rajiv Retired Dev
Joined: 04 Aug 2002 Posts: 18 Location: Boston, MA, USA
Posted: Wed Aug 07, 2002 3:45 am Post subject: are gentoo machines more likely to be hacked?
While I sit here waiting for my slow PowerMac 6400 to finish an 'emerge -u world', I can't help but wonder if Gentoo machines are more likely to be hacked if a known exploit comes out.
Consider this scenario: there is a remote hole in some package. An exploit and the source code for the fix are released to everyone at the same time. Binary distribution users wait for their distribution owners or someone else to compile the fix and release a binary package. They download the package and install.
However, Gentoo users have to download the fix and then compile it themselves, then install. Now if you're a Gentoo user with a modern (read: fast) machine, you'll be patched in about the same time as a binary distribution user. But if your Gentoo machine is old (read: slow) it could be a while before you have the patch installed.
So unless Gentoo users are running faster machines than binary distribution users, more Gentoo machines will be exploitable for a longer period of time.
Thoughts?
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Wed Aug 07, 2002 3:47 am Post subject: Re: are gentoo machines more likely to be hacked?
Shut down the vulnerable server process during the recompilation.
_________________
For every higher wall, there is a taller ladder
delta407 Bodhisattva
Joined: 23 Apr 2002 Posts: 2876 Location: Chicago, IL
Posted: Wed Aug 07, 2002 3:56 am Post subject: Re: are gentoo machines more likely to be hacked?
rac wrote:
    Shut down the vulnerable server process during the recompilation.
It's almost too simple.
_________________
I don't believe in witty sigs.
pjp Administrator
Joined: 16 Apr 2002 Posts: 20585
Posted: Wed Aug 07, 2002 3:58 am Post subject:
Also consider how quickly you usually know about the announcements and fixes. I personally never happen to be using my computer when they come out. I check my mail and see GLSAs. Chances are it isn't that huge a risk. Anyone in a server environment is likely to have a fast enough machine to do this, or another machine to compile on, then distribute.
_________________
Quis separabit? Quo animo?
nitro322 Guru
Joined: 24 Jul 2002 Posts: 596 Location: USA
Posted: Wed Aug 07, 2002 5:28 am Post subject:
My view on this is that you're much more likely to NOT be hacked if you're running Gentoo. Think about it - the entire distribution is already source based, so when a new version of a program is released (most likely as source code), you'll be ready to update almost right away. Assuming Gentoo developers are on top of things (and they seem to be doing a great job of that), they'll have a new ebuild for the package a very short time after it's been fixed, and you can instantly upgrade. Pre-packaged distributions such as RedHat, on the other hand, often take quite a while to be updated. Even if the vulnerability is leaked and exploit code is made available before vendors have a chance to patch the problem, they'll still be slow to release an updated package because packaging and testing on multiple systems simply takes a lot longer than working directly with the source. My $.02, anyway.
zerogeny Tux's lil' helper
Joined: 17 Apr 2002 Posts: 85
Posted: Wed Aug 07, 2002 12:44 pm Post subject:
is my apple more easily hacked than a lemon?
_________________
Searched the web for zerogeny.
Results 1 - 1 of 1. Search took 0.05 seconds
|
IdBuRnS n00b
Joined: 01 Aug 2002 Posts: 19
Posted: Wed Aug 07, 2002 2:29 pm Post subject:
zerogeny wrote:
    is my apple more easily hacked than a lemon?
lol
_________________
Iain
Dell GX1
Pentium2 400MHz w/ 192MB
30GB IBM, Onboard NIC, Onboard Sound
|
dioxmat Bodhisattva
Joined: 04 May 2002 Posts: 709 Location: /home/mat
Posted: Wed Aug 07, 2002 3:19 pm Post subject:
First, the binary package will usually come after the patch, so chances are you had the patch and compiled your fixed version before the binary package is actually released.
Anyway, most hackers know before the patch is released that there is a vulnerability... and you could take a binary package while recompiling :) (or, just like rac pointed out, shut down the process)
_________________
mat
fmalabre Guru
Joined: 19 Jun 2002 Posts: 376 Location: Chicago
Posted: Wed Aug 07, 2002 5:16 pm Post subject:
In terms of package versions, Gentoo seems the most up to date I've ever seen.
Nitro Bodhisattva
Joined: 08 Apr 2002 Posts: 661 Location: San Francisco
Posted: Wed Aug 07, 2002 5:24 pm Post subject:
I think that Gentoo would be the first distro to give you the chance to upgrade. I've used LFS, Slack, RH, and MDK. Gentoo never gave me a chance to try Debian or SUSE, but I figure I'm not missing anything.
There are always Gentoo developers on IRC and all well up to date with vulnerabilities as they are probably subscribed to an array of mailing lists, so they talk, fix the ebuild, and commit it. At the very most, you will have to wait half an hour to get an updated ebuild after it has been committed to CVS (rsync mirror updates run every half an hour on the hour). And if you need it ASAP, you can grab it off gentoo.org's CVS viewer. So the initial solution is released faster; you could even edit the ebuild manually. A GLSA is released later after the vulnerability has received attention and the developers are positive they have the bug covered.
Now, you raised an interesting argument about compiling. As long as you are up to date as well, you can start compiling probably before the binary distro gets the RPM or whatever on the mirrors. Even a 2 year old machine at, say, about 500MHz would take at most 30 mins to compile something big such as MySQL.
I guess I don't have solid examples, but with my involvement with Gentoo and my understanding of the community built around it, I would say a Gentoo box could be secured much sooner than a binary one.
My 2 cents.
_________________
- Kyle Manna
Please, please SEARCH before posting.
There are three kinds of people in the world: those who can count, and those who can't.
fmalabre Guru
Joined: 19 Jun 2002 Posts: 376 Location: Chicago
Posted: Wed Aug 07, 2002 5:29 pm Post subject:
I think you're absolutely right about the community around Gentoo...
This helps a lot in having very recent packages.
However, this may not last forever. I already saw similar communities which were first very active, and then moved on to something else (I'm thinking about Slackware).
Nitro Bodhisattva
Joined: 08 Apr 2002 Posts: 661 Location: San Francisco
Posted: Wed Aug 07, 2002 5:38 pm Post subject:
fmalabre wrote:
    However, this may not last forever. I already saw similar communities which were first very active, and then moved on to something else (I'm thinking about Slackware).
Debian has a strong community now as well. Slackware happened before I got involved with Linux much, and I guess they lost corporate funding. Not sure, anyone prove me wrong/right?
_________________
- Kyle Manna
Please, please SEARCH before posting.
There are three kinds of people in the world: those who can count, and those who can't.
sschlueter Guru
Joined: 26 Jul 2002 Posts: 578 Location: Dortmund, Germany
Posted: Wed Aug 07, 2002 6:46 pm Post subject: Re: are gentoo machines more likely to be hacked?
rajiv wrote:
    So unless Gentoo users are running faster machines than binary distribution users, more Gentoo machines will be exploitable for a longer period of time.
    Thoughts?
It is far more complicated than that.
First of all, the time lag between announcement of the bug (and hopefully announcement of the patch) and the availability of updated packages varies.
To monitor vulnerability reports, subscribe to the bugtraq mailing list or read the archive at: http://online.securityfocus.com/archive/1
Summary of vulnerabilities:
http://online.securityfocus.com/bid
http://www.kb.cert.org/vuls
You can now compare the vulnerabilities with the availability of patches from various "vendors":
http://www.suse.de/de/security/index.html
http://rhn.redhat.com/errata/rh73-errata-security.html
http://www.mandrakelinux.com/en/security/mdk-updates.php3?dis=8.2
http://www.debian.org/security/
Usually, you can also subscribe to vendor specific security announcement mailing lists which may be a little faster than the web archives.
Of course, you can also monitor the main home pages of the software packages:
http://www.openssh.org
http://openssl.org
http://www.apache.org
...
Apart from the difference in response times, you may also notice that for some vulnerabilities, some vendors completely lack the required updated packages.
Note that most vendors have a different approach than Gentoo. While Gentoo is a "cutting edge" distro and the portage tree is constantly changing, it's easy for us to always run the newest versions of all packages, including but not limited to those that have had security vulnerabilities in the past. Other Linux distros usually have a fixed set of packages for each release that are tested to interact with no problems. For stability reasons, they want to make only minimal changes to the packages when they need to be updated and therefore, they often incorporate the patch into the release package rather than simply supplying a new version of the package that may contain other changes besides the security fixes. An example: there were vulnerabilities found in the OpenSSL libraries. OpenSSL 0.9.6e fixes these problems. The Gentoo portage tree contains this version. SuSE patched an older version and the updated package is called: openssl-0.9.6c-78.i386.rpm
On the other hand, the updated packages are usually PGP-signed, or the advisories containing the filenames and md5 checksums are PGP-signed. The Gentoo portage system doesn't check PGP signatures.
On the other hand, even if the package is PGP-signed, you have to trust the person that created the rpm.
An important factor hasn't been mentioned yet: many people, newbies in particular, don't patch their systems. This is especially dangerous when there are network services running in the background that may lead to a remote root compromise of the machine. So I think the right direction is: "secure by default". In this respect, Gentoo is ultra secure because it starts with 0 services after the initial 3 installation steps and even if services are emerged, they don't start automatically during the boot process unless you add them using rc-update add foo default.
zentek n00b
Joined: 03 Jul 2002 Posts: 41
Posted: Wed Aug 07, 2002 7:27 pm Post subject:
Yep, Gentoo is mostly one of the best distros.
Cutting edge (the chance of being vulnerable to old exploits is quite null)
Active community and fast updates
Secure by default (OpenBSD can be jealous!!!)
I'll pay $50 to the first guy to hack a default install of Gentoo remotely!!
And on top of it Gentoo is easy to manage
|
delta407 Bodhisattva
Joined: 23 Apr 2002 Posts: 2876 Location: Chicago, IL
Posted: Wed Aug 07, 2002 7:55 pm Post subject:
zentek wrote:
    I'll pay $50 to the first guy to hack a default install of Gentoo remotely!!
The "default install" doesn't set a root password, so that won't be too hard.
_________________
I don't believe in witty sigs.
fmalabre Guru
Joined: 19 Jun 2002 Posts: 376 Location: Chicago
Posted: Wed Aug 07, 2002 8:02 pm Post subject:
You forgot "remote" I believe...
sschlueter Guru
Joined: 26 Jul 2002 Posts: 578 Location: Dortmund, Germany
Posted: Wed Aug 07, 2002 8:08 pm Post subject:
delta407 wrote:
    The "default install" doesn't set a root password, so that won't be too hard.
It would be impossible, since there are no services running.
delta407 Bodhisattva
Joined: 23 Apr 2002 Posts: 2876 Location: Chicago, IL
Posted: Wed Aug 07, 2002 11:40 pm Post subject:
sschlueter wrote:
    delta407 wrote:
        The "default install" doesn't set a root password, so that won't be too hard.
    It would be impossible, since there are no services running.
Untrue. Many things start on bootup in the default install. Granted, IIRC none of them take logon credentials, but if the user had (say) told sshd to start automatically, say goodbye to your system.
_________________
I don't believe in witty sigs.
kirill Apprentice
Joined: 01 Aug 2002 Posts: 183 Location: Finland
Posted: Thu Aug 08, 2002 6:54 am Post subject:
Okay, the sshd is running, the root passwd is empty...
Code:
    /etc/ssh/sshd_config:
    #PermitEmptyPasswords no
I suppose it wouldn't let you in?
And again, if you had a user added before first reboot, you should have added it to the 'wheel' group to 'su -', which isn't so default.
So the default Gentoo installs aren't THAT insecure after all?
_________________
--kirill
rajiv Retired Dev
Joined: 04 Aug 2002 Posts: 18 Location: Boston, MA, USA
Posted: Thu Aug 08, 2002 7:41 am Post subject: Re: are gentoo machines more likely to be hacked?
sschlueter wrote:
    Other Linux distros usually have a fixed set of packages for each release that are tested to interact with no problems. For stability reasons, they want to make only minimal changes to the packages when they need to be updated and therefore, they often incorporate the patch into the release package rather than simply supplying a new version of the package that may contain other changes besides the security fixes. An example: there were vulnerabilities found in the OpenSSL libraries. OpenSSL 0.9.6e fixes these problems. The Gentoo portage tree contains this version. SuSE patched an older version and the updated package is called: openssl-0.9.6c-78.i386.rpm
RedHat's lack of RPMs of OpenSSH 3.4 (with privsep) for 7.2 is one of the reasons I'm trying out Gentoo.
I guess that shutting down the affected process while the compile is going on a slow machine is acceptable.
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Thu Aug 08, 2002 7:47 am Post subject: Re: are gentoo machines more likely to be hacked?
rajiv wrote:
    I guess that shutting down the affected process while the compile is going on a slow machine is acceptable.
Another option, especially useful if you have a giant farm of suddenly vulnerable machines, is to temporarily firewall affected ports while you address the situation.
_________________
For every higher wall, there is a taller ladder
dioxmat Bodhisattva
Joined: 04 May 2002 Posts: 709 Location: /home/mat
Posted: Thu Aug 08, 2002 8:45 am Post subject: Re: are gentoo machines more likely to be hacked?
sschlueter wrote:
    On the other hand, the updated packages are usually PGP-signed, or the advisories containing the filenames and md5 checksums are PGP-signed. The Gentoo portage system doesn't check PGP signatures.
    On the other hand, even if the package is PGP-signed, you have to trust the person that created the rpm :-)
I'm raising another issue that is probably off-topic for this thread, but never mind.
Gentoo only does md5 checks. I don't think this is enough. Since Gentoo developers check the packages they include in the portage tree, they are able to make GPG/PGP signatures for those packages. I think Gentoo needs that. There are lots of mirrors, lots of packages; the fact that there is no signature check is quite dangerous. Look at irssi (Gentoo not affected since it was the .tar.gz and not the .tar.bz2 which was backdoored), OpenSSL, BitchX, etc, etc. Of course signing won't change the fact that some packages may contain backdoors in the original version, but at least if someone hacks a mirror, or something like that, we will be safe.
_________________
mat
sschlueter Guru
Joined: 26 Jul 2002 Posts: 578 Location: Dortmund, Germany
Posted: Thu Aug 08, 2002 11:25 am Post subject:
delta407 wrote:
    sschlueter wrote:
        delta407 wrote:
            The "default install" doesn't set a root password, so that won't be too hard.
        It would be impossible, since there are no services running.
    Untrue. Many things start on bootup in the default install. Granted, IIRC none of them take logon credentials, but if the user had (say) told sshd to start automatically, say goodbye to your system.
I was referring to inet listening sockets. As far as I remember, there were none after the default install, not even sshd.
Nitro Bodhisattva
Joined: 08 Apr 2002 Posts: 661 Location: San Francisco
Posted: Thu Aug 08, 2002 3:50 pm Post subject: Re: are gentoo machines more likely to be hacked?
dioxmat wrote:
    sschlueter wrote:
        On the other hand, the updated packages are usually PGP-signed, or the advisories containing the filenames and md5 checksums are PGP-signed. The Gentoo portage system doesn't check PGP signatures.
        On the other hand, even if the package is PGP-signed, you have to trust the person that created the rpm
    I'm raising another issue that is probably off-topic for this thread, but never mind.
    Gentoo only does md5 checks. I don't think this is enough. Since Gentoo developers check the packages they include in the portage tree, they are able to make GPG/PGP signatures for those packages. I think Gentoo needs that. There are lots of mirrors, lots of packages; the fact that there is no signature check is quite dangerous. Look at irssi (Gentoo not affected since it was the .tar.gz and not the .tar.bz2 which was backdoored), OpenSSL, BitchX, etc, etc. Of course signing won't change the fact that some packages may contain backdoors in the original version, but at least if someone hacks a mirror, or something like that, we will be safe.
This exact topic is being discussed on the mailing lists. Check out http://lists.gentoo.org/pipermail/gentoo-dev/2002-August/014063.html
_________________
- Kyle Manna
Please, please SEARCH before posting.
There are three kinds of people in the world: those who can count, and those who can't.
n0n Guru
Joined: 13 Jun 2002 Posts: 355
Posted: Thu Aug 08, 2002 4:25 pm Post subject:
What I'd be more wary of, personally, and this is a problem with any system that downloads components automatically, is having one of the mirrors hacked or whatever, and then downloading corrupt md5s, etc, and then getting trojaned source packages. Obviously this kind of thing would also affect Debian users (apt-get), evidently the BSDs (with their ports system), in addition to Gentoo. Granted, you'd probably have to be somewhat crafty to do it (will the user get the md5 and the source package from the same server?), but I suppose it could theoretically be done.
As to the actual question at hand, I doubt that would come into play much.
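dioxmat's complaint ("Gentoo only does md5 checks") and n0n's question ("will the user get the md5 and the source package from the same server?") are two views of one trust boundary. Portage at the time recorded an MD5 and size for each distfile in a digest file inside the portage tree, so the digest arrives from an rsync mirror while the tarball arrives from a distfiles mirror. The following is an added example, not code from the thread or from Portage: a Python model of that fetch path that runs the four cases (honest mirrors, a trojaned distfiles mirror, both mirrors trojaned, and both mirrors trojaned but with a developer-signed digest). A Lamport one-time signature built from SHA-256 stands in for the PGP signature the thread proposes; it has the property that matters here (the mirror holds only the public key and cannot re-sign a regenerated digest) but is not the scheme Gentoo later adopted. The tarball bytes, digest line and key are constructed.

```python
"""Added example (not from the thread): the trust boundary behind dioxmat's
and n0n's mirror worry.  Portage in 2002 checked a distfile against an MD5
and size recorded in files/digest-<pkg> inside the portage tree, i.e. the
digest comes from an rsync mirror and the tarball from a distfiles mirror.
A Lamport one-time signature (SHA-256, stdlib only) stands in for the PGP
signature the thread proposes: same trust property, not the same scheme.
The tarball bytes and digest lines are constructed."""

import hashlib
import os


def make_digest(name, data):
    """One line in Portage's old digest format: 'MD5 <hex> <filename> <size>'."""
    return "MD5 %s %s %d\n" % (hashlib.md5(data).hexdigest(), name, len(data))


def parse_digest(text):
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].upper() == "MD5":
            entries[parts[2]] = (parts[1].lower(), int(parts[3]))
    return entries


def digest_ok(name, data, digest_text):
    """What the fetch step verified: size and MD5 of the distfile."""
    want = parse_digest(digest_text).get(name)
    return want is not None and want == (hashlib.md5(data).hexdigest(), len(data))


# ---- Lamport one-time signature: keygen / sign / verify ----------------------
def lamport_keygen(rng=os.urandom):
    sk = [(rng(32), rng(32)) for _ in range(256)]               # 256 preimage pairs
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _bits(msg):
    h = hashlib.sha256(msg).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg):
    """Reveal one preimage per message-hash bit.  One-time: never reuse sk."""
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(pk, msg, sig):
    return len(sig) == 256 and all(
        hashlib.sha256(s).digest() == pk[i][bit]
        for i, (s, bit) in enumerate(zip(sig, _bits(msg))))


# ---- The fetch path, modelled ------------------------------------------------
def install(name, distfiles_mirror, rsync_mirror, dev_pk=None):
    """Digest (and its signature) come from the rsync tree, the tarball from a
    distfiles mirror.  With dev_pk the digest must verify before it is trusted."""
    digest_text = rsync_mirror["digest"]
    if dev_pk is not None and not lamport_verify(dev_pk, digest_text.encode(), rsync_mirror["digest.sig"]):
        return "bad-signature"
    if not digest_ok(name, distfiles_mirror[name], digest_text):
        return "md5-mismatch"
    return "ok"


NAME = "foo-1.0.tar.bz2"
GOOD = b"constructed stand-in for the upstream tarball\n"
TROJANED = GOOD + b"constructed stand-in for an added backdoor\n"


def scenarios():
    sk, pk = lamport_keygen()
    digest = make_digest(NAME, GOOD)
    sig = lamport_sign(sk, digest.encode())          # developer signs once, at commit time
    honest_tree = {"digest": digest, "digest.sig": sig}
    # Attacker owning the rsync mirror too: regenerates the digest, but cannot re-sign.
    evil_tree = {"digest": make_digest(NAME, TROJANED), "digest.sig": sig}
    return {
        "honest mirrors": install(NAME, {NAME: GOOD}, honest_tree),
        "honest mirrors, signed digest": install(NAME, {NAME: GOOD}, honest_tree, dev_pk=pk),
        "distfiles mirror trojaned": install(NAME, {NAME: TROJANED}, honest_tree),
        "both mirrors trojaned, md5 only": install(NAME, {NAME: TROJANED}, evil_tree),
        "both mirrors trojaned, signed digest": install(NAME, {NAME: TROJANED}, evil_tree, dev_pk=pk),
    }


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print("%-40s %s" % (case, outcome))
```

The third case is the one dioxmat is worried about: when the attacker controls the tree the digest is read from, the MD5 check passes on the trojaned tarball, and the hash algorithm in the digest file makes no difference because the attacker simply regenerates it. The second and fourth cases are n0n's answer: splitting the digest from the distfile across different servers catches a compromise of a distfiles mirror alone, and a signature over the digest with a key that never leaves the developer catches a compromise of both.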