Full Disclosure mailing list archives
Re: Cronning Update Jobs
From: Alexander Gretencord <Alexander.Gretencord () gedoplan de>
Date: Sat, 27 Mar 2004 23:47:34 +0100
On Saturday 27 March 2004 10:47, Luke Norman wrote:

> I can update all the installed packages on the box by typing 'emerge sync && emerge -u world'. I tend to do this when I can, but sometimes I'm away for a few days, and so am unable to do this manually. My question is this - are there any security risks to adding this command to a cron job, and having it execute say, once every 12 hours?
Actually this is not too good from many perspectives. As was already mentioned, twice a day puts quite some stress on servers even though you probably use the default rsync method. The problem of non-working daemons/configurations was also already mentioned.

Now from the security view: Gentoo does not provide any means for verifying ebuilds/packages. Sure there is the MD5 sum, but that should be no problem for an attacker. Just imagine a compromised rsync server: all I have to do is modify an ebuild to do what I would like it to do. How about "rm -rf /"? Sure there is the sandbox and userpriv, but as mentioned on the gentoo-dev mailing list starting at Message-ID: <20040323100824.GV26101 () mail lieber org> you can break out of these. (Not tried/verified, I just believed them. :))

I could also add a malicious patch to the software, which makes it open a (possibly root) shell after installation on a port I choose, and/or how about a trojaned /bin/login? pam_unix.so? Whatever you might imagine. If I can mess with this I can also mess with any MD5 checksum.

Remember, there was a compromised rsync mirror some time ago, although the target was not primarily the Gentoo stuff and it was noticed.

Of course, these problems are also present for manual updating. The thread on gentoo-dev mentioned earlier is very interesting in this regard.

Regards
Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
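The point in the reply above, that an MD5 sum shipped alongside the ebuild on the same mirror is integrity without authenticity, can be shown in a few lines. The following is an added example, not code from the poster or from Gentoo/Portage: it uses a constructed toy ebuild and a simplified one-line-per-file Manifest layout (an assumption, not Gentoo's real Manifest format), lets a "compromised mirror" swap the ebuild and recompute the sums, and contrasts that with a Manifest tag computed under a key the mirror never holds (an HMAC is used here only as a stand-in for a developer signature; the key name and functions are hypothetical).

```python
import hashlib
import hmac

# Constructed sample ebuild (not a real Gentoo ebuild).
ORIGINAL_EBUILD = b"""# constructed sample ebuild
DESCRIPTION="toy package"
src_install() {
    dobin toy
}
"""

# What a compromised mirror could ship instead: the same ebuild plus a
# post-install hook. The payload only echoes; it stands in for anything
# that runs with the installing user's privileges (typically root).
TROJANED_EBUILD = ORIGINAL_EBUILD + b"""
pkg_postinst() {
    echo "attacker payload would run here"
}
"""

# Assumed to exist only on the developer side, never on the mirror.
SIGNING_KEY = b"developer-key-not-on-the-mirror"


def md5_manifest(files):
    """Build a Manifest of unauthenticated MD5 sums: 'MD5 <hex> <name>' per file (simplified layout)."""
    return "\n".join(
        f"MD5 {hashlib.md5(data).hexdigest()} {name}" for name, data in sorted(files.items())
    )


def verify_md5_manifest(manifest, files):
    """Integrity check only: every listed file must hash to the recorded MD5."""
    for line in manifest.splitlines():
        algo, digest, name = line.split()
        if algo != "MD5" or hashlib.md5(files[name]).hexdigest() != digest:
            return False
    return True


def sign_manifest(manifest, key):
    """Keyed tag over the whole Manifest; stand-in for a signature the mirror cannot produce."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def verify_signed_manifest(manifest, tag, key, files):
    """Authenticity of the Manifest first, then integrity of each file against it."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False
    return verify_md5_manifest(manifest, files)


def compromised_mirror(files):
    """Everything a mirror operator can do: replace the ebuild and rewrite the Manifest to match."""
    tampered = dict(files)
    tampered["toy-1.0.ebuild"] = TROJANED_EBUILD
    return tampered, md5_manifest(tampered)


def md5_only_check_survives_tampering():
    """MD5 sums regenerated by the attacker verify fine: the check proves nothing about origin."""
    files = {"toy-1.0.ebuild": ORIGINAL_EBUILD}
    tampered_files, tampered_manifest = compromised_mirror(files)
    return verify_md5_manifest(tampered_manifest, tampered_files)


def signed_check_accepts_untampered():
    """Sanity check: the developer's own tag over the untouched tree verifies."""
    files = {"toy-1.0.ebuild": ORIGINAL_EBUILD}
    manifest = md5_manifest(files)
    tag = sign_manifest(manifest, SIGNING_KEY)
    return verify_signed_manifest(manifest, tag, SIGNING_KEY, files)


def signed_check_detects_tampering():
    """The mirror can rewrite the Manifest but cannot re-tag it; the old tag no longer matches."""
    files = {"toy-1.0.ebuild": ORIGINAL_EBUILD}
    tag = sign_manifest(md5_manifest(files), SIGNING_KEY)  # computed off-mirror
    tampered_files, tampered_manifest = compromised_mirror(files)
    return verify_signed_manifest(tampered_manifest, tag, SIGNING_KEY, tampered_files)


if __name__ == "__main__":
    print("MD5-only check after mirror tampering:", md5_only_check_survives_tampering())
    print("Keyed Manifest check, untouched tree:", signed_check_accepts_untampered())
    print("Keyed Manifest check after mirror tampering:", signed_check_detects_tampering())
```

The difference is where the secret lives: with bare MD5 sums, whoever controls the bytes on the mirror also controls the sums, so a cron job that syncs and merges unattended will happily install whatever the mirror serves. A tag keyed off-mirror forces the attacker to either steal the key or ship a Manifest that no longer verifies, which is the check an unattended `emerge -u world` would need before it could be considered safe.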
Current thread:
- Cronning Update Jobs Luke Norman (Mar 27)
- Re: Cronning Update Jobs Max Valdez (Mar 27)
- Re: Cronning Update Jobs Alexander Gretencord (Mar 27)
- RE: Cronning Update Jobs Aditya, ALD [Aditya Lalit Deshmukh] (Mar 27)
- Re: Cronning Update Jobs Nico Golde (Mar 28)
- Re: Cronning Update Jobs <- really a bad idea in Portage Tobias Weisserth (Mar 28)
- Re: Cronning Update Jobs Luke Norman (Mar 28)
- Re: Cronning Update Jobs <- really a bad idea in Portage Wesley D Craig (Mar 28)
- Re: Cronning Update Jobs Remko Lodder (Mar 28)
- Re: Cronning Update Jobs <- really a bad idea in Portage Tobias Weisserth (Mar 28)