* [gentoo-dev] Ports Security
From: Jan Krueger @ 2003-09-05 1:10 UTC
To: gentoo-dev
Hi,
is there a guide like
http://www.openbsd.org/porting.html#Security
in progress? available?
Or even better tools bundled in a "esecurity_check":
src_unpack() {
    blabla
    unpack
    epatch
    blabla
    # check unpacked and patched source tree for security issues
    # like in http://www.openbsd.org/porting.html#Security
    esecurity_check || die
}
? Something like that? In progress? Or even ready for testing?
already finished? Someone just forgot to mention? I was too blind to see?
Gruß
Jan
--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] Ports Security
From: Mike Frysinger @ 2003-09-05 4:17 UTC
To: gentoo-dev
On Thursday 04 September 2003 21:10, Jan Krueger wrote:
> Hi,
>
> is there a guide like
> http://www.openbsd.org/porting.html#Security
> in progress? available?
uhh we have gentoo-hardened ... not sure what you're asking about ...
> Or even better tools bundled in a "esecurity_check":
putting this in an ebuild to be run every time a pkg is unpacked is kind of
dumb (no offense meant) ... we have no 'automated' ways for portage to scan
source code looking for potential security issues, nor should there be ...
the responsibility lies on the upstream author and the gentoo maintainer, and
it should stop there ...
perhaps creating tools for developers to use when testing out a new pkg would
be feasible ... then again i think if you want a 'secure' box you should
follow the excellent work the gentoo-hardened team has put together ...
-mike
* Re: [gentoo-dev] Ports Security
From: Mike Frysinger @ 2003-09-05 12:37 UTC
To: gentoo-dev
On Friday 05 September 2003 10:13, Jan Krueger wrote:
> a guide for portage developers how to make sure the things installed are
> secure. Just like
> http://www.openbsd.org/porting.html#Security
we don't have one and i don't believe there are plans for one ... again, the
people who would be writing it are the gentoo-hardened team but i haven't seen
any mentions of it on the hardened list ...
> That's your point of view.
not really ... the performance hit is not acceptable
> No, it should not. Site Security doesn't stop at the ebuild maintainer.
> I, as a potential user of "trusted gentoo", would like to have a way to
> verify the work of the developer.
then verify it ... either you trust gentoo developers or you dont ...
> I might want to use 3rd party ebuilds, commercial ebuilds, special
> super-hardened ebuild not in normal portage
> tree, i might have requirements completely different from what the developer
> thought.
like i said this is where the special util or pkg could be utilized that would
do this kind of security scan ... basically it is used whenever the user
wants to do that kind of research. but again, no such thing (afaik) exists.
> And also it is impossible to bring all those ebuild to the high
> security standard i mention here, so i should have the possibility to
> verify at emerge time. So, instead of "esecurity_check" it should be a
> portage feature that i can switch on.
in that vein, no work has been done
> After every unpack or even building
> the image, just before installation, i would like to see what security
> impacts the package might have in its source or how many suid progs it
> wants to install or whatever. And if i say so, the ebuild should not
> install as soon as the scanners detect that the installed software would
> not conform to my requirements (that i would have to define in make.conf).
talk to hardened ... there is already work to trim out all (if possible) suid
binaries ...
> According to what's written on the project side the issue i bring up here is
> not (yet) covered. a secure box can always be compromised by installing
> insecure software. So installing secure software (only) should be made easy
> and verifiable. As portage is responsible for installing software on our
> gentoo machines it should support us in developing and installing secure
> software.
well, there are instances where this is not true, but let's not bother mincing
words on a moot point ;)
> It is dumb (no offense meant) to believe the ebuild-maintainer knows about
> and respects the local Site Security Requirements. It is dumb to believe
> every administrator or user is a security expert and can audit each
> software package before installation.
agreed
but all in all, i'd suggest taking this thread to the hardened list. the
people who are on that list make security their #1 focus. you'd get a very
different reception (probably more useful input) than here on -dev.
-mike
* Re: [gentoo-dev] Ports Security
From: Jan Krueger @ 2003-09-05 14:13 UTC
To: vapier, gentoo-dev
On Friday 05 September 2003 04:17, Mike Frysinger wrote:
> On Thursday 04 September 2003 21:10, Jan Krueger wrote:
> > Hi,
> >
> > is there a guide like
> > http://www.openbsd.org/porting.html#Security
> > in progress? available?
>
> uhh we have gentoo-hardened ... not sure what you're asking about ...
I am asking about something like
http://www.openbsd.org/porting.html#Security
a guide for portage developers how to make sure the things installed are
secure. Just like
http://www.openbsd.org/porting.html#Security
And i am asking about a way for me, the user, administrator, to check the
potential security impacts of the software to install before it is put into
action.
> > Or even better tools bundled in a "esecurity_check":
>
> putting this in an ebuild to be run every time a pkg is unpacked is kind of
> dumb (no offense meant) ...
That's your point of view.
> we have no 'automated' ways for portage to scan
> source code looking for potential security issues, nor should there be ...
> the responsibility lies on the upstream author and the gentoo maintainer,
> and it should stop there ...
No, it should not. Site Security doesn't stop at the ebuild maintainer.
I, as a potential user of "trusted gentoo", would like to have a way to verify
the work of the developer. I might want to use 3rd party ebuilds, commercial
ebuilds, special super-hardened ebuild not in normal portage tree, i might
have requirements completely different from what the developer thought. And also
it is impossible to bring all those ebuild to the high security standard i
mention here, so i should have the possibility to verify at emerge time.
So, instead of "esecurity_check" it should be a portage feature that i can
switch on. After every unpack or even building the image, just before
installation, i would like to see what security impacts the package might
have in its source or how many suid progs it wants to install or whatever.
And if i say so, the ebuild should not install as soon as the scanners detect
that the installed software would not conform to my requirements (that i
would have to define in make.conf).
> perhaps creating tools for developers to use when testing out a new pkg
> would be feasible ...
Yes, that would be very nice.
> then again i think if you want a 'secure' box you
> should follow the excellent work the gentoo-hardened team has put together
According to what's written on the project side the issue i bring up here is
not (yet) covered. a secure box can always be compromised by installing
insecure software. So installing secure software (only) should be made easy
and verifiable. As portage is responsible for installing software on our
gentoo machines it should support us in developing and installing secure
software.
The feature i bring to discussion here is for sure not the overall solution
but a little step in the right direction.
It is dumb (no offense meant) to believe the ebuild-maintainer knows about and
respects the local Site Security Requirements. It is dumb to believe every
administrator or user is a security expert and can audit each software
package before installation.
Jan
> ... -mike
--
gentoo-dev@gentoo.org mailing list
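
The emerge-time check requested in the message above (list the suid programs in the built image and refuse to install when they fall outside site requirements), as an added example that is not part of the thread and not an existing Portage feature. The function names and the newline-separated allowlist are assumptions; the sample image is constructed.

```shell
#!/bin/bash
# Added example: a stand-alone pre-install policy check. It is not a Portage
# feature; the function names and the allowlist format are hypothetical.

# List setuid/setgid regular files under image root $1, one per line,
# as the absolute paths they would have once installed.
list_privileged() {
    ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) -print ) \
        | sed 's|^\.||' | sort
}

# check_image IMAGE ALLOWLIST
# ALLOWLIST is a newline-separated list of installed paths that site policy
# permits to carry setuid/setgid bits. Returns 0 when the image conforms,
# 1 otherwise, naming each offending file on stderr.
check_image() {
    image=$1 allow=$2 bad=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$allow" | grep -Fxq -- "$path"; then
            echo "policy violation: privileged file $path" >&2
            bad=$((bad + 1))
        fi
    done <<EOF
$(list_privileged "$image")
EOF
    [ "$bad" -eq 0 ]
}

# Build a constructed sample image: one ordinary binary, two setuid ones.
make_sample_image() {
    img=$(mktemp -d) || return 1
    mkdir -p "$img/usr/bin" "$img/bin"
    : > "$img/usr/bin/tool";   chmod 0755 "$img/usr/bin/tool"
    : > "$img/bin/ping";       chmod 4755 "$img/bin/ping"
    : > "$img/usr/bin/helper"; chmod 4755 "$img/usr/bin/helper"
    printf '%s\n' "$img"
}

# Demo: site policy allows only /bin/ping, so the sample image is rejected.
img=$(make_sample_image)
check_image "$img" "/bin/ping" || echo "refusing to install: image violates policy"
rm -rf "$img"
```

The check runs against the staged image, so a non-conforming package is rejected before anything reaches the live filesystem.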