On Thu, Jun 17, 1999 at 01:49:30AM +0100, Julian Gilbey wrote:
> 
> Just a brief note about the thread there: if md5sums are included in
> packages, they will *only* be included for system integrity checks.
> They serve *no* useful security purpose. Given this, the MD5 sums
> themselves should be adequate for the integrity tests.
> 
> Julian
> 

Which is why I was considering a different approach.

I think we all realise that md5sums stored in packages are useless for system security - for the following reasons:

1) They are stored on the same computer as the files they are 'protecting'. If you can modify the files, you can also modify the summary to avoid detection. Useless. You might as well use tripwire and read-only media.

2) Config files are not secured - as these are modified by the sysop _after_ the md5sum is created. Again, tripwire can help here.

So, the solution - use tripwire. However, there are problems with this too.

1) Tripwire is non-free (ok, we can work on this).

2) Using tripwire is a hassle - particularly for people who are either simple users, or people managing a large number of not-so-critical machines. You really need to have _physical_ access to move a tripwire database to read-only media, and the database requires updating after every system upgrade. And I'm sure most people running unstable wouldn't keep up with that strict regime.

What I propose is to extend the security of Debian. I do not propose an "ultimate security solution", but simply a method to increase the security Debian offers to users.

The proposal is as follows:

Each package can contain a DEBIAN/md5sums file. This is normally saved into /var/lib/dpkg/info on the local machine. What I propose is to instead extract this information during dinstall, and save it to a <package>-<version>.md5sums file, to live alongside the .deb on the Debian ftp server. (Alternatively, they could be collected into 1 file, like the package list.)

A version of debsums could then be implemented to connect to the Debian server (or trusted mirror) and use these .md5sums files to verify the majority of the files on a system. The debsums utility could also be moved to a boot disk, to guarantee secure operation given a potentially damaged machine.

Now, as I said, this is _not_ an ultimate solution. It does not protect transient files (conf files, kernel images, etc) - but it will allow easy detection of modified binaries.

Of course, the security of the ftp server (or mirror) is still critical to this working - but the ftp server is likely to be more secure, and if it's hacked then we're potentially stuffed anyway.

And now, before people tout "increased distribution size", on my machine (a pretty typical machine with X, gnome, tex, development stuff, etc) there are 342 .md5sums files:

debian:~$ ls /var/lib/dpkg/info/*.md5sums | wc -l
342

If I compress these summaries, and then find the total size, I get 739k:

debian:~$ mkdir md5
debian:~$ cp /var/lib/dpkg/info/*.md5sums md5/
debian:~$ gzip md5/*
debian:~$ du -kc md5/* | tail -1
739     total

So on average, a summary for each package is 739/342 = 2K.

For a distribution of 3,500 packages, this is 2*3500 = 7MB.

Let me know your thoughts,

Chris

-- 
----------------------------------------------------------------------
As a computer, I find your faith in technology amusing.
----------------------------------------------------------------------
Reply with subject 'request key' for PGP public key. KeyID 0xA9E087D5
Attachment:
pgpwhdRJEkL6A.pgp
Description: PGP signature
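The check Chris proposes, as an added example that is not part of the original message and is not the debsums code: a small verifier that takes a package's md5sums list from outside the machine being checked (standing in for the copy fetched from the ftp server or a trusted mirror), compares each listed file under a root directory, and reports OK, FAILED or MISSING. Conffiles are reported separately rather than checked, matching the point that config files edited after packaging cannot be verified this way. The package name, file paths and file contents are constructed for the demonstration; the md5sums line format (32 hex digits, two spaces, path relative to /) is dpkg's.

```python
"""Verify installed files against a package's .md5sums list.

Added example, not the original debsums code. The reference list is
passed in from outside the checked tree, modelling the proposal that
it be fetched from the Debian server rather than read from
/var/lib/dpkg/info on the machine under test (where an intruder who
can alter binaries can alter the sums too).
"""
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse dpkg md5sums lines: '<32 hex>  <path relative to />'."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")
        if not sep or len(digest) != 32 or not path:
            raise ValueError(f"malformed md5sums line: {line!r}")
        entries[path] = digest.lower()
    return entries


def md5_of_file(path):
    """MD5 of a file on disk, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(entries, root, conffiles=()):
    """Return {relative path: status} for every entry in the reference list.

    Status is OK, FAILED (content differs), MISSING (file absent) or
    CONFFILE (skipped: the admin is expected to have edited it).
    """
    results = {}
    for rel, expected in sorted(entries.items()):
        if rel in conffiles:
            results[rel] = "CONFFILE"
            continue
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        elif md5_of_file(full) == expected:
            results[rel] = "OK"
        else:
            results[rel] = "FAILED"
    return results


# Constructed package contents for a hypothetical "hello" package.
PRISTINE = {
    "usr/bin/hello": b"#!/bin/sh\necho hello\n",
    "usr/bin/ls": b"ELF pristine ls\n",
    "etc/hello.conf": b"greeting=hello\n",
    "usr/share/doc/hello/copyright": b"GPL\n",
}
CONFFILES = ("etc/hello.conf",)


def build_reference(files):
    """Produce the md5sums text dinstall would extract from the pristine .deb."""
    return "".join(f"{hashlib.md5(data).hexdigest()}  {path}\n"
                   for path, data in files.items())


def demo():
    """Install a tampered copy of the package into a temp root and verify it."""
    reference = parse_md5sums(build_reference(PRISTINE))
    installed = dict(PRISTINE)
    installed["usr/bin/ls"] = b"ELF modified ls\n"        # altered binary
    installed["etc/hello.conf"] = b"greeting=hi\n"         # admin-edited conffile
    installed.pop("usr/share/doc/hello/copyright")         # file removed
    with tempfile.TemporaryDirectory() as root:
        for rel, data in installed.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return verify(reference, root, CONFFILES)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:8} {path}")
```

In use, `verify()` would be run from a boot disk against the mounted root of the suspect machine, with the md5sums text fetched from the ftp server or mirror rather than from the suspect filesystem; everything reported FAILED or MISSING is a candidate for reinstallation, while CONFFILE entries still need tripwire or manual review.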