On Thu, Jun 17, 1999 at 01:49:30AM +0100, Julian Gilbey wrote:
>
> Just a brief note about the thread there: if md5sums are included in
> packages, they will *only* be included for system integrity checks.
> They serve *no* useful security purpose. Given this, the MD5 sums
> themselves should be adequate for the integrity tests.
>
> Julian
>
Which is why I was considering a different approach.
I think we all realise that md5sums stored in packages are useless for
system security - for the following reasons
1) They are stored on the same computer as the files they are 'protecting'.
If you can modify the files, you can also modify the summary to avoid
detection. Useless. You might as well use tripwire and read only media.
2) Config files are not secured - as these are modified by the sysop _after_
the md5sum is created. Again, tripwire can help here.
So, the solution - use tripwire. However there are problems with this two.
1) Tripwire is non-free (ok, we can work on this).
2) Using tripwire is a hasstle - particularily for people who are either
simple users, or people managing a large number of not-so-critical
machines. You really need to have _physical_ access to move a tripwire
database to read-only media, and the database requires updating after
every system upgrade. And I'm sure most people running unstable wouldn't
keep up with that strict regime.
What I propose is to extend the security of Debian. I do not propose an
"ultimate security solution", but simply a method to increase the security
debian offers to users. The proposal is as follows:
Each package can contain a DEBIAN/md5sums file. This is normally saved
into /var/lib/dpkg/info on the local machine. What I propose is to
instead extract this information during dinstall, and save is to a
<package>-<version>.md5sums file, to live alongside the .deb on the debian
ftp server. (Alternatively, they could be collected into 1 file, like
the package list).
A version of debsums could then be implemented to connect to the debian
server (or trusted mirror) and use these .md5sums files to verify the
majority of the files on a system. The debsums utility could also be
moved to a boot disk, to guarantee secure operation given a potentially
damaged machine.
Now, as I said, this is _not_ an ultimate solution. It does not protect
transient files (conf files, kernel images, etc) - but it will allow easy
detection of modified binaries. Of course, the security of ftp server (or
mirror) is still critical to this working - but the ftp server is likely
to be more secure, and if its hacked then were potentially stuffed anyway.
And now, before people tout "increased distribution size", on my machine
(a pretty typical machine with X, gnome, tex, development stuff, etc) there
are 342 .md5sums files
debian:~$ ls /var/lib/dpkg/info/*.md5sums | wc -l
342
If I compress these summaries, and then find the total size, I get 739k.
debian:~$ mkdir md5
debian:~$ cp /var/lib/dpkg/info/*.md5sums md5/
debian:~$ gzip md5/*
debian:~$ du -kc md5/* | tail -1
739 total
So on average, a summary for each package is 739/342 = 2K
For a distributions of 3,500 packages, this is 2*3500 = 7MB.
Let me know your thoughts,
Chris
--
----------------------------------------------------------------------
As a computer, I find your faith in technology amusing.
----------------------------------------------------------------------
Reply with subject 'request key' for PGP public key. KeyID 0xA9E087D5
Attachment:
pgpwhdRJEkL6A.pgp
Description: PGP signature