* [gentoo-dev] Guidelines for dangerous USE flags
@ 2017-08-22 17:22 Michael Orlitzky
2017-08-22 17:37 ` Sven Vermeulen
2017-08-22 18:44 ` [gentoo-dev] " Robin H. Johnson
0 siblings, 2 replies; 8+ messages in thread
From: Michael Orlitzky @ 2017-08-22 17:22 UTC (permalink / raw
To: gentoo-dev
The net-analyzer/nrpe package has a ./configure flag:
--enable-command-args allows clients to specify command arguments. ***
THIS IS A SECURITY RISK! *** Read the SECURITY
file before using this option!
Back in nrpe-2.x, it was available via USE=command-args, but I dropped
it from nrpe-3.x, and a user just asked about it (bug 628596). There are
at least two things we could do with a dangerous flag like that:
1) require EXTRA_ECONF to enable it.
2) hide it behind a masked USE flag.
Both options require about the same amount of work from the user, namely
editing something under /etc/portage. What do y'all think is the best
way to proceed? Are there other examples in the tree I could follow?
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-dev] Guidelines for dangerous USE flags
2017-08-22 17:22 [gentoo-dev] Guidelines for dangerous USE flags Michael Orlitzky
@ 2017-08-22 17:37 ` Sven Vermeulen
2017-08-24 3:06 ` [gentoo-dev] " Duncan
2017-08-22 18:44 ` [gentoo-dev] " Robin H. Johnson
1 sibling, 1 reply; 8+ messages in thread
From: Sven Vermeulen @ 2017-08-22 17:37 UTC (permalink / raw
To: gentoo-dev
On Tue, Aug 22, 2017 at 01:22:51PM -0400, Michael Orlitzky wrote:
> The net-analyzer/nrpe package has a ./configure flag:
>
> --enable-command-args allows clients to specify command arguments. ***
> THIS IS A SECURITY RISK! *** Read the SECURITY
> file before using this option!
>
> Back in nrpe-2.x, it was available via USE=command-args, but I dropped
> it from nrpe-3.x, and a user just asked about it (bug 628596). There are
> at least two things we could do with a dangerous flag like that:
>
> 1) require EXTRA_ECONF to enable it.
> 2) hide it behind a masked USE flag.
>
> Both options require about the same amount of work from the user, namely
> editing something under /etc/portage. What do y'all think is the best
> way to proceed? Are there other examples in the tree I could follow?
I like the masked USE flag approach. Using EXTRA_ECONF requires a bit more
work from the user (not much though) but is less visible afterwards in my
opinion.
Perhaps a name that implies that there is a security risk could be
interesting, but that's a minor suggestion.
Is there a way we could somehow ensure that a USE flag is never set
globally, but only on a per-package basis?
Wkr,
Sven Vermeulen
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-dev] Guidelines for dangerous USE flags
2017-08-22 17:22 [gentoo-dev] Guidelines for dangerous USE flags Michael Orlitzky
2017-08-22 17:37 ` Sven Vermeulen
@ 2017-08-22 18:44 ` Robin H. Johnson
2017-08-24 15:22 ` Michael Orlitzky
1 sibling, 1 reply; 8+ messages in thread
From: Robin H. Johnson @ 2017-08-22 18:44 UTC (permalink / raw
To: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 1042 bytes --]
On Tue, Aug 22, 2017 at 01:22:51PM -0400, Michael Orlitzky wrote:
> 1) require EXTRA_ECONF to enable it.
> 2) hide it behind a masked USE flag.
>
> Both options require about the same amount of work from the user, namely
> editing something under /etc/portage. What do y'all think is the best
> way to proceed? Are there other examples in the tree I could follow?
From a Gentoo Infrastructure team perspective, we'd strongly prefer USE
flags, because that fits better into existing configuration management
tools, almost none of which have handling for EXTRA_ECONF or rebuilding
after EXTRA_ECONF changes (rebuild-on-USE-change is supported).
And please do bring that option back, we do use it for NRPE in a limited
set of cases (eg to avoid hard-coding passwords into the NRPE config).
