# are gentoo machines more likely to be hacked?

## rajiv

while i sit here waiting for my slow powermac 6400 to finish an 'emerge -u world' i can't help but wonder if gentoo machines are more likely to be hacked if a known exploit comes out.

consider this scenario: there is a remote hole in some package. an exploit and the source code for the fix are released to everyone at the same time. binary distribution users wait for their distribution owners or someone else to compile the fix and release a binary package. they download the package and install.

however, gentoo users have to download the fix and then compile it themselves, then install. now if you're a gentoo user with a modern (read: fast) machine, you'll be patched in about the same time as a binary distribution user. but if your gentoo machine is old (read: slow) it could be a while before you have the patch installed.

so unless gentoo users are running faster machines than binary distribution users, more gentoo machines will be exploitable for a longer period of time.

thoughts?

----------

## rac

Shut down the vulnerable server process during the recompilation.

----------

## delta407

 *rac wrote:*   

> Shut down the vulnerable server process during the recompilation.

 

It's almost too simple.

----------

## pjp

Also consider how quickly you usually know about the announcements and fixes.  I personally never happen to be using my computer when they come out.  I check my mail and see GLSA's.  Chances are it isn't that huge a risk.  Anyone in a server environment is likely to have a fast enough machine to do this, or another machine to compile on, then distribute.

----------

## nitro322

My view on this is that you're much more likely to NOT be hacked if you're running Gentoo.  Think about it - the entire distribution is already source based, so when a new version of a program is released (most likely as source code), you'll be ready to update almost right away.  Assuming Gentoo developers are on top of things (and they seem to be doing a great job of that), they'll have a new ebuild for the package a very short time after it's been fixed, and you can instantly upgrade.  Pre-packaged distributions such as RedHat, on the other hand, often take quite a while to be updated.  Even if the vulnerability is leaked and exploit code is made available before vendors have a chance to patch the problem, they'll still be slow to release an updated package because packaging and testing on multiple systems simply takes a lot longer than working directly with the source.  My $.02, anyway.

----------

## zerogeny

is my apple more easily hacked than a lemon?

----------

## IdBuRnS

 *zerogeny wrote:*   

> is my apple more easily hacked than a lemon?

 

lol

----------

## dioxmat

first, the binary package will usually come after the patch, so chances are you had the patch and compiled your fixed version before the binary package is actually released.

anyway, most hackers know before the patch is released that there is a vulnerability... and you could take a binary package while recompiling :) (or, just like rac pointed out, shut down the process)

----------

## fmalabre

In terms of package versions, Gentoo seems the most up to date I've ever seen.

----------

## Nitro

I think that Gentoo would be the first Distro to give you the chance to upgrade. I've used LFS, Slack, RH, and MDK.  Gentoo never gave me a chance to try Debian or SUSE, but I figure I'm not missing anything.

There are always Gentoo developers on IRC and all well up to date with vulnerabilities as they are probably subscribed to an array of mailing lists, so, they talk, fix the ebuild, and commit it.  At very most, you will have to wait half an hour to get an updated ebuild after it has been committed to CVS (Rsync mirror updates run every half an hour on the hour).  And if you need it ASAP, you can grab it off gentoo.org's CVS viewer.  So, the initial solution is released faster, you could even edit the ebuild manually.  A GLSA is released later after the vulnerability has received attention and the developers are positive they have the bug covered.

Now, you raised an interesting argument about compiling.  As long as you are up to date as well, you can start compiling probably before the binary distro gets the RPM or whatever on the mirrors.  Even a 2 year old machine at, say, about 500MHz would take at most 30 mins to compile something big such as MySQL.

I guess I don't have solid examples, but with my involvement with Gentoo and my understanding of the community built around it, I would say a Gentoo box could be secured much sooner than a binary one.

My 2 cents.

----------

## fmalabre

I think you're absolutely right about the community around Gentoo...

This helps a lot in having very recent packages.

However, this may not last forever. I have already seen similar communities which were first very active, and then moved on to something else (I'm thinking about Slackware).

----------

## Nitro

 *fmalabre wrote:*   

> However, this may not last forever. I have already seen similar communities which were first very active, and then moved on to something else (I'm thinking about Slackware).

 

Debian has a strong community now as well.  Slackware happened before I got involved with Linux much, and I guess they lost corporate funding. Not sure, anyone prove me wrong/right?

----------

## sschlueter

 *rajiv wrote:*   

> so unless gentoo users are running faster machines than binary distribution users, more gentoo machines will be exploitable for a longer period of time.
> 
> thoughts?
> ...

 

It is far more complicated than that.

First of all, the time lag between announcement of the bug (and hopefully announcement of the patch) and the availability of updated packages varies.

To monitor vulnerability reports, subscribe to the bugtraq mailing list or read the archive at: http://online.securityfocus.com/archive/1

Summary of vulnerabilities: http://online.securityfocus.com/bid

http://www.kb.cert.org/vuls

You can now compare the vulnerabilities with the availability of patches from various "vendors": http://www.suse.de/de/security/index.html

http://rhn.redhat.com/errata/rh73-errata-security.html

http://www.mandrakelinux.com/en/security/mdk-updates.php3?dis=8.2

http://www.debian.org/security/

Usually, you can also subscribe to vendor specific security announcement mailing lists which may be a little faster than the web archives.

