[gentoo-dev] Guidelines for dangerous USE flags
From: Michael Orlitzky
Date: 2017-08-22 17:22 UTC
To: gentoo-dev

The net-analyzer/nrpe package has a ./configure flag:

  --enable-command-args   allows clients to specify command arguments.
                          *** THIS IS A SECURITY RISK! ***
                          Read the SECURITY file before using this option!

Back in nrpe-2.x, it was available via USE=command-args, but I dropped it
from nrpe-3.x, and a user just asked about it (bug 628596). There are at
least two things we could do with a dangerous flag like that:

1) require EXTRA_ECONF to enable it.
2) hide it behind a masked USE flag.

Both options require about the same amount of work from the user, namely
editing something under /etc/portage. What do y'all think is the best way
to proceed? Are there other examples in the tree I could follow?
Re: [gentoo-dev] Guidelines for dangerous USE flags
From: Sven Vermeulen
Date: 2017-08-22 17:37 UTC
To: gentoo-dev

On Tue, Aug 22, 2017 at 01:22:51PM -0400, Michael Orlitzky wrote:
> The net-analyzer/nrpe package has a ./configure flag:
>
>   --enable-command-args   allows clients to specify command arguments.
>                           *** THIS IS A SECURITY RISK! ***
>                           Read the SECURITY file before using this option!
>
> Back in nrpe-2.x, it was available via USE=command-args, but I dropped
> it from nrpe-3.x, and a user just asked about it (bug 628596). There are
> at least two things we could do with a dangerous flag like that:
>
> 1) require EXTRA_ECONF to enable it.
> 2) hide it behind a masked USE flag.
>
> Both options require about the same amount of work from the user, namely
> editing something under /etc/portage. What do y'all think is the best
> way to proceed? Are there other examples in the tree I could follow?

I like the masked USE flag approach. Using EXTRA_ECONF requires a bit more
work from the user (not much though) but is less visible afterwards in my
opinion.

Perhaps a name that implies that there is a security risk could be
interesting, but that's a minor suggestion.

Is there a way we could somehow ensure that a USE flag is never set
globally, but only on a per-package basis?

Wkr,
  Sven Vermeulen
[gentoo-dev] Re: Guidelines for dangerous USE flags
From: Duncan
Date: 2017-08-24 03:06 UTC
To: gentoo-dev

Sven Vermeulen posted on Tue, 22 Aug 2017 17:37:51 +0000 as excerpted:

> On Tue, Aug 22, 2017 at 01:22:51PM -0400, Michael Orlitzky wrote:
>> The net-analyzer/nrpe package has a ./configure flag:
>>
>>   --enable-command-args   allows clients to specify command arguments.
>>                           *** THIS IS A SECURITY RISK! ***
>>                           Read the SECURITY file before using this option!
>>
>> Back in nrpe-2.x, it was available via USE=command-args, but I dropped
>> it from nrpe-3.x, and a user just asked about it (bug 628596). There
>> are at least two things we could do with a dangerous flag like that:
>>
>> 1) require EXTRA_ECONF to enable it.
>> 2) hide it behind a masked USE flag.
>>
>> Both options require about the same amount of work from the user,
>> namely editing something under /etc/portage. What do y'all think is the
>> best way to proceed? Are there other examples in the tree I could
>> follow?
>
> I like the masked USE flag approach. Using EXTRA_ECONF requires a bit
> more work from the user (not much though) but is less visible afterwards
> in my opinion.
>
> Perhaps a name that implies that there is a security risk could be
> interesting, but that's a minor suggestion.

IDR which package it was on, but I remember investigating a USE flag
called GAPING_SECURITY_HOLE or some such, on some package at some point.
Turned out it was pretty much just that, but someone needed the feature it
controlled on their firewalled LAN, and this flag is what the maintainer
came up with as a solution.

> Is there a way we could somehow ensure that a USE flag is never set
> globally, but only on a per-package basis?

The only mechanism I'm aware of for that, a hack but arguably an effective
one, is including the package name in the USE flag.

Combining all three suggestions, a masked USE flag including the name of
the package and a warning such as GAPING_SECURITY_HOLE (the ALL CAPS helps
distinguish it too, since most USE flags are lowercase) in the name, say
as ...

  nrpe-command-args-SECURITY-HOLE

or just

  nrpe-GAPING-SECURITY-HOLE

... seems to me the most effective. Anyone that would even *think* to
enable something like that without doing some *serious* investigation
first, arguably shouldn't be using gentoo in the first place.

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
Re: [gentoo-dev] Re: Guidelines for dangerous USE flags
From: Kent Fredric
Date: 2017-08-29 09:21 UTC
To: gentoo-dev

On Thu, 24 Aug 2017 03:06:13 +0000 (UTC)
Duncan <1i5t5.duncan@cox.net> wrote:

>   nrpe-command-args-SECURITY-HOLE
> or just
>   nrpe-GAPING-SECURITY-HOLE

That's probably excessive; if you set that USE flag globally, you deserve
what you get.

And if you are responsible and you know what you're getting, then you
should be allowed to do that (even though I struggle to understand why).

For everything else there is /etc/portage/package.use.

Or maybe it could be a required-use:

  REQUIRED_USE="nrpe? ( GAPING_SECURITY_HOLE )"

Alternatively, you could have a pkg_pretend like:

  pkg_pretend() {
      # Refuse the merge unless the admin has listed this exact package
      # in GAPING_SECURITY_HOLE (left unquoted so `has` sees each entry
      # as a separate word).
      if use nrpe && ! has "${CATEGORY}/${PN}" ${GAPING_SECURITY_HOLE}; then
          einfo "nrpe feature introduces a security risk where in blah blah"
          einfo "  blah, please read https://wiki.gentoo.org/etc/etc for"
          einfo "  details and how to enable this"
          die "Security Hole Not Permitted"
      fi
  }

But I say that only because the current REQUIRED_USE feature makes it nigh
impossible to understand from a human perspective what that assertion
means.
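To make the gate Kent sketches concrete, here is an added, stand-alone shell model of it. It is not code from the thread, from the nrpe ebuild or from Portage: Portage's `has` helper is re-implemented so the logic runs outside an ebuild, the `use nrpe` query is replaced by an explicit "on"/"off" argument, and the GAPING_SECURITY_HOLE allow-list is passed in as a string instead of being read from make.conf. The package name net-analyzer/nrpe and the variable name come from the thread; the function names and the opt-in mechanism are assumptions.

```shell
#!/bin/sh
# Added example: a stand-alone model of the pkg_pretend gate discussed in
# the thread. Nothing here is Portage's own code; `has` is stubbed so the
# check can be exercised with plain sh.

# Stub of Portage's has(): succeed if $1 equals one of the remaining words.
has() {
    needle=$1
    shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# Decide whether the dangerous feature may be built.
#   $1  "on" or "off": whether the USE flag is set for this package
#   $2  CATEGORY/PN of the package being merged
#   $3  space-separated allow-list, standing in for GAPING_SECURITY_HOLE
# Returns 0 when the merge may proceed, 1 when it must be refused.
dangerous_flag_permitted() {
    flag_state=$1
    pkg=$2
    allowlist=$3
    # Feature not requested: nothing to gate.
    [ "$flag_state" = "on" ] || return 0
    # Feature requested: a global USE setting alone is not enough; the
    # admin must have listed this exact package. The list is deliberately
    # unquoted so each entry becomes a separate word for has().
    # shellcheck disable=SC2086
    has "$pkg" $allowlist
}

# Mimic pkg_pretend: explain the refusal on stderr and fail the merge.
pretend_check() {
    if ! dangerous_flag_permitted "$1" "$2" "$3"; then
        echo "USE=command-args lets NRPE clients supply command arguments; read nrpe's SECURITY file." >&2
        echo "To opt in, list $2 in GAPING_SECURITY_HOLE (assumed mechanism from the thread)." >&2
        return 1
    fi
    return 0
}

# Stand-alone demonstration: the first merge is allowed, the second refused.
pretend_check on  net-analyzer/nrpe "net-analyzer/nrpe" && echo "nrpe: opted in, merge allowed"
pretend_check on  net-analyzer/nrpe "" || echo "nrpe: flag set but not opted in, merge refused"
```

The point the model makes is the one Sven asked for: because the allow-list is keyed on CATEGORY/PN rather than on the USE flag, a flag turned on globally in make.conf still fails the check for every package the admin did not name explicitly.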
[gentoo-dev] Re: Guidelines for dangerous USE flags
From: Duncan
Date: 2017-08-29 10:21 UTC
To: gentoo-dev

Kent Fredric posted on Tue, 29 Aug 2017 21:21:09 +1200 as excerpted:

> On Thu, 24 Aug 2017 03:06:13 +0000 (UTC)
> Duncan <1i5t5.duncan@cox.net> wrote:
>
>> nrpe-command-args-SECURITY-HOLE or just nrpe-GAPING-SECURITY-HOLE
>
> That's probably excessive, if you set that USE flag globally, you
> deserve what you get.
>
> And if you are responsible and you know what you're getting, then you
> should be allowed to do that ( even though I struggle to understand why
> )

Good point.

(And the global-use "why" might conceivably be creating a deliberate
multiple-vulnerability distro for people to test their exploit abilities
and techniques on, like the one I remember reading about awhile back.
Unfortunately IDR the name, but someone will likely reply with it...)

-- 
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
Re: [gentoo-dev] Guidelines for dangerous USE flags
From: Robin H. Johnson
Date: 2017-08-22 18:44 UTC
To: gentoo-dev

On Tue, Aug 22, 2017 at 01:22:51PM -0400, Michael Orlitzky wrote:
> 1) require EXTRA_ECONF to enable it.
> 2) hide it behind a masked USE flag.
>
> Both options require about the same amount of work from the user, namely
> editing something under /etc/portage. What do y'all think is the best
> way to proceed? Are there other examples in the tree I could follow?

From a Gentoo Infrastructure team perspective, we'd strongly prefer USE
flags, because that fits better into existing configuration management
tools, almost none of which have handling for EXTRA_ECONF or rebuilding
after EXTRA_ECONF changes (rebuild-on-USE-change is supported).

And please do bring that option back; we do use it for NRPE in a limited
set of cases (eg to avoid hard-coding passwords into the NRPE config).

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Trustee & Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
Re: [gentoo-dev] Guidelines for dangerous USE flags
From: Michael Orlitzky
Date: 2017-08-24 15:22 UTC
To: gentoo-dev

On 08/22/2017 02:44 PM, Robin H. Johnson wrote:
> From a Gentoo Infrastructure team perspective, we'd strongly prefer USE
> flags, because that fits better into existing configuration management
> tools, almost none of which have handling for EXTRA_ECONF or rebuilding
> after EXTRA_ECONF changes (rebuild-on-USE-change is supported).
>
> And please do bring that option back, we do use it for NRPE in a limited
> set of cases (eg to avoid hard-coding passwords into the NRPE config).

It's back, but the flag is masked. Since the USE flag mask is going to
retroactively hit people who use --newuse, I suggest adding

  net-analyzer/nrpe -command-args

to your /etc/portage/profile/package.use.mask right now, to avoid
surprises.
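As an added illustration of the mask and the user-side override Michael describes (not configuration taken from the thread or from the Gentoo tree), here are the three Portage fragments involved. The user-side paths are the standard ones Michael names; the tree-side location (a profile-level package.use.mask) and the maintainer comment are assumptions about how such a mask is usually recorded.

```conf
# Tree side: profile-level package.use.mask (location assumed, e.g. profiles/base/package.use.mask).
# <maintainer> (<date>)   <- placeholders, not the real entry
# Allows NRPE clients to pass command arguments; read nrpe's SECURITY file before unmasking.
net-analyzer/nrpe command-args

# User side, step 1: /etc/portage/profile/package.use.mask
# A leading "-" lifts the profile's mask for this one package only.
net-analyzer/nrpe -command-args

# User side, step 2: /etc/portage/package.use/nrpe
# With the mask lifted, enable the flag per package rather than globally in make.conf.
net-analyzer/nrpe command-args
```

Without step 1, a host that already had USE=command-args enabled sees the flag forced off by the profile mask at its next `emerge --newuse` (or `--changed-use`) run, which is the retroactive surprise Michael warns about; a configuration management tool that manages these two files gets the rebuild-on-USE-change behaviour Robin asked for.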
Re: [gentoo-dev] Guidelines for dangerous USE flags
From: William Hubbs
Date: 2017-08-25 22:07 UTC
To: gentoo-dev

On Thu, Aug 24, 2017 at 11:22:24AM -0400, Michael Orlitzky wrote:
> On 08/22/2017 02:44 PM, Robin H. Johnson wrote:
> > From a Gentoo Infrastructure team perspective, we'd strongly prefer USE
> > flags, because that fits better into existing configuration management
> > tools, almost none of which have handling for EXTRA_ECONF or rebuilding
> > after EXTRA_ECONF changes (rebuild-on-USE-change is supported).
> >
> > And please do bring that option back, we do use it for NRPE in a limited
> > set of cases (eg to avoid hard-coding passwords into the NRPE config).
>
> It's back, but the flag is masked. Since the USE flag mask is going to
> retroactively hit people who use --newuse, I suggest adding

I don't recommend masking it. If it is off by default, you can always
output a warning via ewarn if users enable it.

William