public inbox for gentoo-user@lists.gentoo.org
From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] User eix-sync permissions problem
Date: Tue, 11 Feb 2014 07:41:27 +0200	[thread overview]
Message-ID: <52F9B807.4070306@gmail.com> (raw)
In-Reply-To: <20140211012302.GA20423@waltdnes.org>

On 11/02/2014 03:23, Walter Dnes wrote:
> On Tue, Feb 11, 2014 at 12:28:43AM +0000, Kerin Millar wrote
>> On 10/02/2014 23:57, Walter Dnes wrote:
>>>
>>>    What's the point, if you still have to run as root (or su or sudo) for
>>> the emerge update process?
>>
>> It's the principle of least privilege. Is there any specific reason for 
>> portage to fork and exec rsync as root? Is rsync sandboxed? Should rsync 
>> have unfettered read/write access to all mounted filesystems? Can it be 
>> guaranteed that rsync hasn't been compromised? Can it be guaranteed that 
>> PORTAGE_RSYNC_OPTS will contain safe options at all times?
>>
>> The answer to all of these questions is "no". Basically, the combination 
>> of usersync and non-root ownership of PORTDIR hardens the process in a 
>> sensible way while conferring no disadvantage.
> 
>   If /usr/portage is owned by portage:portage, then wouldn't a user
> (member of portage) be able to do mischief by tweaking ebuilds?  E.g.
> modify an ebuild to point to a tarball located on a usb stick, at
> http://127.0.0.1/media/sdc1/my_tarball.tgz.  This would allow a local
> user to supply code that gets built and then installed in /usr/bin, or
> /sbin, etc.
> 

Yes, you can do that. You can also rm with gainful abandon all over the
place and wreak havoc like that. There are many attack vectors involving
user doing dumb things, and no software is ever going to deal fully with
user stupidity or mischief. Modifying an ebuild is no different
attack-wise from putting it in a local overlay, and you can already do that.

What software security attempts to provide you is protection against
unexpected side-effects like a malformed path (eg unquoted spaces) in an
rm statement run as root, or bad guys out there banging on the door.

Once an attacker can run your shell, it's basically game over at that
point wrt security and just a matter of time. So you have a choice
between syncing as a regular user or syncing as root; there are pros and
cons to each. Experience shows that in the general case the former
offers more and better protection. But, if the latter really does suit
your specific needs, then you have the choice to do it that way.

You don't *have* to follow recommendations in man pages at all, but it's
highly recommended you be well informed when making your personal choice.



-- 
Alan McKinnon
alan.mckinnon@gmail.com
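The hardening Kerin Millar describes above (FEATURES="usersync" so Portage does not fork rsync as root, plus a PORTDIR owned by portage:portage) can be audited with a short script. This is an added example, not code from the thread or from Portage itself. It assumes the usual make.conf syntax for FEATURES (single-line assignments only) and the standard portage user and group; the `make_fixture` helper, the audit function names and the sample make.conf contents are constructed here so the script runs without a Gentoo system. It goes one step beyond the thread by also flagging world-writable entries under the tree, since Walter Dnes's concern about a local account editing ebuilds applies just as much to a tree that is owned correctly but writable by everyone.

```shell
#!/bin/sh
# Added audit script (not from the thread or from Portage). Checks the two
# settings discussed above: usersync in FEATURES, and PORTDIR ownership.

# Return 0 if the make.conf at $1 enables the usersync feature.
# Assumption: FEATURES is assigned on a single line; the last assignment wins.
features_has_usersync() {
    feats=$(sed -n 's/^[[:space:]]*FEATURES=["'\'']\{0,1\}\([^"'\'']*\).*/\1/p' "$1" \
            | tail -n 1)
    case " $feats " in
        *" usersync "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if path $1 itself is owned by user $2 and group $3 (defaults portage:portage).
tree_owned_by() {
    owner_user="${2:-portage}"; owner_group="${3:-portage}"
    [ -n "$(find "$1" -prune -user "$owner_user" -group "$owner_group" -print)" ]
}

# Return 0 if nothing under $1 is writable by "other": a world-writable ebuild can be
# edited by any local account regardless of who owns the tree.
tree_not_world_writable() {
    [ -z "$(find "$1" -perm -o+w -print | head -n 1)" ]
}

# Run all three checks; print one line per check and return non-zero on any warning.
audit_portage_sync() {
    conf="$1"; portdir="$2"; au="${3:-portage}"; ag="${4:-portage}"
    rc=0
    if features_has_usersync "$conf"; then
        echo "ok:   FEATURES enables usersync in $conf"
    else
        echo "warn: usersync not in FEATURES; rsync runs as root during emerge --sync"
        rc=1
    fi
    if tree_owned_by "$portdir" "$au" "$ag"; then
        echo "ok:   $portdir owned by $au:$ag"
    else
        echo "warn: $portdir is not owned by $au:$ag"
        rc=1
    fi
    if tree_not_world_writable "$portdir"; then
        echo "ok:   nothing under $portdir is world-writable"
    else
        echo "warn: world-writable entries found under $portdir"
        rc=1
    fi
    return $rc
}

# Constructed fixture: a hardened make.conf, one without usersync, and a tiny tree.
# Prints the fixture directory so callers can pass its paths to the audit.
make_fixture() {
    fx_dir=$(mktemp -d) || return 1
    printf 'USE="bindist"\nFEATURES="usersync sandbox"\n' > "$fx_dir/make.conf"
    printf 'USE="bindist"\nFEATURES="sandbox"\n' > "$fx_dir/make.conf.root"
    mkdir -p "$fx_dir/portage/app-misc/foo"
    printf '# constructed placeholder ebuild\n' > "$fx_dir/portage/app-misc/foo/foo-1.ebuild"
    chmod -R o-w "$fx_dir/portage"
    printf '%s\n' "$fx_dir"
}

# Stand-alone demo on the fixture. The fixture is owned by whoever runs this,
# so that account is passed instead of portage:portage. On a real box you would
# call: audit_portage_sync /etc/portage/make.conf /usr/portage
demo_dir=$(make_fixture)
audit_portage_sync "$demo_dir/make.conf" "$demo_dir/portage" "$(id -un)" "$(id -gn)"
rm -rf "$demo_dir"
```

On a real system the `tree_owned_by` check only looks at the top-level directory; combine it with the world-writable check, which walks the whole tree, to catch a tree that was re-owned but still has loose permissions inside.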