--
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Trustee & Treasurer
E-Mail : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 1113 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* [gentoo-dev] Re: Guidelines for dangerous USE flags
2017-08-22 17:37 ` Sven Vermeulen
@ 2017-08-24 3:06 ` Duncan
2017-08-29 9:21 ` Kent Fredric
0 siblings, 1 reply; 8+ messages in thread
From: Duncan @ 2017-08-24 3:06 UTC (permalink / raw
To: gentoo-dev
Sven Vermeulen posted on Tue, 22 Aug 2017 17:37:51 +0000 as excerpted:
> On Tue, Aug 22, 2017 at 01:22:51PM -0400, Michael Orlitzky wrote:
>> The net-analyzer/nrpe package has a ./configure flag:
>>
>> --enable-command-args allows clients to specify command arguments.
>> *** THIS IS A SECURITY RISK! ***
>> Read the SECURITY file before
>> using this option!
>>
>> Back in nrpe-2.x, it was available via USE=command-args, but I dropped
>> it from nrpe-3.x, and a user just asked about it (bug 628596). There
>> are at least two things we could do with a dangerous flag like that:
>>
>> 1) require EXTRA_ECONF to enable it.
>> 2) hide it behind a masked USE flag.
>>
>> Both options require about the same amount of work from the user,
>> namely editing something under /etc/portage. What do y'all think is the
>> best way to proceed? Are there other examples in the tree I could
>> follow?
>
> I like the masked USE flag approach. Using EXTRA_ECONF requires a bit
> more work from the user (not much though) but is less visible afterwards
> in my opinion.
>
> Perhaps a name that implies that there is a security risk could be
> interesting, but that's a minor suggestion.
IDR which package it was on, but I remember investigating a USE flag
called GAPING_SECURITY_HOLE or some such, on some package at some point.
Turned out it was pretty much just that, but someone needed the feature
it controlled on their firewalled LAN, and this flag is what the
maintainer came up with as a solution.
> Is there a way we could somehow ensure that a USE flag is never set
> globally, but only on a per-package basis?
The only mechanism I'm aware of for that, a hack but arguably an
effective one, is including the package name in the USE flag.
Combining all three suggestions, masked USE flag including the name of
the package and a warning such as GAPING_SECURITY_HOLE (the ALL CAPS
helps distinguish it too, since most USE flags are lowercase) in the
name, say as ...
nrpe-command-args-SECURITY-HOLE
or just
nrpe-GAPING-SECURITY-HOLE
... seems to me the most effective. Anyone that would even *think* to
enable something like that without doing some *serious* investigation
first, arguably shouldn't be using gentoo in the first place.
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-dev] Guidelines for dangerous USE flags
2017-08-22 18:44 ` [gentoo-dev] " Robin H. Johnson
@ 2017-08-24 15:22 ` Michael Orlitzky
2017-08-25 22:07 ` William Hubbs
0 siblings, 1 reply; 8+ messages in thread
From: Michael Orlitzky @ 2017-08-24 15:22 UTC (permalink / raw
To: gentoo-dev
On 08/22/2017 02:44 PM, Robin H. Johnson wrote:
> From a Gentoo Infrastructure team perspective, we'd strongly prefer USE
> flags, because that fits better into existing configuration management
> tools, almost none of which have handling for EXTRA_ECONF or rebuilding
> after EXTRA_ECONF changes (rebuild-on-USE-change is supported).
>
> And please do bring that option back, we do use it for NRPE in a limited
> set of cases (eg to avoid hard-coding passwords into the NRPE config).
>
It's back, but the flag is masked. Since the USE flag mask is going to
retroactively hit people who use --newuse, I suggest adding
net-analyzer/nrpe -command-args
to your
/etc/portage/profile/package.use.mask
right now, to avoid surprises.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-dev] Guidelines for dangerous USE flags
2017-08-24 15:22 ` Michael Orlitzky
@ 2017-08-25 22:07 ` William Hubbs
0 siblings, 0 replies; 8+ messages in thread
From: William Hubbs @ 2017-08-25 22:07 UTC (permalink / raw
To: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 858 bytes --]
On Thu, Aug 24, 2017 at 11:22:24AM -0400, Michael Orlitzky wrote:
> On 08/22/2017 02:44 PM, Robin H. Johnson wrote:
> > From a Gentoo Infrastructure team perspective, we'd strongly prefer USE
> > flags, because that fits better into existing configuration management
> > tools, almost none of which have handling for EXTRA_ECONF or rebuilding
> > after EXTRA_ECONF changes (rebuild-on-USE-change is supported).
