public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Guidelines for dangerous USE flags
@ 2017-08-22 17:22 Michael Orlitzky
  2017-08-22 17:37 ` Sven Vermeulen
  2017-08-22 18:44 ` [gentoo-dev] " Robin H. Johnson
  0 siblings, 2 replies; 8+ messages in thread
From: Michael Orlitzky @ 2017-08-22 17:22 UTC (permalink / raw)
  To: gentoo-dev

The net-analyzer/nrpe package has a ./configure flag:

--enable-command-args   allows clients to specify command arguments. ***
                        THIS IS A SECURITY RISK! *** Read the SECURITY
                        file before using this option!

Back in nrpe-2.x, it was available via USE=command-args, but I dropped
it from nrpe-3.x, and a user just asked about it (bug 628596). There are
at least two things we could do with a dangerous flag like that:

  1) require EXTRA_ECONF to enable it.
  2) hide it behind a masked USE flag.

Both options require about the same amount of work from the user, namely
editing something under /etc/portage. What do y'all think is the best
way to proceed? Are there other examples in the tree I could follow?



* Re: [gentoo-dev] Guidelines for dangerous USE flags
  2017-08-22 17:22 [gentoo-dev] Guidelines for dangerous USE flags Michael Orlitzky
@ 2017-08-22 17:37 ` Sven Vermeulen
  2017-08-24  3:06   ` [gentoo-dev] " Duncan
  2017-08-22 18:44 ` [gentoo-dev] " Robin H. Johnson
  1 sibling, 1 reply; 8+ messages in thread
From: Sven Vermeulen @ 2017-08-22 17:37 UTC (permalink / raw)
  To: gentoo-dev

On Tue, Aug 22, 2017 at 01:22:51PM -0400, Michael Orlitzky wrote:
> The net-analyzer/nrpe package has a ./configure flag:
> 
> --enable-command-args   allows clients to specify command arguments. ***
>                         THIS IS A SECURITY RISK! *** Read the SECURITY
>                         file before using this option!
> 
> Back in nrpe-2.x, it was available via USE=command-args, but I dropped
> it from nrpe-3.x, and a user just asked about it (bug 628596). There are
> at least two things we could do with a dangerous flag like that:
> 
>   1) require EXTRA_ECONF to enable it.
>   2) hide it behind a masked USE flag.
> 
> Both options require about the same amount of work from the user, namely
> editing something under /etc/portage. What do y'all think is the best
> way to proceed? Are there other examples in the tree I could follow?

I like the masked USE flag approach. Using EXTRA_ECONF requires a bit more
work from the user (not much though) but is less visible afterwards in my
opinion.

Perhaps a name that implies that there is a security risk could be
interesting, but that's a minor suggestion.

Is there a way we could somehow ensure that a USE flag is never set
globally, but only on a per-package basis?

Wkr,
	Sven Vermeulen



* Re: [gentoo-dev] Guidelines for dangerous USE flags
  2017-08-22 17:22 [gentoo-dev] Guidelines for dangerous USE flags Michael Orlitzky
  2017-08-22 17:37 ` Sven Vermeulen
@ 2017-08-22 18:44 ` Robin H. Johnson
  2017-08-24 15:22   ` Michael Orlitzky
  1 sibling, 1 reply; 8+ messages in thread
From: Robin H. Johnson @ 2017-08-22 18:44 UTC (permalink / raw)
  To: gentoo-dev


On Tue, Aug 22, 2017 at 01:22:51PM -0400, Michael Orlitzky wrote:
>   1) require EXTRA_ECONF to enable it.
>   2) hide it behind a masked USE flag.
> 
> Both options require about the same amount of work from the user, namely
> editing something under /etc/portage. What do y'all think is the best
> way to proceed? Are there other examples in the tree I could follow?

From a Gentoo Infrastructure team perspective, we'd strongly prefer USE
flags, because that fits better into existing configuration management
tools, almost none of which have handling for EXTRA_ECONF or rebuilding
after EXTRA_ECONF changes (rebuild-on-USE-change is supported).

And please do bring that option back, we do use it for NRPE in a limited
set of cases (e.g. to avoid hard-coding passwords into the NRPE config).

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Trustee & Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136



* [gentoo-dev] Re: Guidelines for dangerous USE flags
  2017-08-22 17:37 ` Sven Vermeulen
@ 2017-08-24  3:06   ` Duncan
  2017-08-29  9:21     ` Kent Fredric
  0 siblings, 1 reply; 8+ messages in thread
From: Duncan @ 2017-08-24  3:06 UTC (permalink / raw)
  To: gentoo-dev

Sven Vermeulen posted on Tue, 22 Aug 2017 17:37:51 +0000 as excerpted:

> On Tue, Aug 22, 2017 at 01:22:51PM -0400, Michael Orlitzky wrote:
>> The net-analyzer/nrpe package has a ./configure flag:
>> 
>> --enable-command-args   allows clients to specify command arguments.
>>                         *** THIS IS A SECURITY RISK! ***
>>                         Read the SECURITY file before
>>                         using this option!
>> 
>> Back in nrpe-2.x, it was available via USE=command-args, but I dropped
>> it from nrpe-3.x, and a user just asked about it (bug 628596). There
>> are at least two things we could do with a dangerous flag like that:
>> 
>>   1) require EXTRA_ECONF to enable it.
>>   2) hide it behind a masked USE flag.
>> 
>> Both options require about the same amount of work from the user,
>> namely editing something under /etc/portage. What do y'all think is the
>> best way to proceed? Are there other examples in the tree I could
>> follow?
> 
> I like the masked USE flag approach. Using EXTRA_ECONF requires a bit
> more work from the user (not much though) but is less visible afterwards
> in my opinion.
> 
> Perhaps a name that implies that there is a security risk could be
> interesting, but that's a minor suggestion.

IDR which package it was on, but I remember investigating a USE flag 
called GAPING_SECURITY_HOLE or some such, on some package at some point.  
Turned out it was pretty much just that, but someone needed the feature 
it controlled on their firewalled LAN, and this flag is what the 
maintainer came up with as a solution.

> Is there a way we could somehow ensure that a USE flag is never set
> globally, but only on a per-package basis?

The only mechanism I'm aware of for that, a hack but arguably an 
effective one, is including the package name in the USE flag.

Combining all three suggestions, masked USE flag including the name of 
the package and a warning such as GAPING_SECURITY_HOLE (the ALL CAPS 
helps distinguish it too, since most USE flags are lowercase) in the 
name, say as ...

nrpe-command-args-SECURITY-HOLE
or just
nrpe-GAPING-SECURITY-HOLE

... seems to me the most effective.  Anyone that would even *think* to 
enable something like that without doing some *serious* investigation 
first, arguably shouldn't be using gentoo in the first place.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman




* Re: [gentoo-dev] Guidelines for dangerous USE flags
  2017-08-22 18:44 ` [gentoo-dev] " Robin H. Johnson
@ 2017-08-24 15:22   ` Michael Orlitzky
  2017-08-25 22:07     ` William Hubbs
  0 siblings, 1 reply; 8+ messages in thread
From: Michael Orlitzky @ 2017-08-24 15:22 UTC (permalink / raw)
  To: gentoo-dev

On 08/22/2017 02:44 PM, Robin H. Johnson wrote:
> From a Gentoo Infrastructure team perspective, we'd strongly prefer USE
> flags, because that fits better into existing configuration management
> tools, almost none of which have handling for EXTRA_ECONF or rebuilding
> after EXTRA_ECONF changes (rebuild-on-USE-change is supported).
> 
> And please do bring that option back, we do use it for NRPE in a limited
> set of cases (eg to avoid hard-coding passwords into the NRPE config).
> 

It's back, but the flag is masked. Since the USE flag mask is going to
retroactively hit people who use --newuse, I suggest adding

  net-analyzer/nrpe -command-args

to your

  /etc/portage/profile/package.use.mask

right now, to avoid surprises.
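The mask semantics described above, as an added example that is not part of the original thread: a small Python model of how stacked package.use.mask files decide whether command-args is masked for net-analyzer/nrpe, and why someone who had the flag enabled would see a --newuse rebuild once the tree mask lands unless they revert it in /etc/portage/profile/package.use.mask. It assumes bare category/package atoms (no version operators, slots or wildcards), files applied in profile order with the user's overrides last, and the documented Portage rule that a '-' prefix in a later file reverts an earlier mask.

```python
"""Stack Portage package.use.mask files and compute a USE flag's effective state.

Added illustration, not Portage's own code.  Assumptions: atoms are bare
category/package names (no version operators, slots or wildcards); files apply
in profile order, the user's /etc/portage/profile/* last; a flag prefixed with
'-' reverts an earlier mask, as Portage documents."""
from typing import Dict, Iterable, List, Tuple

Key = Tuple[str, str]  # (category/package, flag)


def parse_package_use(text: str) -> List[Tuple[str, str, bool]]:
    """Return (atom, flag, asserted) triples in file order.  '#' starts a
    comment; a leading '-' negates the flag (unmask in *.mask, off in use)."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        atom, *flags = line.split()
        for flag in flags:
            out.append((atom, flag.lstrip("-"), not flag.startswith("-")))
    return out


def stack(files: Iterable[str]) -> Dict[Key, bool]:
    """Apply files in order; the last statement about a key wins."""
    state: Dict[Key, bool] = {}
    for text in files:
        for atom, flag, asserted in parse_package_use(text):
            state[(atom, flag)] = asserted
    return state


def is_masked(mask_files: Iterable[str], atom: str, flag: str) -> bool:
    return stack(mask_files).get((atom, flag), False)


def effective_use(mask_files, use_files, atom: str, flag: str) -> bool:
    """A flag is on only if package.use enables it AND no mask wins."""
    enabled = stack(use_files).get((atom, flag), False)
    return enabled and not is_masked(mask_files, atom, flag)


# Constructed sample files, not copied from the Gentoo tree.
PROFILE_MASK = "# lets nrpe clients pass command args\nnet-analyzer/nrpe command-args\n"
USER_UNMASK = "net-analyzer/nrpe -command-args\n"  # /etc/portage/profile/package.use.mask
USER_USE = "net-analyzer/nrpe command-args\n"  # /etc/portage/package.use

if __name__ == "__main__":
    a, f = "net-analyzer/nrpe", "command-args"
    print(effective_use([], [USER_USE], a, f),  # True: system was built with the flag
          effective_use([PROFILE_MASK], [USER_USE], a, f),  # False: --newuse rebuilds
          effective_use([PROFILE_MASK, USER_UNMASK], [USER_USE], a, f))  # True again
```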



* Re: [gentoo-dev] Guidelines for dangerous USE flags
  2017-08-24 15:22   ` Michael Orlitzky
@ 2017-08-25 22:07     ` William Hubbs
  0 siblings, 0 replies; 8+ messages in thread
From: William Hubbs @ 2017-08-25 22:07 UTC (permalink / raw)
  To: gentoo-dev


On Thu, Aug 24, 2017 at 11:22:24AM -0400, Michael Orlitzky wrote:
> On 08/22/2017 02:44 PM, Robin H. Johnson wrote:
> > From a Gentoo Infrastructure team perspective, we'd strongly prefer USE
> > flags, because that fits better into existing configuration management
> > tools, almost none of which have handling for EXTRA_ECONF or rebuilding
> > after EXTRA_ECONF changes (rebuild-on-USE-change is supported).
> > 
> > And please do bring that option back, we do use it for NRPE in a limited
> > set of cases (eg to avoid hard-coding passwords into the NRPE config).
> > 
> 
> It's back, but the flag is masked. Since the USE flag mask is going to
> retroactively hit people who use --newuse, I suggest adding

I don't recommend masking it. If it is off by default, you can always
output a warning via ewarn if users enable it.

William




* Re: [gentoo-dev] Re: Guidelines for dangerous USE flags
  2017-08-24  3:06   ` [gentoo-dev] " Duncan
@ 2017-08-29  9:21     ` Kent Fredric
  2017-08-29 10:21       ` Duncan
  0 siblings, 1 reply; 8+ messages in thread
From: Kent Fredric @ 2017-08-29  9:21 UTC (permalink / raw)
  To: gentoo-dev


On Thu, 24 Aug 2017 03:06:13 +0000 (UTC)
Duncan <1i5t5.duncan@cox.net> wrote:

> nrpe-command-args-SECURITY-HOLE
> or just
> nrpe-GAPING-SECURITY-HOLE

That's probably excessive; if you set that USE flag globally, you
deserve what you get.

And if you are responsible and you know what you're getting, then you
should be allowed to do that (even though I struggle to understand why).

For everything else there is /etc/portage/package.use.

Or maybe it could be a required-use:

REQUIRED_USE="nrpe? ( GAPING_SECURITY_HOLE )"

Alternatively, you could have a pkg_pretend like:

pkg_pretend() {
   # GAPING_SECURITY_HOLE is a hypothetical make.conf variable holding a
   # whitespace-separated list of package atoms the admin has opted in to;
   # 'has' checks whether this package is in that list (left unquoted so
   # the list word-splits into separate items).
   if use nrpe && ! has "${CATEGORY}/${PN}" ${GAPING_SECURITY_HOLE}; then
     einfo "nrpe feature introduces a security risk where in blah blah"
     einfo "     blah, please read https://wiki.gentoo.org/etc/etc for"
     einfo "     details and how to enable this"
     die "Security Hole Not Permitted"
   fi
}

But I say that only because current REQUIRED_USE feature makes it nigh
impossible to understand from a human perspective what that assertion
means.




* [gentoo-dev] Re: Guidelines for dangerous USE flags
  2017-08-29  9:21     ` Kent Fredric
@ 2017-08-29 10:21       ` Duncan
  0 siblings, 0 replies; 8+ messages in thread
From: Duncan @ 2017-08-29 10:21 UTC (permalink / raw)
  To: gentoo-dev

Kent Fredric posted on Tue, 29 Aug 2017 21:21:09 +1200 as excerpted:

> On Thu, 24 Aug 2017 03:06:13 +0000 (UTC)
> Duncan <1i5t5.duncan@cox.net> wrote:
> 
>> nrpe-command-args-SECURITY-HOLE or just nrpe-GAPING-SECURITY-HOLE
> 
> That's probably excessive, if you set that USE flag globally, you
> deserve what you get.
> 
> And if you are responsible and you know what you're getting, then you
> should be allowed to do that ( even though I struggle to understand why
> )

Good point.

(And the global-use "why" might conceivably be creating a deliberate 
multiple-vulnerability distro for people to test their exploit abilities 
and techniques on, like the one I remember reading about awhile back.  
Unfortunately IDR the name, but someone will likely reply with it...)

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman



