
Re: Lintian clean?



On Mon, May 04, 2009 at 01:12:30PM -0700, Russ Allbery wrote:
> Patrick Matthäi <pmatthaei@debian.org> writes:
> > Russ Allbery schrieb:
> 
> >> Given that anyone can upload packages to mentors, this seems like a
> >> fairly worrisome security risk.
> 
> > Why that? It may be implemented as the current Debian buildd network.
> > OpenSuSE is also providing such a buildd service for their users, but
> > yeah, we need more buildd servers for that (if the pkgs should be
> > really built for every arch).
> 
> Builds are conventionally done as root under sbuild, and you can break
> out of chroots when you're root, thus enabling an attacker to upload a
> package that compromises the security of the buildd.

Agreed.  Since sbuild nowadays can use schroot for building, the root
access issue is mitigated somewhat since root is only used for installing
build-deps and such.  But the other issues you mentioned are still
potentially hazardous.  Previously you even had passwordless sudo access
from inside the chroot on some systems!

With the addition of copy-on-write chroots such as LVM snapshots and
(not released yet but nearly done) union filesystems, the attacker would
only have access to a transient filesystem which will be purged immediately
after the build.  Longer term, I'm also looking at integrating KVM
(and I guess qemu) support which would provide a complete scratch system
to avoid such issues.  But not all arches can support this, and the
attacker would still have user access to the build environment for the
duration of the build.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
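The two chroot set-ups Roger contrasts above, as an added example that is not part of the original mail or of the sbuild/schroot projects' own documentation: a persistent directory chroot of the kind an attacker could trojan across builds, beside a copy-on-write LVM snapshot chroot that is created for one session and destroyed afterwards, plus the union-filesystem variant in the form it took in later schroot releases. The chroot names, volume group, paths and the "buildadm" account are hypothetical; the key names follow schroot.conf(5) (the `profile=` key replaced the older `script-config=` in later versions), so check them against the schroot version you run.

```ini
# Added example, not from the original mail.  Key names per schroot.conf(5);
# names, paths and accounts below are hypothetical.

# Weak: a plain directory chroot that every build reuses.  sbuild is given
# root inside it to install build-dependencies, so a malicious package
# (hostile maintainer scripts in a build-dep, or debian/rules run as root)
# can modify the tree, and every later build inherits the modification.
[sid-amd64-persistent]
description=Debian sid amd64, persistent directory chroot (not for untrusted uploads)
type=directory
directory=/srv/chroot/sid-amd64
profile=sbuild
groups=sbuild
root-groups=sbuild

# Better: an LVM snapshot.  schroot takes a fresh copy-on-write snapshot of
# /dev/vg0/sid-amd64 when the session starts and removes it when the session
# ends, so whatever the build writes, as root or not, is discarded with it.
# Members of the sbuild group may only enter snapshots; only buildadm may
# enter the underlying source volume (e.g. to apt-get upgrade it).
[sid-amd64-sbuild]
description=Debian sid amd64, throwaway LVM snapshot per build
type=lvm-snapshot
device=/dev/vg0/sid-amd64
lvm-snapshot-options=--size 4G
profile=sbuild
groups=sbuild
root-groups=sbuild
source-root-users=buildadm

# Same idea without LVM: a union filesystem over a read-only directory.
# The base tree is never written to; per-session changes land in an
# overlay directory that schroot deletes at session end.
[sid-amd64-overlay]
description=Debian sid amd64, per-session overlay on a read-only base
type=directory
directory=/srv/chroot/sid-amd64
union-type=overlay
union-overlay-directory=/var/lib/schroot/union/overlay
union-underlay-directory=/var/lib/schroot/union/underlay
profile=sbuild
groups=sbuild
root-groups=sbuild
source-root-users=buildadm
```

The `root-groups=sbuild` line is still present in the snapshot and overlay stanzas: sbuild needs root to install build-dependencies, exactly as the mail says, so the gain is not removing root but confining it to a filesystem that does not outlive the build. What the snapshot does not address, also as the mail notes, is what the build can do as a user for its duration (network access, CPU and disk consumption, reading anything else visible inside the chroot); the KVM approach Roger mentions is what isolates that.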