> >
> > And please do bring that option back, we do use it for NRPE in a limited
> > set of cases (eg to avoid hard-coding passwords into the NRPE config).
> >
>
> It's back, but the flag is masked. Since the USE flag mask is going to
> retroactively hit people who use --newuse, I suggest adding
I don't recommend masking it. If it is off by default, you can always
output a warning via ewarn if users enable it.
William
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [gentoo-dev] Re: Guidelines for dangerous USE flags
2017-08-24 3:06 ` [gentoo-dev] " Duncan
@ 2017-08-29 9:21 ` Kent Fredric
2017-08-29 10:21 ` Duncan
0 siblings, 1 reply; 8+ messages in thread
From: Kent Fredric @ 2017-08-29 9:21 UTC (permalink / raw
To: gentoo-dev
[-- Attachment #1: Type: text/plain, Size: 1099 bytes --]
On Thu, 24 Aug 2017 03:06:13 +0000 (UTC)
Duncan <1i5t5.duncan@cox.net> wrote:
> nrpe-command-args-SECURITY-HOLE
> or just
> nrpe-GAPING-SECURITY-HOLE
That's probably excessive, if you set that USE flag globally, you
deserve what you get.
And if you are responsible and you know what you're getting, then you
should be allowed to do that ( even though I struggle to understand why
)
For everything else there are etc/portage/package.use
Or maybe it could be a required-use:
REQUIRED_USE="nrpe? ( GAPING_SECURITY_HOLE )"
Alternatively, you could have a pkg_pretend like:
pkg_pretend() {
if [[use nrpe && ! has "${CATEGORY}/${PN}" "${GAPING_SECURITY_HOLE}" ]]; then
einfo "nrpe feature introduces a security risk where in blah blah"
einfo " blah, please read https://wiki.gentoo.org/etc/etc for"
einfo " details and how to enable this"
die "Security Hole Not Permitted"
fi
}
But I say that only because current REQUIRED_USE feature makes it nigh
impossible to understand from a human perspective what that assertion
means.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* [gentoo-dev] Re: Guidelines for dangerous USE flags
2017-08-29 9:21 ` Kent Fredric
@ 2017-08-29 10:21 ` Duncan
0 siblings, 0 replies; 8+ messages in thread
From: Duncan @ 2017-08-29 10:21 UTC (permalink / raw
To: gentoo-dev
Kent Fredric posted on Tue, 29 Aug 2017 21:21:09 +1200 as excerpted:
> On Thu, 24 Aug 2017 03:06:13 +0000 (UTC)
> Duncan <1i5t5.duncan@cox.net> wrote:
>
>> nrpe-command-args-SECURITY-HOLE or just nrpe-GAPING-SECURITY-HOLE
>
> That's probably excessive, if you set that USE flag globally, you
> deserve what you get.
>
> And if you are responsible and you know what you're getting, then you
> should be allowed to do that ( even though I struggle to understand why
> )
Good point.
(And the global-use "why" might conceivably be creating a deliberate
multiple-vulnerability distro for people to test their exploit abilities
and techniques on, like the one I remember reading about awhile back.
Unfortunately IDR the name, but someone will likely reply with it...)
--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2017-08-29 10:22 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-08-22 17:22 [gentoo-dev] Guidelines for dangerous USE flags Michael Orlitzky
2017-08-22 17:37 ` Sven Vermeulen
2017-08-24 3:06 ` [gentoo-dev] " Duncan
2017-08-29 9:21 ` Kent Fredric
2017-08-29 10:21 ` Duncan
2017-08-22 18:44 ` [gentoo-dev] " Robin H. Johnson
2017-08-24 15:22 ` Michael Orlitzky
2017-08-25 22:07 ` William Hubbs
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox