To" and "Reference"?
> > >
> > > Thanks for the hint, I was not aware of this. But unfortunately, it
> > > appears that it is not just a question of the mail client:
> > > I am subscribed to the list as post-only (for several reasons which
> > > I do not want to discuss now) and I am actually reading/replying to
> > > the usenet copy linux.gentoo.user of this list.
> > > If you know how I could find out (and use with pine) the correct
> > > data in this way, I would be glad to do so, but I am afraid it is
> > > impossible.
> > [...]
> > Trying to follow the thirty odd threads your client is creating when
> > there should be only one is really really annoying.
> >
> > And you're completely wrong about NAT routers, but damned if I can
> > find the actual parts of the thread I want to respond to.
> >
> > kashani
>
> there is no problem with his posts in kmail.

Hmm, I have about seven threads started by him with "Re: [gentoo-user] Is there a way...". The other of his responses, which do not start a new thread, have his own posts as reference, not the one he is actually replying to. All references look like <[EMAIL PROTECTED]>, seems like the mail-to-usenet gateway changes them.

Couldn't he just reply with his usenet client, and the gateway would convert things back so it shows up correctly on the list? I agree it's a little annoying, but as long as it's just him and only occasionally, I don't mind.

Wonko
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
Hi Vaeth,

on Wed, Sep 17, 2008 at 10:40:47AM +0200, you wrote:
> > > Alan Cox: "chroot is not and never has been a security tool", see e.g.
> > > http://kerneltrap.org/Linux/Abusing_chroot
> >
> > No disrespect to Mr. Cox but a silly argument stays a silly argument
> > even if brought forward by Alan. Programs like postfix certainly don't
> > use chroots for security because they were designed by noobs or incompetent
> > people.
>
> I did not cite the webpage because of the insults but because it shows
> how much the kernel programmers are interested in closing possible ways
> to break out of a chroot as root
> : not at all, because they think it is ok.
> That's why I said that _only_ with grsecurity a chroot _might perhaps_
> be considered as a serious security measure (but in fact, people
> who really need chroot to run binaries from two systems cannot activate
> these security enhancements).

Sure, you can't expect that the Debian-loving friend you gave root on your Debian-chrooted-on-Gentoo system will stay confined to that chroot. Big deal, just don't do it. That's not what any sane person would recommend chroot for anyway.

> > Alan acknowledges that "Normal users cannot use chroot()
> > themselves so they can't use chroot to get back out"
>
> Yes, _this_ method of breaking out does not work without additional
> exploits like privilege escalation. (grsecurity closes a lot more methods;
> I never researched which tricks might perhaps work as a user).
> But if everything works as it should, just running with low privileges
> does not make much of a difference compared to running with low privileges in
> a chroot: In any case you should only have access to those data which
> the privileges allow.

...which is usually pretty much everything in the bin directories, a lot of stuff in /etc, and most importantly a shell. In a non-chrooted program, an attacker who can exploit a bug can simply bind /bin/sh to a port, run netcat, even use your compiler to prepare the next steps for perhaps a local privilege escalation. In a chroot, nothing of the sort is possible, you're limited to what you can do in your injected code.

> (Admittedly there is a _slight_ increase in security: You might now be
> safe from ways of privilege escalation by bugs in certain
> SUID programs).

...plus safe from most information disclosure that would otherwise be possible.

> > That's not to say that setting up a vserver for each of
> > your programs exposed to the net wasn't *more* secure than a chroot
>
> That's a different topic, but a vserver might also even be more
> dangerous than doing nothing, because it has to be implemented (of course)
> with the highest available privileges, and so you have an additional
> risk of bugs (i.e. possible exploits) of the vserver - and in such a
> case the attacker has immediately the highest privileges.

That's true, I just mentioned it because that's what Alan mentioned as the true security tool.

> > but it's certainly a whole lot more secure if used
> > properly than not doing it at all.
>
> ...as is the usage of NAT as a "security feature".
> Of course, saying that using NAT or using chroot would not increase
> security at all would be a lie. But it is better to emphasize the
> dangers than to support the common misbelief (as Alan already pointed
> out) that by using it there is no risk that "closed" ports can come
> through or that no other data than those in the chroot can be accessed.

Alan would probably emphasize the dangers of a seat belt and say competent people used it only to keep their shopping bags from falling over and not as a security tool because if you don't use it the recommended way you can strangle yourself with it =^>

> Remember the starting point of the discussion: The statement "rsyncd uses
> chroot, so an attacker can do nothing bad" is just false.

Except that statement wasn't Neil's. To quote it correctly:

| In addition, the default rsyncd configuration with Gentoo uses a chroot
| jail. So even if you do allow connections to your portage tree, they
| won't be able to access anything else.

To summarize: for an attacker to be able to compromise a chrooted rsyncd behind a NATting DSL router:

a) your ISP has to have a router configuration b0rked beyond belief
b) the attacker has to be aware of that and be able to distinguish between your traffic and that of several hundred others that will respond to his packets to 192.168.x.x
c) your router has to have a serious security hole
d) rsyncd has to be exploitable
e) your kernel needs to have a local privilege escalation bug

Now if that risk is worth the more complicated configuration using rsync over ssh, I'm really not sure...I think I'd rather spend the time on folding tin foil hats for the upcoming attack from Mars ;)

cheers,
Matthias
-- 
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
On Thursday 18 September 2008 12:34:17, Matthias Bethke wrote:
> Hi Vaeth,
>
> on Wed, Sep 17, 2008 at 09:49:08AM +0200, you wrote:
> > > [...] that in any halfway sane router these NAT problems are not an
> > > issue. And with many routers running Linux today so you can even get a
> > > shell and check iptables... :)
> >
> > We are obviously talking about a different price category of routers.
> > Most routers people use here in Germany for home systems are from their
> > ISP, and they are usually proprietary implementations [...]
>
> Huh? I don't have a good overview of the market here but the ISP I work
> at uses only FritzBox routers which run a fine Linux, and as far as I
> know so do most of T-Com's Speedport models...

Most of the T-Com Speedports (except for the very old ones, which come from Siemens) are just rebranded FritzBoxen (with some functionality removed/patched), so they also run a(n ARM-)Linux, and are even more or less firmware compatible with the FritzBox firmwares (I reflashed a Speedport 500 [?? IIRC] once with a FritzBox firmware to get proper VoIP support). Just FYI.

-- 
Heiko Wundram
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
Hi Vaeth,

on Wed, Sep 17, 2008 at 09:49:08AM +0200, you wrote:
> > [...] that in any halfway sane router these NAT problems are not an
> > issue. And with many routers running Linux today so you can even get a
> > shell and check iptables... :)
>
> We are obviously talking about a different price category of routers.
> Most routers people use here in Germany for home systems are from their
> ISP, and they are usually proprietary implementations [...]

Huh? I don't have a good overview of the market here but the ISP I work at uses only FritzBox routers which run a fine Linux, and as far as I know so do most of T-Com's Speedport models which should be the most widely used in Germany. Not that it was significantly cheaper than a FritzBox or a WRT54...

cheers,
Matthias
-- 
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
On Wednesday 17 September 2008, kashani wrote:
> Vaeth wrote:
> >> Could you please use a mail client which inserts correctly the fields
> >> "In-Reply-To" and "Reference"?
> >
> > Thanks for the hint, I was not aware of this. But unfortunately, it
> > appears that it is not just a question of the mail client:
> > I am subscribed to the list as post-only (for several reasons which I do
> > not want to discuss now) and I am actually reading/replying to the
> > usenet copy linux.gentoo.user of this list.
> > If you know how I could find out (and use with pine) the correct data
> > in this way, I would be glad to do so, but I am afraid it is impossible.
> >
> > However, due to lack of time this will probably anyway be the last
> > falsely referencing posting for quite a while: my frequent postings in
> > the previous days were really a big exception.
>
> Trying to follow the thirty odd threads your client is creating when
> there should be only one is really really annoying.
>
> And you're completely wrong about NAT routers, but damned if I can find
> the actual parts of the thread I want to respond to.
>
> kashani

there is no problem with his posts in kmail.
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
Vaeth wrote:
>> Could you please use a mail client which inserts correctly the fields
>> "In-Reply-To" and "Reference"?
>
> Thanks for the hint, I was not aware of this. But unfortunately, it
> appears that it is not just a question of the mail client:
> I am subscribed to the list as post-only (for several reasons which I do
> not want to discuss now) and I am actually reading/replying to the
> usenet copy linux.gentoo.user of this list.
> If you know how I could find out (and use with pine) the correct data
> in this way, I would be glad to do so, but I am afraid it is impossible.
>
> However, due to lack of time this will probably anyway be the last
> falsely referencing posting for quite a while: my frequent postings in
> the previous days were really a big exception.

Trying to follow the thirty odd threads your client is creating when there should be only one is really really annoying.

And you're completely wrong about NAT routers, but damned if I can find the actual parts of the thread I want to respond to.

kashani
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
> Could you please use a mail client which inserts correctly the fields
> "In-Reply-To" and "Reference"?

Thanks for the hint, I was not aware of this. But unfortunately, it appears that it is not just a question of the mail client: I am subscribed to the list as post-only (for several reasons which I do not want to discuss now) and I am actually reading/replying to the usenet copy linux.gentoo.user of this list. If you know how I could find out (and use with pine) the correct data in this way, I would be glad to do so, but I am afraid it is impossible.

However, due to lack of time this will probably anyway be the last falsely referencing posting for quite a while: my frequent postings in the previous days were really a big exception.
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
Could you please use a mail client which inserts correctly the fields "In-Reply-To" and "Reference"?

-- 
Nicolas Sebrecht
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
Matthias Bethke wrote:
> > > I'd say the vast majority of chroot jails are there for nothing
> > > else but security.
> >
> > Alan Cox: "chroot is not and never has been a security tool", see e.g.
> > http://kerneltrap.org/Linux/Abusing_chroot
>
> No disrespect to Mr. Cox but a silly argument stays a silly argument
> even if brought forward by Alan. Programs like postfix certainly don't
> use chroots for security because they were designed by noobs or incompetent
> people.

I did not cite the webpage because of the insults but because it shows how much the kernel programmers are interested in closing possible ways to break out of a chroot: not at all, because they think it is ok. That's why I said that _only_ with grsecurity a chroot _might perhaps_ be considered as a serious security measure (but in fact, people who really need chroot to run binaries from two systems cannot activate these security enhancements).

> Alan acknowledges that "Normal users cannot use chroot()
> themselves so they can't use chroot to get back out"

Yes, _this_ method of breaking out does not work without additional exploits like privilege escalation. (grsecurity closes a lot more methods; I never researched which tricks might perhaps work as a user). But if everything works as it should, just running with low privileges does not make much of a difference compared to running with low privileges in a chroot: In any case you should only have access to those data which the privileges allow. (Admittedly there is a _slight_ increase in security: You might now be safe from ways of privilege escalation by bugs in certain SUID programs).

> That's not to say that setting up a vserver for each of
> your programs exposed to the net wasn't *more* secure than a chroot

That's a different topic, but a vserver might also even be more dangerous than doing nothing, because it has to be implemented (of course) with the highest available privileges, and so you have an additional risk of bugs (i.e. possible exploits) of the vserver - and in such a case the attacker has immediately the highest privileges.

> but it's certainly a whole lot more secure if used
> properly than not doing it at all.

...as is the usage of NAT as a "security feature". Of course, saying that using NAT or using chroot would not increase security at all would be a lie. But it is better to emphasize the dangers than to support the common misbelief (as Alan already pointed out) that by using it there is no risk that "closed" ports can come through or that no other data than those in the chroot can be accessed.

Remember the starting point of the discussion: The statement "rsyncd uses chroot, so an attacker can do nothing bad" is just false.
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
On Tue, 16 Sep 2008, Matthias Bethke wrote:
> [...] that in any halfway sane router these NAT problems are not an
> issue. And with many routers running Linux today so you can even get a
> shell and check iptables... :)

We are obviously talking about a different price category of routers. Most routers people use here in Germany for home systems are from their ISP, and they are usually proprietary implementations where you cannot do much more than to configure them by web interface with the enclosed windows software (if you can decide which ports go through you already have an "advanced" router). Except by experimenting, it is close to impossible to decide what the router really does or does not. I wouldn't trust them as far as I can throw a stone.
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
Hi Vaeth,

on Tue, Sep 16, 2008 at 08:36:28PM +0200, you wrote:
> > > Also a chroot jail is not a security feature: There are several
> > > ways known how to break out.
> >
> > [...] But there's only one reason I can see why you'd use a
> > chroot environment *except* for security and that's to have more than
> > one set of system binaries active at the same time for different
> > applications.
>
> Or simply several systems (e.g. amd64 and x86, or gentoo and debian,
> or your boot disk and your newly installed system [the install handbook
> makes massive use of chroot]). This is exactly what chroot was made for.

Sure, that's why I kept it as general as "more than one set", be it a different architecture/vendor/purpose/whatever.

> > I'd say the vast majority of chroot jails are there for nothing
> > else but security.
>
> Alan Cox: "chroot is not and never has been a security tool", see e.g.
> http://kerneltrap.org/Linux/Abusing_chroot

No disrespect to Mr. Cox but a silly argument stays a silly argument even if brought forward by Alan. Programs like postfix certainly don't use chroots for security because they were designed by noobs or incompetent people. Alan acknowledges that "Normal users cannot use chroot() themselves so they can't use chroot to get back out" but insists on his point, completely ignoring that doing a chroot() immediately followed by dropping your root privileges is exactly the recommended way to use it for security. That's not to say that setting up a vserver for each of your programs exposed to the net wasn't *more* secure than a chroot if you want to do it but it's certainly a whole lot more secure if used properly than not doing it at all.

cheers,
Matthias
-- 
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665
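The "chroot() immediately followed by dropping your root privileges" sequence Matthias refers to, as an added example that is not code from the thread, from rsync or from Gentoo: a hypothetical `enter_jail()` helper for Linux/glibc that performs the steps in the order that makes the jail hold, and refuses a "jail" that keeps uid or gid 0. The uid/gid 65534 in `main()` is the conventional nobody id, used only for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes repeated so the file also builds in strict ISO C mode. */
int chroot(const char *path);
int setgroups(size_t size, const gid_t *list);
int seteuid(uid_t euid);

/*
 * Confine the calling process to `dir` and permanently drop root to
 * uid/gid.  Returns 0 on success, -1 with errno set on failure.
 *
 * The order is what makes the jail hold:
 *  1. chdir() into the jail before chroot(), so the working directory is
 *     never left outside the new root (a cwd outside the root is one of
 *     the classic ways a still-privileged process walks back out).
 *  2. chroot("."), then chdir("/") so nothing relative to the old tree
 *     stays reachable.
 *  3. setgroups() before setgid()/setuid(): once the uid is unprivileged
 *     the supplementary group list can no longer be cleared.
 *  4. setgid() before setuid(): after setuid() to a non-root uid the
 *     setgid() call would fail and the process would keep gid 0.
 *  5. setuid() last; as root this sets real, effective and saved uid, so
 *     the drop is permanent.  A final setuid(0) must now fail.
 */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    /* A "jail" that keeps uid 0 or gid 0 is not a privilege drop at all. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (chdir(dir) != 0)
        return -1;
    if (chroot(".") != 0)
        return -1;
    if (chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop took: regaining root must be impossible from here. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* 1 if the process can still become uid 0 (drop incomplete), else 0. */
int can_regain_root(void)
{
    uid_t before = geteuid();
    if (seteuid(0) == 0) {
        seteuid(before);
        return 1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <jail-dir>   (must be started as root)\n", argv[0]);
        return 2;
    }
    /* 65534 is the conventional nobody/nogroup id, used here for
     * illustration; a real daemon gets its own dedicated account. */
    if (enter_jail(argv[1], 65534, 65534) != 0) {
        fprintf(stderr, "enter_jail(%s) failed: %s\n", argv[1], strerror(errno));
        return 1;
    }
    printf("confined to %s as uid %d, can regain root: %s\n",
           argv[1], (int)getuid(), can_regain_root() ? "YES (bug)" : "no");
    return 0;
}
```

Run as root against an empty directory it prints "can regain root: no"; started without root it fails at chroot() with EPERM, which is exactly the property Vaeth quotes Alan Cox on (normal users cannot call chroot() themselves).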
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
Hi Vaeth,

on Tue, Sep 16, 2008 at 07:54:43PM +0200, you wrote:
> > I don't even see why you'd strictly need connection tracking to avoid
> > attacks made possible by grossly misconfigured ISP routers. Your router
> > knows that packets with a destination address of 10/8, 192.168/16 and
> > the like have absolutely no business on the public internet so the only
> > sensible behavior would be to just drop them.
>
> This also requires a special kind of router: Namely one which has a
> physical way of distinguishing between the "dangerous" connection to
> the net and your local network (if they are dynamic, this can also
> sometimes be tricked). Of course, combined router/modems have this
> separation practically "by definition".

I can only recall one router where this wasn't the case, my first weird and wonderful DSL line in the Philippines :D Normally, why bother routing if you can just physically connect the two networks and have their traffic intermix?

> However, in any case it requires that the functionality you mention is
> implemented on the router and has no bugs and that the router cannot
> be compromised by other means.

Sure, if your router is compromised you're fuxx0red anyway. I was just saying that in any halfway sane router these NAT problems are not an issue. And with many routers running Linux today so you can even get a shell and check iptables... :)

cheers,
Matthias
-- 
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
On Tuesday 16 September 2008 19:29:21 Matthias Bethke wrote:
> I'd say the vast majority of
> chroot jails are there for nothing else but security.

Replace "security" with "warm fuzzy feeling of apparent security that actually doesn't exist" and you're close to the mark. The sole positive of using chroot like this is that (like NAT) it does happen to give a marginal increase in security at reasonably low cost. There are much better solutions with real security benefits: vservers, BSD jails, etc, etc.

This is not directed at you, I just seem to spend way too much time these days dispelling persistent myths that have taken hold in people's minds but have no real basis in fact

-- 
alan dot mckinnon at gmail dot com
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
Matthias Bethke wrote:
> Hi Vaeth,
[...]
> > Also a chroot jail is not a security feature: There are several
> > ways known how to break out.
>
> [...] But there's only one reason I can see why you'd use a
> chroot environment *except* for security and that's to have more than
> one set of system binaries active at the same time for different
> applications.

Or simply several systems (e.g. amd64 and x86, or gentoo and debian, or your boot disk and your newly installed system [the install handbook makes massive use of chroot]). This is exactly what chroot was made for.

> I'd say the vast majority of chroot jails are there for nothing
> else but security.

Alan Cox: "chroot is not and never has been a security tool", see e.g. http://kerneltrap.org/Linux/Abusing_chroot
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
On Tue, 16 Sep 2008, Matthias Bethke wrote:
> I don't even see why you'd strictly need connection tracking to avoid
> attacks made possible by grossly misconfigured ISP routers. Your router
> knows that packets with a destination address of 10/8, 192.168/16 and
> the like have absolutely no business on the public internet so the only
> sensible behavior would be to just drop them.

This also requires a special kind of router: Namely one which has a physical way of distinguishing between the "dangerous" connection to the net and your local network (if they are dynamic, this can also sometimes be tricked). Of course, combined router/modems have this separation practically "by definition". However, in any case it requires that the functionality you mention is implemented on the router and has no bugs and that the router cannot be compromised by other means.
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
Hi Vaeth,

on Tue, Sep 16, 2008 at 07:14:48PM +0200, you wrote:
> > In addition, the default rsyncd configuration with Gentoo uses a chroot
> > jail.
>
> Also a chroot jail is not a security feature: There are several ways known
> how to break out.

Huh? In the case of NAT it's reasonable to say it's not a security feature---it's a kludge that happens to increase security somewhat in the standard case. But there's only one reason I can see why you'd use a chroot environment *except* for security and that's to have more than one set of system binaries active at the same time for different applications. Which is normally a pretty bad kludge in itself (not that I hadn't done it, to avoid endless library woes on a Debian system that absolutely must be kept on Woody... :-S), I'd say the vast majority of chroot jails are there for nothing else but security.

cheers,
Matthias
-- 
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
Hi Neil,

on Tue, Sep 16, 2008 at 04:59:39PM +0100, you wrote:
> > Except that this is not completely true: See some of the many articles
> > in the net which explain why NAT is not a security feature. A quick
> > google search gave e.g.
> > http://www.nexusuk.org/articles/2005/03/12/nat_security/
>
> "So the router maintains a database of current connections so that traffic
> is always allowed through for them, and you can tell it to filter all new
> connections made from the internet whilst allowing all new connections
> made from inside the local network. This means that no one can make a
> connection from the internet to one of your workstations, even though
> they can route to its address."
>
> If the relevant ports are not forwarded in the router, this applies and
> no one can make a new connection to your rsync server.

I don't even see why you'd strictly need connection tracking to avoid attacks made possible by grossly misconfigured ISP routers. Your router knows that packets with a destination address of 10/8, 192.168/16 and the like have absolutely no business on the public internet so the only sensible behavior would be to just drop them.

cheers,
Matthias
-- 
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
Neil Bothwick wrote:
> On Tue, 16 Sep 2008 17:29:16 +0200 (CEST), Vaeth wrote:
> > > If you are using NAT on the router, you have to explicitly forward
> > > that port somewhere for it to work. [...]
> >
> > Except that this is not completely true [...]
>
> "So the router maintains a database of current connections

This is not true for a standard NAT router. Only special routers with additional functionality can do this. Not to mention that occasionally also bugs in the implementations of such routers are found (e.g. using DOS to attempt a database overflow is an attack which comes to mind in the "generic" case). In any case, it depends on how much you can trust the router, while if the port is not open on your machine you do not have such a risk at all. So why take an unnecessary risk?

> In addition, the default rsyncd configuration with Gentoo uses a chroot
> jail.

Also a chroot jail is not a security feature: There are several ways known how to break out. Well, if you use grsecurity (hardened-sources), at least the most gaping security holes are closed in this respect, but also this is no guarantee and can hinder you when you have other uses for chroot. Not to mention that rsyncd introduces additional code anyway, which might also be vulnerable in an unexpected manner (e.g. in connection with a kernel bug or who-knows-what).

> After all, isn't that exactly how Gentoo mirrors work?

If you offer something on the net you have certainly an increased risk that the corresponding machine is compromised - every mirror administrator is aware of this (or at least he should be so). But there is no reason to take any such sort of risk in a network which is not supposed to offer services to other people.
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
On Tue, 16 Sep 2008 17:29:16 +0200 (CEST), Vaeth wrote:
> > If you are using NAT on the router, you have to explicitly forward
> > that port somewhere for it to work. [...]
>
> Except that this is not completely true: See some of the many articles
> in the net which explain why NAT is not a security feature. A quick
> google search gave e.g.
> http://www.nexusuk.org/articles/2005/03/12/nat_security/

"So the router maintains a database of current connections so that traffic is always allowed through for them, and you can tell it to filter all new connections made from the internet whilst allowing all new connections made from inside the local network. This means that no one can make a connection from the internet to one of your workstations, even though they can route to its address."

If the relevant ports are not forwarded in the router, this applies and no one can make a new connection to your rsync server.

In addition, the default rsyncd configuration with Gentoo uses a chroot jail. So even if you do allow connections to your portage tree, they won't be able to access anything else. After all, isn't that exactly how Gentoo mirrors work?

-- 
Neil Bothwick

There is absolutely no substitute for a genuine lack of preparation.
Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
On Tue, 16 Sep 2008, Neil Bothwick wrote:
> On Tue, 16 Sep 2008 13:49:36 +0200 (CEST), Vaeth wrote:
> > It is always better to have a port not open than to rely on a router
> > to "close" it apparently.
>
> If you are using NAT on the router, you have to explicitly forward that
> port somewhere for it to work. [...]

Except that this is not completely true: See some of the many articles in the net which explain why NAT is not a security feature. A quick google search gave e.g. http://www.nexusuk.org/articles/2005/03/12/nat_security/