From: steve
Date: Mon, 09 Jul 2001 18:26:32 -0500
To: freebsd-security@freebsd.org
Subject: Re: cvsup and security

Hi,

> We do know how to do this? What trusted location would these MD5
> checksums come from? If someone has slipped in malicious code on a
> cvsupd server, it is relatively easy to change the MD5 sums provided
> by that server to match. Or is the idea that you get files from a
> random mirror, but get MD5 checksums from a different location?

For those that are paranoid about security (like me), perhaps the ports.tar.gz file could be signed so I can download the tarball and verify it with a signature file (e.g. ports.tar.gz.sign). This still wouldn't allow you to verify when updating via CVSup, but at least I could verify that my ports directory skeleton is legit through alternative means. The same thing could be done with the system source code (src-all.tar.gz and src-all.tar.gz.sign).

One of the FreeBSD people could be responsible for the private/public key and creating the signature files.

> I'd also like to point out that the ports are checking something
> different with the MD5 sum. Since you got the MD5 hashes for the ports
> from a cvsupd server, you already are trusting cvsup (unless you are
> using old ones from a CD).

Sorry, I should have been more clear about that. I am using the original /usr/ports and /usr/src skeletons from the CD and I want to update those skeletons in a secure manner so that I can safely install the latest and greatest (both ports and system software).

> All the MD5 hashes on ports prove is that
> the tarball you download is the same one the maintainer downloaded
> when he built the port skeleton. That does NOT mean that the
> maintainer audited the code, checked the code, or did not insert
> malicious code himself.

If there was a way to make the md5sums in the ports/src skeletons trustworthy (e.g. signing files, or using the ones from the CD), they could be used to verify the authenticity of a port/system program that is being installed. I would personally like a way to verify that the kernel source updates I've downloaded aren't trojaned in some way if I'm going to be updating my kernel with them.

> When an MD5 check fails, the most common
> reason is that a developer modified the code without changing the
> version number, not that code was tampered with.

This may be true, but I like to know for sure ;-)

What do you think?

Steve

P.S. I apologize if I'm using FreeBSD terminology (e.g. ports/src skeleton) incorrectly as I'm new to FreeBSD.

> --
> Crist J. Clark cjclark@alum.mit.edu
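The workflow Steve proposes (a signed ports.tar.gz plus a detached ports.tar.gz.sign, and only then trusting the checksums inside the skeleton), as an added example that is not part of the thread and not FreeBSD's own tooling: it uses the openssl CLI, a constructed key pair and tarball, and SHA-256 in place of the MD5 sums discussed above. In practice the public key would be obtained out of band (e.g. from the install CD), never from the same mirror as the tarball.

```shell
#!/bin/sh
# Added example: detached-signature check for a release tarball with the openssl CLI.
# Key pair, tarball contents and file names are all constructed for this demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for ports.tar.gz (the bytes themselves do not matter here).
printf 'constructed ports skeleton\n' > "$WORK/ports.tar.gz"

# Hypothetical project key pair: private key stays with the release engineer,
# public key is what users obtain through a trusted channel.
openssl genrsa -out "$WORK/release.key" 2048 2>/dev/null
openssl rsa -in "$WORK/release.key" -pubout -out "$WORK/release.pub" 2>/dev/null

# Release side: write $1.sign, a signature over SHA-256 of the tarball $1 with private key $2.
sign_tarball() {
  openssl dgst -sha256 -sign "$2" -out "$1.sign" "$1"
}

# User side: verify tarball $1 against $1.sign with trusted public key $2.
# Exit status 0 only if the signature matches exactly these bytes.
verify_tarball() {
  openssl dgst -sha256 -verify "$2" -signature "$1.sign" "$1" >/dev/null 2>&1
}

# Only after the skeleton verifies can its checksums be trusted for the distfiles
# it references: compare distfile $1 against expected SHA-256 hex $2.
check_distfile() {
  actual=$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

sign_tarball "$WORK/ports.tar.gz" "$WORK/release.key"

if verify_tarball "$WORK/ports.tar.gz" "$WORK/release.pub"; then
  echo "ports.tar.gz: signature OK"
else
  echo "ports.tar.gz: BAD signature, do not use"
fi

# A tampered copy (one byte appended) must fail against the same .sign file.
cp "$WORK/ports.tar.gz" "$WORK/tampered.tar.gz"
cp "$WORK/ports.tar.gz.sign" "$WORK/tampered.tar.gz.sign"
printf 'x' >> "$WORK/tampered.tar.gz"
if verify_tarball "$WORK/tampered.tar.gz" "$WORK/release.pub"; then
  echo "tampered.tar.gz: unexpectedly verified"
else
  echo "tampered.tar.gz: BAD signature, as expected"
fi
```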