* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
       [not found] ` <bcnpk-3XO-13@gated-at.bofh.it>
@ 2008-09-15 16:01 ` Vaeth
  0 siblings, 0 replies; 35+ messages in thread
From: Vaeth @ 2008-09-15 16:01 UTC
To: gentoo-user

On Mon, 15 Sep 2008, Michael Sullivan wrote:

> On Mon, 2008-09-15 at 16:17 +0200, Alan McKinnon wrote:
> > On Monday 15 September 2008 16:09:42 Michael Sullivan wrote:
> > > Is there a way to do this? The problem with my
> > > theories on how to do this fall apart when I get to the part where a
> > > password has to be entered for rsync/scp.
> >
> > ssh keys. [...]
> Create ssh keys without passphrases? That's not recommended...

It depends: If you use these keys for nothing else than to login to
your "server" machine (to fetch the portage tree) (and of course if
you keep the key readable only for the cron-job on the client) then
the only risk you have is: If the client (or the user for the cron-job)
gets compromised then also the server might get compromised/spied to
some extent (depending on which permissions the server allows to the
account which you use for syncing, i.e. which is accepting the
corresponding ssh key).
But this risk is always there, no matter which approach you choose...

An alternative - if you really just want to use keys with a
passphrase - is to use net-misc/keychain. Of course, this means that
you have to (manually) enter the passphrase at least once after booting
or otherwise your cron-job will fail.

> > and if you use eix to run update-eix afterward

I would even recommend to use eix-sync to do all in the correct order:
Call it on the client side with option "-s user@server[:dir]"
(or put the line with this option into /etc/eix-sync.conf if you want
to use this option practically always); this supports even keychain:
Put e.g. the line
~keychain --quiet ~/.ssh/id_rsa ; cat ~/.keychain/"$(hostname)-sh"
into /etc/eix-sync.conf; see the eix manpage and eix-sync -h for details).

An alternative might be to use option "-2 ..." on the server side, but
this supports currently _one_ client and requires that eix-sync -u
(or at least update-eix) is called afterwards on the client side.
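
The message above ties the risk of a passphrase-less key to what the server lets the sync account do with it. As an added example (not part of the thread, and not code from any poster), the script below audits an authorized_keys file on the server and flags entries that are not pinned to a forced command with pty and forwarding disabled. The key blobs, client names, the rrsync path and /usr/portage are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit the sync account's authorized_keys.
# Key blobs, client names, the rrsync path and /usr/portage are constructed.

# write_sample_keys FILE: write a constructed authorized_keys file for the demo.
write_sample_keys() {
    cat > "$1" <<'EOF'
# constructed sample entries, not real keys
ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_1 cron@client1
command="/usr/bin/rrsync -ro /usr/portage",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_CONSTRUCTED_2 cron@client2
command="/usr/bin/rrsync -ro /usr/portage" ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_3 cron@client3
no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2E_CONSTRUCTED_4 cron@client4
EOF
}

# audit_authorized_keys FILE
# Prints "line=N status=OK|WEAK|UNPARSED reason=... key=<last field>" per entry.
# Returns 0 only if every entry is pinned to a forced command with pty and
# forwarding disabled; returns 1 otherwise.
audit_authorized_keys() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
    {
        # The options field is everything before the key type. Every OpenSSH
        # public key blob starts with "AAAA", which anchors the match.
        if (!match($0, /(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9]+|sk-[a-z0-9@.-]+) AAAA/)) {
            printf "line=%d status=UNPARSED reason=no-key-type key=-\n", NR
            bad = 1
            next
        }
        opts = tolower(substr($0, 1, RSTART - 1))
        # Blank out quoted values so text inside command="..." is not taken
        # for an option name (escaped quotes in values are not handled).
        gsub(/"[^"]*"/, "\"\"", opts)
        sub(/^[ \t]+/, "", opts)
        sub(/[ \t]+$/, "", opts)
        list = "," opts ","

        # forced: the key can only run one fixed command.
        # locked: pty and all forwarding are off (options that re-enable a
        # feature after "restrict", such as "pty", are not checked here).
        forced = index(list, ",command=\"\",") > 0
        locked = index(list, ",restrict,") > 0 ||
                 (index(list, ",no-pty,") > 0 &&
                  index(list, ",no-port-forwarding,") > 0 &&
                  index(list, ",no-agent-forwarding,") > 0 &&
                  index(list, ",no-x11-forwarding,") > 0)

        if (opts == "")   { status = "WEAK"; reason = "no-options" }
        else if (!forced) { status = "WEAK"; reason = "no-forced-command" }
        else if (!locked) { status = "WEAK"; reason = "forwarding-or-pty-allowed" }
        else              { status = "OK";   reason = "forced-command-and-restricted" }

        if (status != "OK") bad = 1
        printf "line=%d status=%s reason=%s key=%s\n", NR, status, reason, $NF
    }
    END { exit bad + 0 }
    ' "$1"
}

# Demo run on the constructed sample.
sample=$(mktemp)
write_sample_keys "$sample"
audit_authorized_keys "$sample" || echo "some keys allow more than the sync job needs"
rm -f "$sample"
```

Only the second sample entry passes: it can run nothing but a read-only rsync of the tree, so a stolen client key exposes the portage tree and nothing else on the server.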
[parent not found: <bcCxX-7bd-9@gated-at.bofh.it>]
* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
       [not found] ` <bcCxX-7bd-9@gated-at.bofh.it>
@ 2008-09-16  7:29 ` Vaeth
  2008-09-16 10:16   ` Neil Bothwick
  0 siblings, 1 reply; 35+ messages in thread
From: Vaeth @ 2008-09-16 7:29 UTC
To: gentoo-user

> > What's wrong with running an rsync
> > server with a suitable "host allow" in the config? That would allow local
> > connections only without the need for passwords or keys.
>
> That is indeed the preferred way

It is much more dangerous than the ssh approach: It is not so hard to
fake an IP (unless your local net is physically separated) but it is
close to impossible to fake an ssh key without compromising the machine
holding it.
* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
  2008-09-16  7:29 ` Vaeth
@ 2008-09-16 10:16   ` Neil Bothwick
  2008-09-16 10:49     ` Etaoin Shrdlu
  0 siblings, 1 reply; 35+ messages in thread
From: Neil Bothwick @ 2008-09-16 10:16 UTC
To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 21774 bytes --]

On Tue, 16 Sep 2008 09:29:59 +0200 (CEST), Vaeth wrote:

> > > What's wrong with running an rsync
> > > server with a suitable "host allow" in the config? That would allow
> > > local connections only without the need for passwords or keys.
> >
> > That is indeed the preferred way
>
> It is much more dangerous than the ssh approach: It is not so hard to
> fake an IP (unless your local net is physically separated) but it is
> close to impossible to fake an ssh key without compromising the machine
> holding it.

Leaving aside the difficulties of faking a LAN IP from the public side of
the router, or even the fact that the router may have the rsync ports
closed, what is so secret about the contents of the portage tree?

-- 
Neil Bothwick

Feminism: the radical notion that women are people.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 197 bytes --]
* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
  2008-09-16 10:16 ` Neil Bothwick
@ 2008-09-16 10:49   ` Etaoin Shrdlu
  2008-09-16 11:49     ` Iain Buchanan
  0 siblings, 1 reply; 35+ messages in thread
From: Etaoin Shrdlu @ 2008-09-16 10:49 UTC
To: gentoo-user

On Tuesday 16 September 2008, 12:16, Neil Bothwick wrote:

[snip]

Uhm...something bad probably happened while the signature was appended to
the message :-)
* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
  2008-09-16 10:49 ` Etaoin Shrdlu
@ 2008-09-16 11:49   ` Iain Buchanan
  2008-09-16 13:21     ` Neil Bothwick
  0 siblings, 1 reply; 35+ messages in thread
From: Iain Buchanan @ 2008-09-16 11:49 UTC
To: gentoo-user

Etaoin Shrdlu wrote:
> On Tuesday 16 September 2008, 12:16, Neil Bothwick wrote:
>
> [snip]
>
> Uhm...something bad probably happened while the signature was appended to
> the message :-)
>

probably missed a few delimiters there in his home-spun fortune file!

Hey Neil, you didn't come up with all those attributed to you, did you?

-- 
Iain Buchanan <iaindb at netspace dot net dot au>

"We ought to make the pie higher."

George W. Bush
February 15, 2000
Comment made in Columbia, South Carolina during presidential campaign.
* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
  2008-09-16 11:49 ` Iain Buchanan
@ 2008-09-16 13:21   ` Neil Bothwick
  0 siblings, 0 replies; 35+ messages in thread
From: Neil Bothwick @ 2008-09-16 13:21 UTC
To: gentoo-user

[-- Attachment #1: Type: text/plain, Size: 620 bytes --]

On Tue, 16 Sep 2008 21:19:44 +0930, Iain Buchanan wrote:

> > Uhm...something bad probably happened while the signature was
> > appended to the message :-)
> >
>
> probably missed a few delimiters there in his home-spun fortune file!

Except I haven't changed the file lately. Either my tagline file is
corrupted or a recent update has broken signify. This has happened a few
times recently, but I didn't catch this one.

> Hey Neil, you didn't come up with all those attributed to you, did you?

Of course I did! ;-)

-- 
Neil Bothwick

Ifyoucanreadthis,youspendtoomuchtimefiguringouttaglines.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 197 bytes --]
[parent not found: <bd1wE-5T7-9@gated-at.bofh.it>]
* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
       [not found] ` <bd1wE-5T7-9@gated-at.bofh.it>
@ 2008-09-17 16:27 ` Vaeth
  2008-09-17 16:46   ` kashani
  0 siblings, 1 reply; 35+ messages in thread
From: Vaeth @ 2008-09-17 16:27 UTC
To: gentoo-user

> Could you please use a mail client which insert correctly the fields
> "In-Reply-To" and "Reference" ?

Thanks for the hint, I was not aware of this. But unfortunately, it
appears that it is not just a question of the mail client:
I am subscribed to the list as post-only (for several reasons which I do
not want to discuss now) and I am actually reading/replying the
usenet copy linux.gentoo.user of this list.
If you know how I could find out (and use with pine) the correct data
in this way, I would be glad to do so, but I am afraid it is impossible.

However, due to lack of time this will probably anyway be the last
falsely referencing posting for quite a while: my frequent postings in
the previous days were really a big exception.
* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
  2008-09-17 16:27 ` Vaeth
@ 2008-09-17 16:46   ` kashani
  2008-09-17 18:59     ` Volker Armin Hemmann
  0 siblings, 1 reply; 35+ messages in thread
From: kashani @ 2008-09-17 16:46 UTC
To: gentoo-user

Vaeth wrote:
>> Could you please use a mail client which insert correctly the fields
>> "In-Reply-To" and "Reference" ?
>
> Thanks for the hint, I was not aware of this. But unfortunately, it
> appears that it is not just a question of the mail client:
> I am subscribed to the list as post-only (for several reasons which I do
> not want to discuss now) and I am actually reading/replying the
> usenet copy linux.gentoo.user of this list.
> If you know how I could find out (and use with pine) the correct data
> in this way, I would be glad to do so, but I am afraid it is impossible.
>
> However, due to lack of time this will probably anyway be the last
> falsely referencing posting for quite a while: my frequent postings in
> the previous days were really a big exception.
>

Trying to follow the thirty odd threads your client is creating when
there should be only one is really really annoying.

And you're completely wrong about NAT routers, but damned if I can find
the actual parts of the thread I want to respond to.

kashani
* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
  2008-09-17 16:46 ` kashani
@ 2008-09-17 18:59   ` Volker Armin Hemmann
  2008-09-19 13:58     ` Alex Schuster
  0 siblings, 1 reply; 35+ messages in thread
From: Volker Armin Hemmann @ 2008-09-17 18:59 UTC
To: gentoo-user

On Wednesday 17 September 2008, kashani wrote:
> Vaeth wrote:
> >> Could you please use a mail client which insert correctly the fields
> >> "In-Reply-To" and "Reference" ?
> >
> > Thanks for the hint, I was not aware of this. But unfortunately, it
> > appears that it is not just a question of the mail client:
> > I am subscribed to the list as post-only (for several reasons which I do
> > not want to discuss now) and I am actually reading/replying the
> > usenet copy linux.gentoo.user of this list.
> > If you know how I could find out (and use with pine) the correct data
> > in this way, I would be glad to do so, but I am afraid it is impossible.
> >
> > However, due to lack of time this will probably anyway be the last
> > falsely referencing posting for quite a while: my frequent postings in
> > the previous days were really a big exception.
>
> Trying to follow the thirty odd threads your client is creating when
> there should be only one is really really annoying.
>
> And you're completely wrong about NAT routers, but damned if I can find
> the actual parts of the thread I want to respond to.
>
> kashani

there is no problem with his posts in kmail.
* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Alex Schuster @ 2008-09-19 13:58 UTC
To: gentoo-user

Volker Armin Hemmann writes:

> On Wednesday 17 September 2008, kashani wrote:
> > Vaeth wrote:
> > >> Could you please use a mail client which inserts correctly the
> > >> fields "In-Reply-To" and "Reference" ?
> > >
> > > Thanks for the hint, I was not aware of this. But unfortunately, it
> > > appears that it is not just a question of the mail client:
> > > I am subscribed to the list as post-only (for several reasons which
> > > I do not want to discuss now) and I am actually reading/replying to
> > > the usenet copy linux.gentoo.user of this list.
> > > If you know how I could find out (and use with pine) the correct
> > > data in this way, I would be glad to do so, but I am afraid it is
> > > impossible.
[...]
> > Trying to follow the thirty odd threads your client is creating when
> > there should be only one is really really annoying.
> >
> > And you're completely wrong about NAT routers, but damned if I can
> > find the actual parts of the thread I want to respond to.
> >
> > kashani
>
> there is no problem with his posts in kmail.

Hmm, I have about seven threads started by him with "Re: [gentoo-user] Is
there a way...". The other of his responses, which do not start a new
thread, have his own posts as reference, not the one he is actually
replying to.

All references look like <bcMnF-3fg-13@gated-at.bofh.it>, seems like the
mail-to-usenet gateway changes them. Couldn't he just reply with his usenet
client, and the gateway would convert things back so it shows up correctly
on the list?

I agree it's a little annoying, but as long as it's just him and only
occasionally, I don't mind.

	Wonko

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Vaeth @ 2008-09-17 8:40 UTC
To: gentoo-user

Matthias Bethke wrote:

> > > I'd say the vast majority of chroot jails are there for nothing
> > > else but security.
> >
> > Alan Cox: "chroot is not and never has been a security tool", see e.g.
> > http://kerneltrap.org/Linux/Abusing_chroot
>
> No disrespect to Mr. Cox but a silly argument stays a silly argument
> even if brought forward by Alan. Programs like postfix certainly don't
> use chroots for security because they were designed by noobs or incompetent
> people.

I did not cite the webpage because of the insults but because it shows
how much the kernel programmers are interested in closing possible ways
to break out of a chroot: not at all, because they think it is ok.
That's why I said that _only_ with grsecurity a chroot _might perhaps_
be considered as a serious security measurement (but in fact, people
which really need chroot to run binaries from two systems cannot activate
these security enhancements).

> Alan acknowledges that "Normal users cannot use chroot()
> themselves so they can't use chroot to get back out"

Yes, _this_ method of breaking out does not work without additional
exploits like privilege escalation. (grsecurity closes a lot more methods;
I did never research which tricks might perhaps work as a user).
But if everything works as it should, just running with low privileges
does not make much of a difference than running with low privileges in
a chroot: In any case you should only have access to those data which
the privileges allow.
(Admittedly there is a _slight_ increase in security: You might now be
safe of ways of privilege escalation by bugs in certain SUID-programs).

> That's not to say that setting up a vserver for each of
> your programs exposed to the net wasn't *more* secure than a chroot

That's a different topic, but a vserver might also even be more
dangerous than doing nothing, because it has to be implemented (of course)
with the highest available privileges, and so you have an additional
risk of bugs (i.e. possible exploits) of the vserver - and in such a
case the attacker has immediately the highest privileges.

> but it's certainly a whole lot more secure if used
> properly than not doing it at all.

...as is the usage of NAT as a "security feature".
Of course, saying that using NAT or using chroot would not increase
security at all would be a lie. But it is better to emphasize the
dangers than to support the common misbelief (as Alan already pointed
out) that by using it there is no risk that "closed" ports can come
through or that no other data than those in the chroot can be accessed.

Remember the starting point of the discussion: The statement "rsyncd uses
chroot, so an attacker can do nothing bad" is just false.

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Nicolas Sebrecht @ 2008-09-17 9:22 UTC
To: gentoo-user

<snip>

Could you please use a mail client which inserts correctly the fields
"In-Reply-To" and "Reference" ?

--
Nicolas Sebrecht

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Matthias Bethke @ 2008-09-18 11:20 UTC
To: gentoo-user

Hi Vaeth,
on Wed, Sep 17, 2008 at 10:40:47AM +0200, you wrote:
> > > Alan Cox: "chroot is not and never has been a security tool", see e.g.
> > > http://kerneltrap.org/Linux/Abusing_chroot
> >
> > No disrespect to Mr. Cox but a silly argument stays a silly argument
> > even if brought forward by Alan. Programs like postfix certainly don't
> > use chroots for security because they were designed by noobs or incompetent
> > people.
>
> I did not cite the webpage because of the insults but because it shows
> how much the kernel programmers are interested in closing possible ways
> to break out of a chroot

as root

> : not at all, because they think it is ok.
> That's why I said that _only_ with grsecurity a chroot _might perhaps_
> be considered as a serious security measurement (but in fact, people
> which really need chroot to run binaries from two systems cannot activate
> these security enhancements).

Sure, you can't expect that the Debian-loving friend you gave root on
your Debian-chrooted-on-Gentoo system will stay confined to that chroot.
Big deal, just don't do it. That's not what any sane person would
recommend chroot for anyway.

> > Alan acknowledges that "Normal users cannot use chroot()
> > themselves so they can't use chroot to get back out"
>
> Yes, _this_ method of breaking out does not work without additional
> exploits like privilege escalation. (grsecurity closes a lot more methods;
> I did never research which tricks might perhaps work as a user).
> But if everything works as it should, just running with low privileges
> does not make much of a difference than running with low privileges in
> a chroot: In any case you should only have access to those data which
> the privileges allow.

...which is usually pretty much everything in the bin directories, a lot
of stuff in /etc, and most importantly a shell. In a non-chrooted
program, an attacker who can exploit a bug can simply bind /bin/sh to a
port, run netcat, even use your compiler to prepare the next steps for
perhaps a local privilege escalation. In a chroot, nothing of the sort
is possible, you're limited to what you can do in your injected code.

> (Admittedly there is a _slight_ increase in security: You might now be
> safe of ways of privilege escalation by bugs in certain
> SUID-programs).

...plus safe from most information disclosure that would otherwise be
possible.

> > That's not to say that setting up a vserver for each of
> > your programs exposed to the net wasn't *more* secure than a chroot
>
> That's a different topic, but a vserver might also even be more
> dangerous than doing nothing, because it has to be implemented (of course)
> with the highest available privileges, and so you have an additional
> risk of bugs (i.e. possible exploits) of the vserver - and in such a
> case the attacker has immediately the highest privileges.

That's true, I just mentioned it because that's what Alan mentioned as
the true security tool.

> > but it's certainly a whole lot more secure if used
> > properly than not doing it at all.
>
> ...as is the usage of NAT as a "security feature".
> Of course, saying that using NAT or using chroot would not increase
> security at all would be a lie. But it is better to emphasize the
> dangers than to support the common misbelief (as Alan already pointed
> out) that by using it there is no risk that "closed" ports can come
> through or that no other data than those in the chroot can be accessed.

Alan would probably emphasize the dangers of a seat belt and say
competent people used it only to keep their shopping bags from falling
over and not as a security tool because if you don't use it the
recommended way you can strangle yourself with it =^>

> Remember the starting point of the discussion: The statement "rsyncd uses
> chroot, so an attacker can do nothing bad" is just false.

Except that statement wasn't Neil's. To quote it correctly:

| In addition, the default rsyncd configuration with Gentoo uses a chroot
| jail. So even if you do allow connections to your portage tree, they
| won't be able to access anything else.

To summarize: for an attacker to be able to compromise a chrooted rsyncd
behind a NATting DSL router:

a) your ISP has to have a router configuration b0rked beyond belief
b) the attacker has to be aware of that and be able to distinguish
   between your traffic and that of several hundred others that will
   respond to his packets to 192.168.x.x
c) your router has to have a serious security hole
d) rsyncd has to be exploitable
e) your kernel needs to have a local privilege escalation bug

Now if that risk is worth the more complicated configuration using rsync
over ssh, I'm really not sure...I think I'd rather spend the time on
folding tin foil hats for the upcoming attack from Mars ;)

cheers,
	Matthias

--
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Vaeth @ 2008-09-16 18:36 UTC
To: gentoo-user

Matthias Bethke wrote:

> Hi Vaeth,
[...]
> >
> > Also a chroot jail is not a security feature: There are several
> > ways known how to break out.
>
> [...] But there's only one reason I can see why you'd use a
> chroot environment *except* for security and that's to have more than
> one set of system binaries active at the same time for different
> applications.

Or simply several systems (e.g. amd64 and x86, or gentoo and debian,
or your boot disk and your newly installed system [the install handbook
makes massive use of chroot]). This is exactly what chroot was made for.

> I'd say the vast majority of chroot jails are there for nothing
> else but security.

Alan Cox: "chroot is not and never has been a security tool", see e.g.
http://kerneltrap.org/Linux/Abusing_chroot

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Matthias Bethke @ 2008-09-16 22:51 UTC
To: gentoo-user

Hi Vaeth,
on Tue, Sep 16, 2008 at 08:36:28PM +0200, you wrote:
> > > Also a chroot jail is not a security feature: There are several
> > > ways known how to break out.
> >
> > [...] But there's only one reason I can see why you'd use a
> > chroot environment *except* for security and that's to have more than
> > one set of system binaries active at the same time for different
> > applications.
>
> Or simply several systems (e.g. amd64 and x86, or gentoo and debian,
> or your boot disk and your newly installed system [the install handbook
> makes massive use of chroot]). This is exactly what chroot was made for.

Sure, that's why I kept it as general as "more than one set", be it a
different architecture/vendor/purpose/whatever.

> > I'd say the vast majority of chroot jails are there for nothing
> > else but security.
>
> Alan Cox: "chroot is not and never has been a security tool", see e.g.
> http://kerneltrap.org/Linux/Abusing_chroot

No disrespect to Mr. Cox but a silly argument stays a silly argument
even if brought forward by Alan. Programs like postfix certainly don't
use chroots for security because they were designed by noobs or incompetent
people. Alan acknowledges that "Normal users cannot use chroot()
themselves so they can't use chroot to get back out" but insists on his
point, completely ignoring that doing a chroot() immediately followed by
dropping your root privileges is exactly the recommended way to use it
for security. That's not to say that setting up a vserver for each of
your programs exposed to the net wasn't *more* secure than a chroot if
you want to do it but it's certainly a whole lot more secure if used
properly than not doing it at all.

cheers,
	Matthias

--
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665

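The pattern named in the message above (a chroot() immediately followed by dropping root privileges), written out in C as an added example; it is not code from the thread, from postfix or from rsync. The function names, the result codes, the jail path /var/empty and the uid/gid 65534 are assumptions made for this illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE           /* glibc: declare chroot() and setgroups() */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes (this example's own names). Small and non-negative so they
 * survive a trip through a child's exit status. */
enum confine_result {
    CONFINE_OK = 0,
    CONFINE_E_ROOTID,      /* refused: target uid or gid is 0 */
    CONFINE_E_CHROOT,      /* chroot() failed: not root, or bad jail path */
    CONFINE_E_CHDIR,       /* could not move the cwd inside the new root */
    CONFINE_E_SETGROUPS,   /* supplementary groups could not be cleared */
    CONFINE_E_SETGID,
    CONFINE_E_SETUID,
    CONFINE_E_REGAIN,      /* the privilege drop did not stick */
    CONFINE_E_CHILD        /* fork/wait failed or the child died abnormally */
};

static const char *const confine_text[] = {
    "confined", "refusing uid/gid 0", "chroot failed", "chdir failed",
    "setgroups failed", "setgid failed", "setuid failed",
    "root could be regained", "child failed"
};

/* chroot into `jail`, then irreversibly become uid:gid. Every return value is
 * checked: a silently failed drop leaves a root process inside the jail, which
 * is the case the thread agrees chroot does not contain. */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)            /* "dropping" to root drops nothing */
        return CONFINE_E_ROOTID;
    if (chroot(jail) != 0)
        return CONFINE_E_CHROOT;
    if (chdir("/") != 0)                 /* cwd must not stay outside the jail */
        return CONFINE_E_CHDIR;
    /* Order matters: groups, then gid, then uid. Once the uid is gone the
     * process no longer has the right to change its groups. */
    if (setgroups(0, NULL) != 0)
        return CONFINE_E_SETGROUPS;
    if (setgid(gid) != 0)
        return CONFINE_E_SETGID;
    if (setuid(uid) != 0)
        return CONFINE_E_SETUID;
    /* Verify instead of trusting: root must now be out of reach. */
    if (setuid(0) == 0 || setgid(0) == 0 ||
        geteuid() != uid || getegid() != gid)
        return CONFINE_E_REGAIN;
    return CONFINE_OK;
}

/* Run confine() in a forked child so the caller's own credentials and root
 * directory stay untouched; returns the child's confine_result. */
int confine_in_child(const char *jail, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return CONFINE_E_CHILD;
    if (pid == 0)
        _exit(confine(jail, uid, gid));
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return CONFINE_E_CHILD;
    if (WEXITSTATUS(status) > CONFINE_E_CHILD)
        return CONFINE_E_CHILD;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    /* Assumed defaults: an empty jail directory and the "nobody" ids. */
    const char *jail = argc > 1 ? argv[1] : "/var/empty";
    int r = confine_in_child(jail, 65534, 65534);

    printf("confine(%s): %s\n", jail, confine_text[r]);
    return r;
}
```

Run as an ordinary user it reports "chroot failed", since only root may call chroot(); a real daemon would also open any files and sockets it needs from outside the jail before calling confine().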
* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Vaeth @ 2008-09-17 7:49 UTC
To: gentoo-user

On Tue, 16 Sep 2008, Matthias Bethke wrote:

> [...] that in any halfway sane router these NAT problems are not an
> issue. And with many routers running Linux today so you can even get a
> shell and check iptables... :)

We are obviously talking about a different price category of routers.
Most routers people use here in Germany for home systems are from their
ISP, and they are usually proprietary implementations where you cannot
do much more than to configure them by web interface with the enclosed
windows software (if you can decide which ports go through you already
have an "advanced" router). Unless by experimenting it is close to
impossible to decide what the router really does or does not.
I wouldn't trust them as far as I can throw a stone.

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Matthias Bethke @ 2008-09-18 10:34 UTC
To: gentoo-user

Hi Vaeth,
on Wed, Sep 17, 2008 at 09:49:08AM +0200, you wrote:
> > [...] that in any halfway sane router these NAT problems are not an
> > issue. And with many routers running Linux today so you can even get a
> > shell and check iptables... :)
>
> We are obviously talking about a different price category of routers.
> Most routers people use here in Germany for home systems are from their
> ISP, and they are usually proprietary implementations [...]

Huh? I don't have a good overview of the market here but the ISP I work
at uses only FritzBox routers which run a fine Linux, and as far as I
know so do most of T-Com's Speedport models which should be the most
widely used in Germany. Not that it was significantly cheaper than a
FritzBox or a WRT54...

cheers,
	Matthias

--
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Heiko Wundram @ 2008-09-18 10:47 UTC
To: gentoo-user

On Thursday 18 September 2008 12:34:17, Matthias Bethke wrote:
> Hi Vaeth,
>
> on Wed, Sep 17, 2008 at 09:49:08AM +0200, you wrote:
> > > [...] that in any halfway sane router these NAT problems are not an
> > > issue. And with many routers running Linux today so you can even get a
> > > shell and check iptables... :)
> >
> > We are obviously talking about a different price category of routers.
> > Most routers people use here in Germany for home systems are from their
> > ISP, and they are usually proprietary implementations [...]
>
> Huh? I don't have a good overview of the market here but the ISP I work
> at uses only FritzBox routers which run a fine Linux, and as far as I
> know so do most of T-Com's Speedport models...

Most of the T-Com Speedports (except for the very old ones, which come
from Siemens) are just rebranded FritzBoxen (with some functionality
removed/patched), so they also run a(n ARM-)Linux, and are even more or
less firmware compatible with the FritzBox firmwares (I reflashed a
Speedport 500 [?? IIRC] once with a FritzBox firmware to get proper VoIP
support).

Just FYI.

--
Heiko Wundram

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Vaeth @ 2008-09-16 17:14 UTC
To: gentoo-user

Neil Bothwick wrote:

> On Tue, 16 Sep 2008 17:29:16 +0200 (CEST), Vaeth wrote:
>
> > > If you are using NAT on the router, you have to explicitly forward
> > > that port somewhere for it to work. [...]
> >
> > Except that this is not completely true [...]
>
> "So the router maintains a database of current connections

This is not true for a standard NAT router. Only special routers with
additional functionality can do this.
Not to mention that occasionally also bugs in the implementations
of such routers are found (e.g. using DOS to attempt a database
overflow is an attack which comes to mind in the "generic" case).
In any case, it depends on how much you can trust the router, while
if the port is not open on your machine you do not have such a risk
at all. So why take an unnecessary risk?

> In addition, the default rsyncd configuration with Gentoo uses a chroot
> jail.

Also a chroot jail is not a security feature: There are several ways known
how to break out. Well, if you use grsecurity (hardened-sources), at least
the most gaping security holes are closed in this respect, but also this
is no guarantee and can hinder you when you have other uses for chroot.
Not to speak that rsyncd introduces additional code anyway, which might
also be vulnerable in an unexpected manner (e.g. in connection with a
kernel bug or who-knows-what).

> After all, isn't that exactly how Gentoo mirrors work?

If you offer something on the net you have certainly an increased
risk that the corresponding machine is compromised - every mirror
administrator is aware of this (or at least he should be so).
But there is no reason to take any such sort of risk in a network which
is not supposed to offer services to other people.

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Matthias Bethke @ 2008-09-16 17:29 UTC
To: gentoo-user

Hi Vaeth,
on Tue, Sep 16, 2008 at 07:14:48PM +0200, you wrote:
> > In addition, the default rsyncd configuration with Gentoo uses a chroot
> > jail.
>
> Also a chroot jail is not a security feature: There are several ways known
> how to break out.

Huh? In the case of NAT it's reasonable to say it's not a security
feature---it's a kludge that happens to increase security somewhat in
the standard case. But there's only one reason I can see why you'd use a
chroot environment *except* for security and that's to have more than
one set of system binaries active at the same time for different
applications. Which is normally a pretty bad kludge in itself (not that
I hadn't done it, to avoid endless library woes on a Debian system that
absolutely must be kept on Woody... :-S), I'd say the vast majority of
chroot jails are there for nothing else but security.

cheers,
	Matthias

--
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Alan McKinnon @ 2008-09-16 19:07 UTC
To: gentoo-user

On Tuesday 16 September 2008 19:29:21 Matthias Bethke wrote:
> I'd say the vast majority of
> chroot jails are there for nothing else but security.

Replace "security" with "warm fuzzy feeling of apparent security that
actually doesn't exist" and you're close to the mark. The sole positive of
using chroot like this is that (like NAT) it does happen to give a marginal
increase in security at reasonably low cost.

There are much better solutions with real security benefits: vservers, BSD
jails, etc, etc.

This is not directed at you, I just seem to spend way too much time these
days dispelling persistent myths that have taken hold in people's minds but
have no real basis in fact

--
alan dot mckinnon at gmail dot com

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Vaeth @ 2008-09-16 17:54 UTC
To: gentoo-user

On Tue, 16 Sep 2008, Matthias Bethke wrote:

> I don't even see why you'd strictly need connection tracking to avoid
> attacks made possible by grossly misconfigured ISP routers. Your router
> knows that packets with a destination address of 10/8, 192.168/16 and
> the like have absolutely no business on the public internet so the only
> sensible behavior would be to just drop them.

This also requires a special kind of router: Namely one which has a
physical way of distinguishing between the "dangerous" connection to
the net and your local network (if they are dynamic, this can also
sometimes be tricked). Of course, combined router/modems have this
separation practically "by definition".

However, in any case it requires that the functionality you mention is
implemented on the router and has no bugs and that the router cannot
be compromised by other means.

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Matthias Bethke @ 2008-09-16 19:17 UTC
To: gentoo-user

Hi Vaeth,
on Tue, Sep 16, 2008 at 07:54:43PM +0200, you wrote:
> > I don't even see why you'd strictly need connection tracking to avoid
> > attacks made possible by grossly misconfigured ISP routers. Your router
> > knows that packets with a destination address of 10/8, 192.168/16 and
> > the like have absolutely no business on the public internet so the only
> > sensible behavior would be to just drop them.
>
> This also requires a special kind of router: Namely one which has a
> physical way of distinguishing between the "dangerous" connection to
> the net and your local network (if they are dynamic, this can also
> sometimes be tricked). Of course, combined router/modems have this
> separation practically "by definition".

I can only recall one router where this wasn't the case, my first weird
and wonderful DSL line in the Philippines :D
Normally, why bother routing if you can just physically connect the two
networks and have their traffic intermix?

> However, in any case it requires that the functionality you mention is
> implemented on the router and has no bugs and that the router cannot
> be compromised by other means.

Sure, if your router is compromised you're fuxx0red anyway. I was just
saying that in any halfway sane router these NAT problems are not an
issue. And with many routers running Linux today so you can even get a
shell and check iptables... :)

cheers,
	Matthias

--
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Vaeth @ 2008-09-16 15:29 UTC
To: gentoo-user

On Tue, 16 Sep 2008, Neil Bothwick wrote:

> On Tue, 16 Sep 2008 13:49:36 +0200 (CEST), Vaeth wrote:
>
> > It is always better to have a port not open than to rely on a router
> > to "close" it apparently.
>
> If you are using NAT on the router, you have to explicitly forward that
> port somewhere for it to work. [...]

Except that this is not completely true: See some of the many articles
in the net which explain why NAT is not a security feature. A quick
google search gave e.g.
http://www.nexusuk.org/articles/2005/03/12/nat_security/

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Neil Bothwick @ 2008-09-16 15:59 UTC
To: gentoo-user

On Tue, 16 Sep 2008 17:29:16 +0200 (CEST), Vaeth wrote:

> > If you are using NAT on the router, you have to explicitly forward
> > that port somewhere for it to work. [...]
>
> Except that this is not completely true: See some of the many articles
> in the net which explain why NAT is not a security feature. A quick
> google search gave e.g.
> http://www.nexusuk.org/articles/2005/03/12/nat_security/
>

"So the router maintains a database of current connections so that traffic
is always allowed through for them, and you can tell it to filter all new
connections made from the internet whilst allowing all new connections
made from inside the local network. This means that no one can make a
connection from the internet to one of your workstations, even though
they can route to its address."

If the relevant ports are not forwarded in the router, this applies and
no one can make a new connection to your rsync server.

In addition, the default rsyncd configuration with Gentoo uses a chroot
jail. So even if you do allow connections to your portage tree, they
won't be able to access anything else.

After all, isn't that exactly how Gentoo mirrors work?

--
Neil Bothwick

There is absolutely no substitute for a genuine lack of preparation.

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Matthias Bethke @ 2008-09-16 17:18 UTC
To: gentoo-user

Hi Neil,
on Tue, Sep 16, 2008 at 04:59:39PM +0100, you wrote:
> > Except that this is not completely true: See some of the many articles
> > in the net which explain why NAT is not a security feature. A quick
> > google search gave e.g.
> > http://www.nexusuk.org/articles/2005/03/12/nat_security/
>
> "So the router maintains a database of current connections so that traffic
> is always allowed through for them, and you can tell it to filter all new
> connections made from the internet whilest allowing all new connections
> made from inside the local network. This means that noone can make a
> connection from the internet to one of your workstations, even though
> they can route to its address."
>
> If the relevant ports are not forwarded in the router, this applies and
> no one can make a new connection to your rsync server.

I don't even see why you'd strictly need connection tracking to avoid
attacks made possible by grossly misconfigured ISP routers. Your router
knows that packets with a destination address of 10/8, 192.168/16 and
the like have absolutely no business on the public internet so the only
sensible behavior would be to just drop them.

cheers,
Matthias

-- 
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Vaeth @ 2008-09-16 11:49 UTC
To: gentoo-user

Neil Bothwick wrote:
> On Tue, 16 Sep 2008 09:29:59 +0200 (CEST), Vaeth wrote:
>
> > > > What's wrong with running an rsync
> > > > server with a suitable "host allow" in the config? [...]
> > >
> > > That is indeed the preferred way
> >
> > It is much more dangerous than the ssh approach [...]
>
> Leaving aside the difficulties of faking a LAN IP from the public side
> of the router, or even the fact that the router may have the rsync ports
> closed, what is so secret about the contents of the portage tree?

It is always better to have a port not open than to rely on a router
to "close" it apparently. Moreover, who can guarantee you that the
portage tree is the only thing which is possible to see with a faked IP:
Every program might have vulnerabilities, so the less you provide to the
outside world (even if visible only through IP faking) the more secure
you are. Probably, sshd is needed anyway, so if possible this should be
the only thing potentially visible from the outside.

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Neil Bothwick @ 2008-09-16 13:24 UTC
To: gentoo-user

On Tue, 16 Sep 2008 13:49:36 +0200 (CEST), Vaeth wrote:

> > Leaving aside the difficulties of faking a LAN IP from the public side
> > of the router, or even the fact that the router may have the rsync
> > ports closed, what is so secret about the contents of the portage
> > tree?
>
> It is always better to have a port not open than to rely on a router
> to "close" it apparently.

If you are using NAT on the router, you have to explicitly forward that
port somewhere for it to work. I use an rsync server on my network, but
it is inaccessible from the Internet.

-- 
Neil Bothwick

Guns don't kill people--it's those little pieces of lead.

* [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Michael Sullivan @ 2008-09-15 14:09 UTC
To: gentoo-user

I've got three PCs. I want to only have to have one run emerge --sync,
but for the box running the emerge --sync to be able to rsync the tree
to the other two boxes automatically (like in the middle of the night
while I'm asleep). Is there a way to do this? The problem with my
theories on how to do this fall apart when I get to the part where a
password has to be entered for rsync/scp. I used to do this with NFS,
but the box that will be running emerge --sync has a history of locking
up if there is more than one semi-heavy process going on it at a time,
so I want each box to have its own copy of the tree. Is there a way to
do this?

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Alan McKinnon @ 2008-09-15 14:17 UTC
To: gentoo-user

On Monday 15 September 2008 16:09:42 Michael Sullivan wrote:
> Is there a way to do this? The problem with my
> theories on how to do this fall apart when I get to the part where a
> password has to be entered for rsync/scp.

ssh keys.

To avoid running more than one sync at a time, have the clients pull the tree
from the server in a cron spaced 30 minutes or an hour apart. Make sure you
pull the entire tree, and if you use eix to run update-eix afterwards on the
clients

-- 
alan dot mckinnon at gmail dot com

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Michael Sullivan @ 2008-09-15 14:31 UTC
To: gentoo-user

On Mon, 2008-09-15 at 16:17 +0200, Alan McKinnon wrote:
> On Monday 15 September 2008 16:09:42 Michael Sullivan wrote:
> > Is there a way to do this? The problem with my
> > theories on how to do this fall apart when I get to the part where a
> > password has to be entered for rsync/scp.
>
> ssh keys.
>
> To avoid running more than one sync at a time, have the clients pull the tree
> from the server in a cron spaced 30 minutes or an hour apart. Make sure you
> pull the entire tree, and if you use eix to run update-eix afterwards on the
> clients
>

Create ssh keys without passphrases? That's not recommended...

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Alan McKinnon @ 2008-09-15 14:41 UTC
To: gentoo-user

On Monday 15 September 2008 16:31:45 Michael Sullivan wrote:
> On Mon, 2008-09-15 at 16:17 +0200, Alan McKinnon wrote:
> > On Monday 15 September 2008 16:09:42 Michael Sullivan wrote:
> > > Is there a way to do this? The problem with my
> > > theories on how to do this fall apart when I get to the part where a
> > > password has to be entered for rsync/scp.
> >
> > ssh keys.
> >
> > To avoid running more than one sync at a time, have the clients pull the
> > tree from the server in a cron spaced 30 minutes or an hour apart. Make
> > sure you pull the entire tree, and if you use eix to run update-eix
> > afterwards on the clients
>
> Create ssh keys without passphrases? That's not recommended...

True, but it's infinitely better than a passwordless account. You did say that
you want an automated rsync/scp solution, that precludes setting up an rsync
server. I don't see that any other realistic options exist.

-- 
alan dot mckinnon at gmail dot com

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Neil Bothwick @ 2008-09-15 21:34 UTC
To: gentoo-user

On Mon, 15 Sep 2008 16:41:05 +0200, Alan McKinnon wrote:

> True, but it's infinitely better than a passwordless account. You did
> say that you want an automated rsync/scp solution, that precludes
> setting up an rsync server. I don't see that any other realistic
> options exist.

Why does it preclude an rsync server? What's wrong with running an rsync
server with a suitable "host allow" in the config? That would allow local
connections only without the need for passwords or keys.

-- 
Neil Bothwick

"Bad dog! Leave that wire alone.....click.....###@*##....NO TERRIER

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Alan McKinnon @ 2008-09-16 6:42 UTC
To: gentoo-user

On Monday 15 September 2008 23:34:43 Neil Bothwick wrote:
> On Mon, 15 Sep 2008 16:41:05 +0200, Alan McKinnon wrote:
> > True, but it's infinitely better than a passwordless account. You did
> > say that you want an automated rsync/scp solution, that precludes
> > setting up an rsync server. I don't see that any other realistic
> > options exist.
>
> Why does it preclude an rsync server?

No good technical reason. I inferred from the OP's original mail that he
wanted to use plain rsync or scp and his intention was not to set up an
rsync server.

> What's wrong with running an rsync
> server with a suitable "host allow" in the config? That would allow local
> connections only without the need for passwords or keys.

That is indeed the preferred way

-- 
alan dot mckinnon at gmail dot com

* Re: [gentoo-user] Is there a way to automate rsync of updated portage tree across multiple boxes without each having to pull it down from a gentoo mirror
From: Aniruddha @ 2008-09-15 14:54 UTC
To: gentoo-user

On Mon, 2008-09-15 at 09:09 -0500, Michael Sullivan wrote:
> I've got three PCs. I want to only have to have one run emerge --sync,
> but for the box running the emerge --sync to be able to rsync the tree
> to the other two boxes automatically (like in the middle of the night
> while I'm asleep). Is there a way to do this? The problem with my
> theories on how to do this fall apart when I get to the part where a
> password has to be entered for rsync/scp. I used to do this with NFS,
> but the box that will be running emerge --sync has a history of locking
> up if there is more than one semi-heavy process going on it at a time,
> so I want each box to have its own copy of the tree. Is there a way to
> do this?

Just set up two boxes to rsync to your primary "emerge --sync box" using
cron. See: http://www.gentoo.org/doc/en/rsync.xml

Regards,

Aniruddha

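Added example (not from any post in this thread, and not Gentoo's or rsync's own code): the rsync-daemon option debated above rests on three rsyncd.conf settings, a host restriction (spelled `hosts allow` in rsyncd.conf), the chroot jail, and read-only access, and this Python script audits a configuration for them. The sample configuration, its `scratch` module and the function names are constructed for illustration; a key that is absent is treated as enabled for `use chroot` and `read only`, which is an assumption of this example.

```python
"""Audit an rsyncd.conf for host restriction, chroot and read-only settings."""

TRUE_WORDS = {"yes", "true", "1"}

# Constructed sample: one module restricted to a LAN range, one left wide open.
SAMPLE_CONF = """\
# global section
uid = nobody
gid = nobody
use chroot = yes

[gentoo-portage]
path = /usr/portage
comment = local portage mirror
hosts allow = 192.168.0.0/24
read only = yes

[scratch]
path = /srv/scratch
use chroot = no
read only = no
"""

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}).

    Keys are lower-cased with whitespace removed ("hosts allow" -> "hostsallow").
    Simplification: backslash line continuations are not handled.
    """
    globals_, modules = {}, {}
    current = globals_
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        name, sep, value = line.partition("=")  # only the first "=" splits
        if sep:
            current["".join(name.split()).lower()] = value.strip()
    return globals_, modules

def audit(text):
    """Return {module: [findings]} for modules that rely on the network alone."""
    globals_, modules = parse_rsyncd_conf(text)
    report = {}
    for name, params in modules.items():
        eff = {**globals_, **params}  # module settings override global ones
        findings = []
        if not eff.get("hostsallow") and not eff.get("hostsdeny"):
            findings.append("no 'hosts allow'/'hosts deny': only the router limits who connects")
        if eff.get("usechroot", "yes").lower() not in TRUE_WORDS:
            findings.append("'use chroot' disabled: no jail around the module path")
        if eff.get("readonly", "yes").lower() not in TRUE_WORDS:
            findings.append("'read only' disabled: clients may upload")
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for module, findings in audit(SAMPLE_CONF).items():
        for finding in findings:
            print(f"[{module}] {finding}")
```

A module that passes this check is still reachable by every host inside the allowed range, so it complements rather than replaces keeping the port closed at the router.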