Changeset 2868
- Timestamp:
- Jan 9, 2010, 12:36:45 PM (15 years ago)
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/packages/invirt-dev/README.invirtibuilder
r2858 r2868 290 290 way is deemed useful by the developers. 291 291 292 Security 293 ======== 294 295 As noted above, our intent was for a single instance of the 296 Invirtibuilder to be used for both our trusted production environment 297 and our untrusted development environment. In order to be trusted for 298 the production environment, the Invirtibuilder needs to run in the 299 production environment as well. However, it would be disasterous if 300 access to the development environment allowed a developer to insert 301 malicious packages into the production apt repository. 302 303 In terms of policy, we enforce this distinction using the remctl ACL 304 mechanism described in `The Build Queue`_. But is that mechanism on 305 its own actually secure? 306 307 Only mostly, it turns out. 308 309 While actual package builds run unprivileged (with the help of the 310 fakeroot_ tool), packages can declare arbitrary build dependencies 311 that must be installed for the package build to run. Packages' 312 maintainer scripts (post-install, pre-install, pre-removal, and 313 post-removal scripts) run as root. This means that by uploading a 314 malicious package that another package build-depends on, then 315 triggering a build of the second package, it is possible to gain root 316 privileges. Since breaking out of the build chroot as root is trivial 317 [#], it is theoretically possible for developers with any level of 318 access to the APT repositories to root the build server. 319 320 One minor protection from this problem is the Invirtibuilder's 321 reporting mechanism. A single independent malicious build can't 322 compromise the build server on its own. Even if a second build 323 compromises the build server, the first build will have already been 324 reported through the hook mechanism described in `Build Failures`_. We 325 encourage users of the Invirtibuilder to include hooks that send 326 notifications of builds over e-mail or some other mechanism such that 327 there are off-site records. The server will still be compromised, but 328 there will be an audit trail. 329 330 Such a vulnerability will always be a concern so long as builds are 331 isolated using chroots. It is possible to protect against this sort of 332 attack by strengthening the chroot mechanism (e.g. with grsecurity_) 333 or by using a more isolated build mechanism 334 (e.g. qemubuilder_). However, we decided that the security risk didn't 335 justify the additional implementation effort or runtime overhead. 336 292 337 .. _config-package-dev: http://debathena.mit.edu/config-packages 338 .. _fakeroot: http://fakeroot.alioth.debian.org/ 293 339 .. _git-buildpackage: https://honk.sigxcpu.org/piki/projects/git-buildpackage/ 340 .. _grsecurity: http://www.grsecurity.net/ 294 341 .. _Invirt: http://invirt.mit.edu 342 .. _qemubuilder: http://wiki.debian.org/qemubuilder 295 343 .. _remctl: http://www.eyrie.org/~eagle/software/remctl/ 296 344 .. _SIPB: http://sipb.mit.edu … … 306 354 create new tags for builds on pockets with 307 355 ``allow_backtracking`` set to ``True`` either. 356 .. [#] http://kerneltrap.org/Linux/Abusing_chroot
Note: See TracChangeset
for help on using the changeset viewer.