security projects thoughts

Arno Hautala arno at alum.wpi.edu
Mon Apr 18 06:27:56 PDT 2011


On Mon, Apr 18, 2011 at 08:27, Jeff Johnson <n3npq at mac.com> wrote:
>
> You are assuming a threat vector reasoning that starts:
>        0) assume sudo is "infected" maliciously.
>        ...
>        42) anything is possible, including other pkgs infected and distributed.
>
> The answer there is not using a possibly infected sudo in the build system.

You may as well just say, "don't use a possibly compromised system",
or in other words, "don't use a system".
The example given isn't "assume sudo is infected", but "assume sudo
could become infected. How can that be mitigated?"

>> I've not been over the MacPorts sources in a long time, I'm just realizing how easy it would have been for any of the hackers around me during my studies to completely own any of my Mac laptops back then. Them and the bloody sysadmins.
>
> Presumably you already "own" ... "any of my Mac Laptops" ... by definition.

Ah, common mis-spelling. He meant "0wn".


> It's your trust decision: The corollary to your stated constraint "network operator should ... not be allowed to inject code"
> is either
>        Turn off your network.
> or
>        Don't use MacPorts.

Then why do we have things like SSL, GPG, and passwords in general?
They're there to enhance the security of an insecure channel and
authenticate the client and server. Of course there are still ways to
compromise the system (forge an SSL certificate, log a password,
etc.). You can't protect against everything, but you can take steps to
get better.

> Correct: MacPorts contains sudo which is built and installed *AS ROOT*
> just like every other package.

So let's say you're for some reason using the MacPorts sudo instead of
the system shipped version (maybe the system version is out of date
and insecure). You're updating your ports at a cafe and someone spoofs
the update for the sudo port. With signed portfiles and packages they
can't [1]. With the current scheme, they can spoof the portfile and
replace the package source and hash.

[1] Or at least they'd have to spoof the initial MacPorts
installation, but at least signed packages and portfiles have shut
down some exploit avenues.

-- 
arno  s  hautala    /-|   arno at alum.wpi.edu

pgp b2c9d448
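The cafe scenario above, as an added example that is not part of the original thread and not MacPorts' own code. It uses a constructed, trimmed-down stand-in for a Portfile (three lines: name, distfile, sha256 checksum), a constructed distfile, and a hypothetical Ed25519 signing key whose public half is assumed to have been shipped with the initial MacPorts install. The unsigned check mirrors the scheme the post describes (trust the hash in the fetched Portfile); the signed check verifies the Portfile bytes against the pinned key before trusting the hash. A network attacker who rewrites the distfile and the checksum together fools the first but not the second.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Portfile is a constructed stand-in for a MacPorts Portfile, not the real
// format: it names one distfile and the sha256 the client expects it to have.
type Portfile struct {
	Name, Distfile, SHA256 string
}

// Render produces the bytes that would travel over the (untrusted) network.
func (p Portfile) Render() []byte {
	return []byte(fmt.Sprintf("name %s\ndistfile %s\nchecksums sha256 %s\n",
		p.Name, p.Distfile, p.SHA256))
}

// Parse reads Render's line format back into a Portfile, rejecting anything else.
func Parse(b []byte) (Portfile, error) {
	var p Portfile
	for _, line := range strings.Split(strings.TrimSpace(string(b)), "\n") {
		f := strings.Fields(line)
		switch {
		case len(f) == 2 && f[0] == "name":
			p.Name = f[1]
		case len(f) == 2 && f[0] == "distfile":
			p.Distfile = f[1]
		case len(f) == 3 && f[0] == "checksums" && f[1] == "sha256":
			p.SHA256 = f[2]
		default:
			return p, fmt.Errorf("unrecognised Portfile line %q", line)
		}
	}
	if p.Name == "" || p.Distfile == "" || p.SHA256 == "" {
		return p, fmt.Errorf("incomplete Portfile")
	}
	return p, nil
}

func sha256hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// VerifyChecksum is the unsigned scheme: the checksum comes from the same
// network fetch as the distfile, so it only proves the two are consistent.
func VerifyChecksum(portfile, distfile []byte) bool {
	p, err := Parse(portfile)
	return err == nil && p.SHA256 == sha256hex(distfile)
}

// VerifySigned is the signed scheme: the Portfile bytes must carry a valid
// signature from a key pinned at install time before its checksum is trusted.
func VerifySigned(pub ed25519.PublicKey, portfile, sig, distfile []byte) bool {
	return ed25519.Verify(pub, portfile, sig) && VerifyChecksum(portfile, distfile)
}

// CafeAttacker models the network MITM: swap in a payload and rewrite the
// Portfile's checksum to match. Without the signing key it cannot re-sign.
func CafeAttacker(portfile, payload []byte) ([]byte, []byte, error) {
	p, err := Parse(portfile)
	if err != nil {
		return nil, nil, err
	}
	p.SHA256 = sha256hex(payload)
	return p.Render(), payload, nil
}

// Demo returns (genuine accepted, unsigned scheme fooled, signed scheme caught).
func Demo() (bool, bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // hypothetical project key
	if err != nil {
		return false, false, false, err
	}
	dist := []byte("constructed sudo tarball contents")
	pf := Portfile{Name: "sudo", Distfile: "sudo.tar.gz", SHA256: sha256hex(dist)}.Render()
	sig := ed25519.Sign(priv, pf) // signed once by the distribution, not on the client

	evilPf, evilDist, err := CafeAttacker(pf, []byte("constructed backdoored sudo"))
	if err != nil {
		return false, false, false, err
	}
	genuine := VerifySigned(pub, pf, sig, dist)
	fooled := VerifyChecksum(evilPf, evilDist)
	caught := !VerifySigned(pub, evilPf, sig, evilDist)
	return genuine, fooled, caught, nil
}

func main() {
	genuine, fooled, caught, err := Demo()
	fmt.Println("genuine accepted:", genuine, "unsigned fooled:", fooled, "signed caught:", caught, err)
}
```

The remaining gap is the one footnote [1] names: the public key is only as trustworthy as the channel the initial install came over, so the signed scheme moves the attack from "every update at every cafe" to "the one-time install", which is the point of the post.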

