From: Mike Frysinger
Reply-To: vapier@gentoo.org
To: gentoo-dev@gentoo.org
Date: Fri, 5 Sep 2003 08:37:18 -0400
Message-Id: <200309050837.19177.vapier@gentoo.org>
Subject: Re: [gentoo-dev] Ports Security

On Friday 05 September 2003 10:13, Jan Krueger wrote:
> a guide for portage developers how to make sure the things installed are
> secure. Just like
> http://www.openbsd.org/porting.html#Security

we don't have one and i don't believe there are plans for one ... again, the
people who would be writing it are the gentoo-hardened team but i haven't seen
any mentions of it on the hardened list ...

> That's your point of view.

not really ... the performance hit is not acceptable

> No, it should not. Site Security doesn't stop at the ebuild maintainer.
> I, as a potential user of "trusted gentoo", would like to have a way to
> verify the work of the developer.

then verify it ... either you trust gentoo developers or you don't ...

> I might want to use 3rd party ebuilds, commercial ebuilds, special
> super-hardened ebuild not in normal portage
> tree, i might have requirement completely different from what the developer
> thought.

like i said this is where the special util or pkg could be utilized that would
do this kind of security scan ... basically it is used whenever the user
wants to do that kind of research. but again, no such thing (afaik) exists.

> And also it is impossible to bring all those ebuild to the high
> security standard i mention here, so i should have the possibility to
> verify at emerge time. So, instead of "esecurity_check" it should be a
> portage feature that i can switch on.

in that vein, no work has been done

> After every unpack or even building
> the image, just before installation, i would like to see what security
> impacts the package might have in its source or how many suid progs it
> wants to install or whatever. And if i say so, the ebuild should not
> install as soon as the scanners detect that the installed software would
> not conform to my requirements (that i would have to define in make.conf).

talk to hardened ... there is already work to trim out all (if possible) suid
binaries ...

> According to what's written on the project side the issue i bring up here is
> not (yet) covered. a secure box can always be compromised by installing
> insecure software. So installing secure software (only) should be made easy
> and verifiable. As portage is responsible for installing software on our
> gentoo machines it should support us in developing and installing secure
> software.

well, there are instances where this is not true, but let's not bother mincing
words on a moot point ;)

> It is dumb (no offense meant) to believe the ebuild-maintainer knows about
> and respects the local Site Security Requirements. It is dumb to believe
> every administrator or user is a security expert and can audit each
> software package before installation.

agreed

but all in all, i'd suggest taking this thread to the hardened list. the
people who are on that list make security their #1 focus. you'd get a very
different reception (probably more useful input) than here on -dev.

-mike
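
The check requested in the quoted text above (see how many suid programs a built image wants to install, and refuse the install when they do not conform to local requirements), sketched as an added example that is not part of this thread and not Portage code. The function names, the one-path-per-line allowlist format and the sample paths are assumptions.

```shell
#!/bin/sh
# Added example (not Portage code): audit a staged install image for
# setuid/setgid files before it is merged. All names are hypothetical.

# Print every setuid or setgid regular file under IMAGE as an absolute
# install path (the image prefix stripped), one per line, sorted.
list_privileged() {
    ( cd "$1" && find . -type f \( -perm -4000 -o -perm -2000 \) -print ) |
        sed 's|^\.||' | sort
}

# Print the privileged files that the allowlist does not name and
# return 1 if there are any, so the caller can refuse to install.
audit_image() {
    image=$1
    allow=$2
    [ -r "$allow" ] || allow=/dev/null   # no allowlist: nothing is allowed
    violations=$(list_privileged "$image" | while IFS= read -r path; do
        grep -Fxq -- "$path" "$allow" || printf '%s\n' "$path"
    done)
    if [ -n "$violations" ]; then
        printf '%s\n' "$violations"
        return 1
    fi
    return 0
}

# Constructed sample: an image with one allowed and one unexpected
# setuid binary, plus an ordinary executable.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/image/usr/bin" "$tmp/image/bin"
    for f in usr/bin/viewer usr/bin/helper bin/tool; do
        printf '#!/bin/sh\n' > "$tmp/image/$f"
    done
    chmod 4755 "$tmp/image/usr/bin/viewer" "$tmp/image/usr/bin/helper"
    chmod 0755 "$tmp/image/bin/tool"
    printf '/usr/bin/viewer\n' > "$tmp/allow.txt"
    if audit_image "$tmp/image" "$tmp/allow.txt"; then
        echo "image conforms to policy"
    else
        echo "refusing to install: unexpected setuid/setgid files listed above"
    fi
    rm -rf "$tmp"
}
demo
```

The allowlist is matched as exact whole-line paths, so a package that moves a privileged binary to a new location fails the audit until the list is updated.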