On Thu, Mar 20, 2008 at 6:45 AM, Florian Philipp
<[EMAIL PROTECTED]> wrote:
> Hi list!
>
>  Am I right that there is currently no way portage tries to verify that
>  the rsync-mirror is not spoofed?
>
>  Doesn't that pose a major threat? If I were able to manipulate the
>  domain name resolution, I could easily trick gentooers into making false
>  updates and thus executing a malicious program with root-permission on
>  their machine.
>
>
>  So, why isn't there some kind of public key authentication going on, at
>  least optionally?
>
>  By the way: How does gentoo's gpg feature work? The man page doesn't
>  contain an explanation.
>

An attacker would need to be able to manipulate both the rsync server
and the actual downloaded packages since Portage verifies checksums
(RMD160, SHA1, SHA256, size). This is possible, as you mentioned,
using DNS spoofing.

I guess one solution would be to resolve your rsync server's IP
address once (e.g. at boot) and include an IPtables rule for it
specifically. My BASH is not very good, but e.g.:

# These must match the rest of your firewall script; the values here are
# placeholders.
IPT='/sbin/iptables'        # iptables binary
EXTIF='eth0'                # external interface
EXTIP='192.0.2.10'          # this host's external address
RSYNC='rsync'               # service name from /etc/services (873/tcp)

# Host part of SYNC="rsync://host/path" in /etc/make.conf
FOO="`grep ^SYNC /etc/make.conf | sed 's/.*rsync:\/\/\([^ ]*\)/\1/'`"
BAR="${FOO%/*}"
# Answer addresses only: the first "Address:" line nslookup prints is the
# resolver itself, so skip it and keep every remaining answer.
IP="`nslookup $BAR | grep ^Address | sed 's/.*Address: \([^ ]*\)/\1/' | tail -n +2`"

for i in $IP
do
  # new connections from this host to the mirror only
  $IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP -d $i --dport $RSYNC --syn \
    -m state --state NEW -j ACCEPT
  # replies belong to an established connection (they are never SYN-only)
  $IPT -A INPUT  -i $EXTIF -p tcp -s $i -d $EXTIP --sport $RSYNC \
    -m state --state ESTABLISHED -j ACCEPT
done

Assuming your /etc/resolv.conf was secure at boot, this (I think)
would protect your machine from DNS related attacks. Perhaps others
who are more knowledgeable can chip in here.

Sincerely,
Mansour Moufid
-- 
gentoo-security@lists.gentoo.org mailing list
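The checksum check the reply refers to (Portage's Manifest DIST entries), as an added example that is not code from the thread: it verifies a distfile against a Manifest2 line, and also shows that a mirror serving both a replaced file and a matching Manifest passes the same check, which is the reason the DNS pinning above matters. SAMPLE_LINE is constructed (its digests are the well-known ones for an empty file) and make_dist_line is a hypothetical helper, not part of Portage.

```python
import hashlib

# Manifest2 DIST entry as Portage used it around 2008 (constructed sample):
#   DIST <file> <size> RMD160 <hex> SHA1 <hex> SHA256 <hex>
SAMPLE_LINE = ("DIST empty.tar.gz 0 "
               "RMD160 9c1185a5c5e9fc54612808977ee8f548b2258d31 "
               "SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 "
               "SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")

# Manifest algorithm names mapped to hashlib names
HASHLIB_NAMES = {"RMD160": "ripemd160", "SHA1": "sha1", "SHA256": "sha256"}

def parse_dist_line(line):
    """Return (filename, size, {algo: hexdigest}) for one DIST line."""
    f = line.split()
    if len(f) < 5 or f[0] != "DIST" or (len(f) - 3) % 2:
        raise ValueError("malformed DIST line: %r" % line)
    return f[1], int(f[2]), dict(zip(f[3::2], f[4::2]))

def verify_distfile(data, line):
    """True iff data matches the size and every hash this host can compute;
    RMD160 is skipped when OpenSSL lacks ripemd160, an unknown algorithm or
    a mismatch fails, and at least one hash must actually be checked."""
    _, size, hashes = parse_dist_line(line)
    if len(data) != size:
        return False
    checked = 0
    for algo, expected in hashes.items():
        if algo not in HASHLIB_NAMES:
            return False
        try:
            h = hashlib.new(HASHLIB_NAMES[algo], data)
        except ValueError:          # algorithm not built into this OpenSSL
            continue
        if h.hexdigest() != expected.lower():
            return False
        checked += 1
    return checked > 0

def make_dist_line(name, data):
    """Build a DIST line consistent with data: exactly what a spoofed mirror
    that serves both the Manifest and the file can do for any content."""
    parts = ["DIST", name, str(len(data))]
    for algo, libname in HASHLIB_NAMES.items():
        try:
            parts += [algo, hashlib.new(libname, data).hexdigest()]
        except ValueError:
            continue
    return " ".join(parts)
```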