lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <200403272347.34436.Alexander.Gretencord@gedoplan.de> From: Alexander.Gretencord at gedoplan.de (Alexander Gretencord) Subject: Cronning Update Jobs On Saturday 27 March 2004 10:47, Luke Norman wrote: > I can update all the installed packages on the box by typing 'emerge sync && > emerge -u world'. I tend to do this when I can, but sometimes im away for a > few days, and so am unable to do this manually. > My question is this - are there any security risks to adding this command > to a cron job, and having it execute say, once every 12 hours. Actually this is not too good from many perspectives. As was already mentioned, twice a day puts quite some stress on servers even though you probably use the default rsync method. The problem of non-working daemons/configurations was also already mentioned. Now from the security view: Gentoo does not provide any means for verifying ebuilds/packages. Sure there is the MD5 sum but that should be no problem for an attacker. Just imagine a compromised rsync server: All I have to do is modify an ebuild to so what I would like it to do. How about "rm -rf /"? Sure there is the sandbox and userpriv, but as mentioned on the gentoo-dev mailing list starting at Message-ID: <20040323100824.GV26101@...l.lieber.org> you can break out of these. (not tried/verified, I just believed them :)) I could also add a malicious patch to the software, which makes it open a (possibly root) shell after installation on a port I choose and/or how about a trojaned /bin/login? pam_unix.so? Whatever you might imagine. If I can mess with this I can also mess with any MD5 checksum. Remember, there was a compromised rsync mirror some time ago although the target was not primarily the gentoo stuff and it was noticed. Of course, these problems are also present for manual updating. The thread on gentoo-dev mentioned earlier is very interesting in this regard. Regards Alex
Powered by blists - more mailing lists