On Saturday 27 March 2004 10:47, Luke Norman wrote:
> I can update all the installed packages on the box by typing 'emerge sync &&
> emerge -u world'. I tend to do this when I can, but sometimes im away for a
> few days, and so am unable to do this manually.
> My question is this - are there any security risks to adding this command
> to a cron job, and having it execute say, once every 12 hours.
Actually this is not too good from many perspectives.
As was already mentioned, twice a day puts quite some stress on servers even
though you probably use the default rsync method. The problem of non-working
daemons/configurations was also already mentioned.
Now from the security view: Gentoo does not provide any means for verifying
ebuilds/packages. Sure there is the MD5 sum but that should be no problem for
an attacker.
Just imagine a compromised rsync server: All I have to do is modify an ebuild
to so what I would like it to do. How about "rm -rf /"? Sure there is the
sandbox and userpriv, but as mentioned on the gentoo-dev mailing list
starting at
Message-ID: <20040323100824.GV26101_at_mail.lieber.org>
you can break out of these. (not tried/verified, I just believed them :))
I could also add a malicious patch to the software, which makes it open a
(possibly root) shell after installation on a port I choose and/or how about
a trojaned /bin/login? pam_unix.so? Whatever you might imagine. If I can mess
with this I can also mess with any MD5 checksum.
Remember, there was a compromised rsync mirror some time ago although the
target was not primarily the gentoo stuff and it was noticed.
Of course, these problems are also present for manual updating. The thread on
gentoo-dev mentioned earlier is very interesting in this regard.
Regards
Alex
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Mar 28 2004
Intro
