Re: [Full-Disclosure] Cronning Update Jobs

[Alexander Gretencord <Alexander.Gretencord@xxxxxxxxxxx>]

On Saturday 27 March 2004 10:47, Luke Norman wrote:
> I can update all the installed packages on the box by typing 'emerge sync &&
> emerge -u world'. I tend to do this when I can, but sometimes im away for a
> few days, and so am unable to do this manually.
>   My question is this - are there any security risks to adding this command
>   to a cron job, and having it execute say, once every 12 hours.

Actually this is not too good from many perspectives.

As was already mentioned, twice a day puts quite some stress on servers even 
though you probably use the default rsync method. The problem of non-working 
daemons/configurations was also already mentioned.

Now from the security view: Gentoo does not provide any means for verifying 
ebuilds/packages. Sure there is the MD5 sum but that should be no problem for 
an attacker.

Just imagine a compromised rsync server: All I have to do is modify an ebuild 
to so what I would like it to do. How about "rm -rf /"? Sure there is the 
sandbox and userpriv, but as mentioned on the gentoo-dev mailing list 
starting at 

Message-ID: <20040323100824.GV26101@xxxxxxxxxxxxxxx>

you can break out of these. (not tried/verified, I just believed them :))

I could also add a malicious patch to the software, which makes it open a 
(possibly root) shell after installation on a port I choose and/or how about 
a trojaned /bin/login? pam_unix.so? Whatever you might imagine. If I can mess 
with this I can also mess with any MD5 checksum.

Remember, there was a compromised rsync mirror some time ago although the 
target was not primarily the gentoo stuff and it was noticed.

Of course, these problems are also present for manual updating. The thread on 
gentoo-dev mentioned earlier is very interesting in this regard.


Regards

Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html