[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: System integrity...



On Thu, Jun 17, 1999 at 01:49:30AM +0100, Julian Gilbey wrote:
> 
> Just a brief note about the thread there: if md5sums are included in
> packages, they will *only* be included for system integrity checks.
> They serve *no* useful security purpose.  Given this, the MD5 sums
> themselves should be adequate for the integrity tests.
> 
>    Julian
> 

Which is why I was considering a different approach.

I think we all realise that md5sums stored in packages are useless for
system security - for the following reasons

1) They are stored on the same computer as the files they are 'protecting'.
   If you can modify the files, you can also modify the summary to avoid
	detection.  Useless.  You might as well use tripwire and read only media.

2) Config files are not secured - as these are modified by the sysop _after_
   the md5sum is created.  Again, tripwire can help here.


So, the solution - use tripwire.  However there are problems with this two.

1) Tripwire is non-free (ok, we can work on this).

2) Using tripwire is a hasstle - particularily for people who are either
   simple users, or people managing a large number of not-so-critical
	machines.  You really need to have _physical_ access to move a tripwire
	database to read-only media, and the database requires updating after
	every system upgrade.  And I'm sure most people running unstable wouldn't
	keep up with that strict regime.



What I propose is to extend the security of Debian.  I do not propose an
"ultimate security solution", but simply a method to increase the security
debian offers to users.  The proposal is as follows:


  Each package can contain a DEBIAN/md5sums file.  This is normally saved
  into /var/lib/dpkg/info on the local machine.  What I propose is to
  instead extract this information during dinstall, and save is to a
  <package>-<version>.md5sums file, to live alongside the .deb on the debian
  ftp server.  (Alternatively, they could be collected into 1 file, like
  the package list).

  A version of debsums could then be implemented to connect to the debian
  server (or trusted mirror) and use these .md5sums files to verify the
  majority of the files on a system.  The debsums utility could also be
  moved to a boot disk, to guarantee secure operation given a potentially
  damaged machine.

Now, as I said, this is _not_ an ultimate solution.  It does not protect
transient files (conf files, kernel images, etc) - but it will allow easy
detection of modified binaries.  Of course, the security of ftp server (or
mirror) is still critical to this working - but the ftp server is likely
to be more secure, and if its hacked then were potentially stuffed anyway.

And now, before people tout "increased distribution size", on my machine
(a pretty typical machine with X, gnome, tex, development stuff, etc) there
are 342 .md5sums files

	debian:~$ ls /var/lib/dpkg/info/*.md5sums | wc -l
	    342

If I compress these summaries, and then find the total size, I get 739k.

	debian:~$ mkdir md5
	debian:~$ cp /var/lib/dpkg/info/*.md5sums md5/
	debian:~$ gzip md5/*
	debian:~$ du -kc md5/* | tail -1
	739       total

So on average, a summary for each package is 739/342 = 2K

For a distributions of 3,500 packages, this is 2*3500 = 7MB. 


Let me know your thoughts,


Chris


-- 
----------------------------------------------------------------------
       As a computer, I find your faith in technology amusing.
----------------------------------------------------------------------
Reply with subject 'request key' for PGP public key.  KeyID 0xA9E087D5

Attachment: pgp5ObWzi8qY4.pgp
Description: PGP signature


Reply to: