From: Mike Frysinger <vapier@gentoo.org>
To: gentoo-dev@gentoo.org
Subject: Re: [gentoo-dev] Ports Security
Date: Fri, 5 Sep 2003 08:37:18 -0400
Message-ID: <200309050837.19177.vapier@gentoo.org>
In-Reply-To: <200309051413.17311.jk@microgalaxy.net>
On Friday 05 September 2003 10:13, Jan Krueger wrote:
> a guide for portage developers how to make sure the things installed are
> secure. Just like
> http://www.openbsd.org/porting.html#Security
we don't have one and i don't believe there are plans for one ... again, the
people who would be writing it are the gentoo-hardened team but i haven't seen
any mentions of it on the hardened list ...
> That's your point of view.
not really ... the performance hit is not acceptable
> No, it should not. Site Security doesn't stop at the ebuild maintainer.
> I, as a potential user of "trusted gentoo", would like to have a way to
> verify the work of the developer.
then verify it ... either you trust gentoo developers or you don't ...
> I might want to use 3rd party ebuilds, commercial ebuilds, special
> super-hardened ebuild not in normal portage
> tree, i might have requirements completely different from what the developer
> thought.
like i said this is where the special util or pkg could be utilized that would
do this kind of security scan ... basically it is used whenever the user
wants to do that kind of research. but again, no such thing (afaik) exists.
> And also it is impossible to bring all those ebuilds to the high
> security standard i mention here, so i should have the possibility to
> verify at emerge time. So, instead of "esecurity_check" it should be a
> portage feature that i can switch on.
in that vein, no work has been done
> After every unpack or even building
> the image, just before installation, i would like to see what security
> impacts the package might have in its source or how many suid progs it
> wants to install or whatever. And if i say so, the ebuild should not
> install as soon as the scanners detect that the installed software would
> not conform to my requirements (that i would have to define in make.conf).
talk to hardened ... there is already work to trim out all (if possible) suid
binaries ...
> According to what's written on the project side the issue i bring up here is
> not (yet) covered. a secure box can always be compromised by installing
> insecure software. So installing secure software (only) should be made easy
> and verifiable. As portage is responsible for installing software on our
> gentoo machines it should support us in developing and installing secure
> software.
well, there are instances where this is not true, but let's not bother mincing
words on a moot point ;)
> It is dumb (no offense meant) to believe the ebuild-maintainer knows about
> and respects the local Site Security Requirements. It is dumb to believe
> every administrator or user is a security expert and can audit each
> software package before installation.
agreed
but all in all, i'd suggest taking this thread to the hardened list. the
people who are on that list make security their #1 focus. you'd get a very
different reception (probably more useful input) than here on -dev.
-mike
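
The pre-install check discussed in this message (count the suid programs in the built image and refuse to install when site policy is not met) could look like the following. This is an added example, not part of the original e-mail and not Portage code; the function names and the allowlist file, which stands in for the policy Jan wanted to define in make.conf, are hypothetical.

```shell
#!/bin/sh
# Added illustration, not Portage code. All function names are hypothetical.

# Print every setuid/setgid regular file under the image directory $1, one
# per line, as the path it would have once installed (leading "/").
scan_suid() (
    cd "$1" || exit 2
    find . -type f \( -perm -4000 -o -perm -2000 \) -print | sed 's|^\.||' | sort
)

# Compare the image in $1 with the allowlist file $2 (one installed path per
# line). Prints each path that violates the policy on stdout.
# Returns 0 if the image conforms, 1 if it does not, 2 on a usage error.
check_image() (
    [ -r "$2" ] || exit 2   # a missing policy file must fail closed
    found=$(scan_suid "$1") || exit 2
    # -x whole-line match, -F fixed strings: entries are paths, not regexes.
    bad=$(printf '%s\n' "$found" | grep -v '^$' | grep -vxF -f "$2" || true)
    [ -z "$bad" ] && exit 0
    echo "refusing to install: setuid/setgid files outside site policy" >&2
    printf '%s\n' "$bad"
    exit 1
)

# Constructed sample input: a throwaway image holding one allowed setuid
# file, one unexpected setuid file and one ordinary binary, plus an allowlist.
# Prints the temporary directory that contains "image/" and "allow".
make_sample() (
    d=$(mktemp -d) || exit 2
    mkdir -p "$d/image/bin" "$d/image/usr/bin"
    for f in bin/su usr/bin/helper usr/bin/plain; do : > "$d/image/$f"; done
    chmod 4755 "$d/image/bin/su" "$d/image/usr/bin/helper"
    chmod 0755 "$d/image/usr/bin/plain"
    printf '/bin/su\n' > "$d/allow"
    printf '%s\n' "$d"
)

# Demo run on the constructed sample.
sample=$(make_sample)
check_image "$sample/image" "$sample/allow" || echo "check_image returned $?"
rm -rf "$sample"
```

A hook that runs between building the image and merging it would call `check_image` on the image directory and abort the merge on a non-zero status.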