
Re: proposed release goal: DEBIAN/md5sums for all packages



Javier Fernández-Sanguino Peña <jfs@computer.org> writes:

> On Fri, Aug 24, 2007 at 03:16:28PM +0200, Goswin von Brederlow wrote:
>> I fail to see any reason to HAVE a md5sums file.
>
> It looks like you have not read all the thread, others have made some
> good points as to why it's good. Just in case I'm going to voice my opinion
> here again and see if I can convince you (and others listening) :)

Which nearly all can be satisfied by generating the md5sum on install.

>> The md5sum file in /var/lib/dpkg/info/ (or wherever you put it on the
>> users system) is not protected and therefore useless as a security
>> device. Fetching a md5sum file you can trust means fetching (at least
>> partially) the deb and then you can just compare the files one by one.
>
> "Useless security device" is an overstatement here. One of security's
> fundamental cornerstones is 'integrity'.
>
> System integrity can be lost due to:
>
> - a person without a malicious intent accidentally or on purpose changes the
>   system, e.g. a novice admin that modified a script at /usr/bin installed by
>   a package or redirected his stderr to a file he shouldn't have after
>   mistyping a command.

Covered by generated md5sum files.
   
> - uncontrolled accidents or disasters, e.g. hard disk / memory corruption
>   in a system which makes it incorrectly write to disk a binary unpackaged
>   from a package.

Memory corruption between unpacking the files and md5suming them could
cause bad binaries with bad matching md5sums to be written with
generated md5sum fields. But bad memory will have tons of effects and
cause failures when matching md5sums too. Md5sums in debs aren't a
memory tester so I don't quite care. Other corruptions won't affect
md5sum generation on install so they are covered there too.

> - somebody with malicious intent, e.g. an unauthorised user that elevates
>   privileges and installs a trojan

A malicious attacker would modify the md5sum files too making them
useless as detection method. Unless he/she is stupid.

> I do agree that the last case is probably only handled well with a signed
> hash database in a read only media (the Debian Security Manual gives some
> examples) but the two others can be served quite well just by including
> md5sum files in packages. 
>
> So, md5sums *do* serve a security purpose even if they are not able to
> stop a determined cracker from violating the system's integrity in a way we
> cannot detect it.

Signed they would truly help.

And they should also contain checksums for the other files in
control.tar.gz. An intelligent hacker would just modify the pre/postrm
script of a package to open some backdoor the next time the package is
updated.

Also a md5sum service online would be useful for this
too. E.g. packages.d.o could have a link to the md5sum file for each
package so you could fetch them on a clean machine and then compare
the files on the filesystem. Those md5sum files could be generated.
This time not during the users install time but during DAK install
time.

MfG
        Goswin
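The scenario argued over above, as an added example that is not part of the thread and not dpkg's or debsums' own code: it writes a manifest in the same format dpkg uses for DEBIAN/md5sums (32 hex digits, two spaces, path relative to /), verifies a tree against it, and then walks through the three cases discussed: an accidental or naive change to a file, an attacker who also regenerates the md5sums, and a manifest whose authenticity is anchored outside the host. The package tree, its contents, and the "offline-signing-key" are constructed for the example; the HMAC over the manifest stands in for a real signature made on a clean machine and is an assumption of this example, not something the thread proposes in that form.

```python
import hashlib
import hmac
import os
import shutil
import tempfile


def md5_file(path):
    """MD5 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_md5sums(root):
    """Walk root and return text in dpkg's DEBIAN/md5sums format:
    one '<md5>  <path relative to root>' line per file, in a stable order.
    This is what "generating the md5sums on install" amounts to."""
    lines = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            lines.append(f"{md5_file(full)}  {os.path.relpath(full, root)}")
    return "\n".join(lines) + "\n"


def parse_md5sums(text):
    """Parse md5sums text into {relative path: hex digest}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.partition("  ")
        entries[rel] = digest
    return entries


def check_md5sums(root, manifest_text):
    """Compare the tree under root with the manifest.
    Returns {relative path: 'OK' | 'FAILED' | 'MISSING'}."""
    results = {}
    for rel, expected in parse_md5sums(manifest_text).items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            results[rel] = "MISSING"
        elif md5_file(full) != expected:
            results[rel] = "FAILED"
        else:
            results[rel] = "OK"
    return results


def sign_manifest(manifest_text, key):
    """Authenticate the manifest with a key that never lives on the checked
    host (assumption: a stand-in for a signed hash database on read-only media)."""
    return hmac.new(key, manifest_text.encode(), hashlib.sha256).hexdigest()


def verify_signature(manifest_text, key, tag):
    return hmac.compare_digest(sign_manifest(manifest_text, key), tag)


def tamper_demo():
    """Constructed scenario: unpack a fake package, record md5sums, then let
    a trojan overwrite a binary, with and without regenerating md5sums."""
    root = tempfile.mkdtemp()
    try:
        files = {  # constructed package contents, not a real package
            "usr/bin/foo": b"#!/bin/sh\necho hello\n",
            "usr/share/doc/foo/README": b"foo 1.0\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        key = b"offline-signing-key"  # assumption: held on the clean machine only
        manifest = generate_md5sums(root)
        tag = sign_manifest(manifest, key)
        clean = check_md5sums(root, manifest)

        # Case 1: the binary is changed but md5sums is left alone (novice
        # admin, disk corruption, or a careless attacker): detected.
        with open(os.path.join(root, "usr/bin/foo"), "wb") as f:
            f.write(b"#!/bin/sh\n# trojaned\n")
        naive = check_md5sums(root, manifest)

        # Case 2: the attacker regenerates md5sums as well: the local check
        # passes, and only the out-of-band signature still catches it.
        forged = generate_md5sums(root)
        regenerated = check_md5sums(root, forged)
        return {
            "clean": clean["usr/bin/foo"],
            "naive_tamper": naive["usr/bin/foo"],
            "regenerated_tamper": regenerated["usr/bin/foo"],
            "signature_still_valid": verify_signature(forged, key, tag),
        }
    finally:
        shutil.rmtree(root)
```

Run tamper_demo() to see the three outcomes side by side: a manifest generated on the host catches the first case, the regenerated manifest passes check_md5sums, and only verify_signature with the off-host key fails on it. The same manifest format can list the maintainer scripts (preinst, postrm and friends) alongside the payload, which is the gap pointed out above for a hacker who edits a maintainer script and waits for the next upgrade.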
