On Thu, 30 Oct 2003, Simon Kitching wrote:

> Hi,
>
> I'm concerned that installing the yum rpm sets up a yum.conf file that
> points to duke.edu, and a cron job to run it.
>
> If anyone should crack the duke yum repository, installing a trojan rpm
> of, say, glibc with an updated version number, then every system that
> has ever installed yum and not disabled the duke url would be cracked
> that night when the cron job runs.

Absolutely. Excellent reason to set up your own repository, although this doesn't really solve the problem, as you'll likely still mirror some other repository that mirrors some OTHER repository and of course it or your own repository could be cracked. With rpm's, kickstart, yum, your installation won't be secure no matter what you do. It will, however, be a lot MORE secure MOST of the time, and if cracked (even topdown cracked as you describe) it may take a lot LESS time to fix and bring back up again.

> In fact, it's just as well we trust you, Seth; you could own a whole lot
> of linux boxes very quickly if you should wish to :-)

Seth is actually an alien creature originally from a small planet orbiting Arcturus. If one surprises him unawares, he is often muttering something about a place named "R'Lyeh" and some dude named "Ktooloo". He is disguised as an Albanian terrorist, disguised as a systems programmer, seeking to take control of all the computers on the planet that matter (all of the ones running linux). Don't trust him. Not even his best friends trust him, and some of them have way too many tentacular arms with these little mouthie things on the ends and make buzzing sounds as they crawl out of slimy caverns...

> Alternatively, rpm signing could be enabled instead:
> * run "gpg --install /usr/share/rhn/RPM-GPG-KEY"
> * have the yum.conf file always set gpgcheck=1
> This would at least ensure that if a cracker installed a trojan in the
> duke yum repository, it would be rejected due to invalid signature.

Maybe. I personally wouldn't trust gpg checking all that far as this also involves one in loops of trust and who you gonna trust to tell you who NOT to trust (and with what tools). In my direct experience there is no such thing as secure, only varying degrees of risk that have to be weighed against the benefits associated with different choices. For example, you could set up a twinned mirror (with gpgchecking and all) but insert a one week lag between the appearance of a new package and your making it available in your repository for client updates. This gives egregiously trojanned glibc's time to surface among the systems of risk-takers who installed it right away (so you can avoid it, maybe) at the expense of increasing the window of opportunity that exists when a critically patched rpm is delayed.

In my mind, you just take your chances, keep good backups, and try to construct a distribution system that is sufficiently robust and scalable that IF it is compromised it isn't horribly difficult to rebuild or repair everything. However, in the face of der ubercracker, there is little one can do.

rg-clearly-overdosing-on-lovecraft-b
Ph.D., Miskatonic University, Arkham, Mass.

Cthulhu f'thagn and happy halloween, y'all...

--
Robert G. Brown                        http://www.phy.duke.edu/~rgb/
Duke University Dept. of Physics, Box 90305
Durham, N.C. 27708-0305
Phone: 1-919-660-2567  Fax: 919-660-2525  email:rgb@xxxxxxxxxxxx
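The thread's concrete mitigation is the yum.conf setting gpgcheck=1, and the easy way to get it wrong is to set it in one place and have a repository section silently override it. The following script is an added example, not code from the mailing-list post or from the yum project; it lints a yum.conf for that mistake and shows the weak configuration beside a hardened one. It assumes the usual yum.conf semantics: a [main] section whose gpgcheck value is the default for every repository section, per-repository sections that may override it, and an optional gpgkey= option naming the public key to import. The sample configuration embedded below is constructed for the example.

```python
"""Audit a yum.conf for repositories that would accept unsigned packages.

Added example, not part of the original post and not yum's own code.
Assumed semantics: [main] gpgcheck is the default for every repo,
a repo-level gpgcheck overrides it, and gpgkey= names the signing key.
"""
from configparser import ConfigParser
from io import StringIO

# Constructed sample: [main] has checking off, one repo overrides it
# correctly, one checks but names no key, one inherits the weak default.
SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum
gpgcheck=0

[updates]
name=Vendor updates (constructed sample)
baseurl=http://mirror.example.invalid/updates/
gpgcheck=1
gpgkey=file:///usr/share/rhn/RPM-GPG-KEY

[extras]
name=Extras (constructed sample)
baseurl=http://extras.example.invalid/
gpgcheck=1

[local]
name=Local builds (constructed sample)
baseurl=file:///srv/localrepo/
"""


def parse_yum_conf(text):
    """yum.conf is INI-style, so the stdlib parser is enough."""
    cp = ConfigParser(interpolation=None)
    cp.read_file(StringIO(text))
    return cp


def _enabled(value):
    return str(value).strip().lower() in ("1", "true", "yes")


def audit_repos(text):
    """Return {repo_name: [findings]}; an empty list means the repo is fine."""
    cp = parse_yum_conf(text)
    main_default = cp.has_section("main") and _enabled(cp["main"].get("gpgcheck", "0"))
    findings = {}
    for repo in cp.sections():
        if repo == "main":
            continue
        sec = cp[repo]
        problems = []
        # Repo-level setting wins; otherwise the [main] default applies.
        if "gpgcheck" in sec:
            effective = _enabled(sec["gpgcheck"])
            if not effective:
                problems.append("gpgcheck=0 set in repo")
        else:
            effective = main_default
            if not effective:
                problems.append("gpgcheck off: inherited from [main]")
        # Checking is only useful if the key is available; without gpgkey=
        # it must already have been imported into the rpm keyring by hand.
        if effective and not sec.get("gpgkey"):
            problems.append("gpgcheck on but no gpgkey= url; key must already be in the rpm keyring")
        findings[repo] = problems
    return findings


def hardened_conf(text):
    """Return the same config with signature checking forced on everywhere."""
    cp = parse_yum_conf(text)
    if not cp.has_section("main"):
        cp.add_section("main")
    cp["main"]["gpgcheck"] = "1"
    for repo in cp.sections():
        if repo != "main":
            cp[repo]["gpgcheck"] = "1"
    out = StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for name, problems in audit_repos(SAMPLE_YUM_CONF).items():
        print(name, "->", problems or "ok")
    print("--- after hardening ---")
    for name, problems in audit_repos(hardened_conf(SAMPLE_YUM_CONF)).items():
        print(name, "->", problems or "ok")
```

Forcing gpgcheck=1 in every section removes the inheritance ambiguity entirely, but the audit still reports repositories with no gpgkey= so that an administrator knows which keys must be present in the rpm keyring before the nightly cron run can install anything from them.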