Of course, you can also monitor the main home pages of the software packages: http://www.openssh.org

http://openssl.org

http://www.apache.org

...

Apart from the difference in response times, you may also notice that for some vulnerabilities, some vendors completely lack the required updated packages.

Note that most vendors have a different approach than Gentoo. While Gentoo is a "cutting edge" distro and the portage tree is constantly changing, it's easy for us to always run the newest versions of all packages, including but not limited to those that have had security vulnerabilities in the past. Other linux distros usually have a fixed set of packages for each release that are tested to interact with no problems. For stability reasons, they want to make only minimal changes to the packages when they need to be updated and therefore, they often incorporate the patch into the release-package rather than simply supplying a new version of the package that may contain other changes besides the security fixes. An example: There were vulnerabilities found in the openssl-libraries. OpenSSL 0.9.6e fixes these problems. The Gentoo portage tree contains this version. SuSE patched an older version and the updated package is called: openssl-0.9.6c-78.i386.rpm

On the other hand, the updated packages are usually pgp-signed, or the advisories containing the filenames and md5 checksums are pgp-signed. The Gentoo portage system doesn't check pgp signatures.

On the other hand, even if the package is pgp-signed, you have to trust the person that created the rpm.

An important factor hasn't been mentioned yet: Many people, newbies in particular, don't patch their systems. This is especially dangerous when there are networking services running in the background that may lead to a remote root compromise of the machine. So I think, the right direction is: "secure by default".  In this respect, Gentoo is ultra secure because it starts with 0 services after the initial 3 installation steps and even if services are emerged, they don't start automatically during the boot process unless you add them using rc-update add foo default.

----------

## zentek

Yep gentoo is mostly one of the best distros.

Cutting edge ( chance to be vulnerable to old exploits is quite null )

Active community and fast update 

Secure by default ( openBSD can be jealous !!! )

I'll pay 50$ to the first guys to hack a default install of gentoo remotely !!

and on top of it gentoo is easy to manage

----------

## delta407

 *zentek wrote:*   

> I'll pay 50$ to the first guys to hack a default install of gentoo remotely !!

 

The "default install" doesn't set a root password, so that won't be too hard.

----------

## fmalabre

You forgot "remote" I believe...

----------

## sschlueter

 *delta407 wrote:*   

> The "default install" doesn't set a root password, so that won't be too hard. 

 

It would be impossible, since there are no services running.

----------

## delta407

 *sschlueter wrote:*   

>  *delta407 wrote:*   
> > The "default install" doesn't set a root password, so that won't be too hard.
> 
> It would be impossible, since there are no services running.

 

Untrue. Many things start on bootup in the default install. Granted, IIRC none of them take logon credentials, but if the user had (say) told sshd to start automatically, say goodbye to your system.

----------

## kirill

Okay the sshd is running, the root passwd is empty...

```
/etc/ssh/sshd_config:

#PermitEmptyPasswords no
```

I suppose it wouldn't let you in?

and again, if you had a user added before first reboot, you should have added it to the 'wheel' group to 'su -', which isn't so default.

So the default gentoo installs aren't THAT unsecure after all?

----------

## rajiv

 *sschlueter wrote:*   

> Other linux distros usually have a fixed set of packages for each release that are tested to interact with no problems. For stability reasons, they want to make only minimal changes to the packages when they need to be updated and therefore, they often incorporate the patch into the release-package rather than simply supplying a new version of the package that may contain other changes besides the security fixes. An example: There were vulnerabilities found in the openssl-libraries. OpenSSL 0.9.6e fixes these problems. The Gentoo portage tree contains this version. SuSE patched an older version and the updated package is called: openssl-0.9.6c-78.i386.rpm

 

RedHat's lack of rpms of openssh 3.4 (with priv sep) for 7.2 is one of the reasons i'm trying out gentoo.

i guess that shutting down the affected process while the compile is going on a slow machine is acceptable.

----------

## rac

 *rajiv wrote:*   

> i guess that shutting down the affected process while the compile is going on a slow machine is acceptable.

 

Another option, especially useful if you have a giant farm of suddenly vulnerable machines, is to temporarily firewall affected ports while you address the situation.

----------

## dioxmat

 *sschlueter wrote:*   

> On the other hand, the updated packages are usually pgp-signed, or the advisories containing the filenames and md5 checksums are pgp-signed. The Gentoo portage system doesn't check pgp signatures.
> 
> On the other hand, even if the package is pgp-signed, you have to trust the person that created the rpm :-)
> ...

 

I'm raising another issue that is probably off-topic for this thread, but never mind.

Gentoo only does md5 checks. I don't think this is enough. Since gentoo developers check the packages they include in the portage tree, they are able to make gpg/pgp signatures for those packages. I think gentoo needs that. There are lots of mirrors, lots of packages, the fact that there is no signature check is quite dangerous. Look at irssi (gentoo not affected since it was the .tar.gz and not the .tar.bz2 which was backdoored), openssl, bitchx, etc, etc. Of course signing won't change the fact that some packages may contain backdoors in the original version, but at least if someone hacks a mirror, or something like that, we will be safe.

----------

## sschlueter

 *delta407 wrote:*   

>  *sschlueter wrote:*   
> >  *delta407 wrote:*   
> > > The "default install" doesn't set a root password, so that won't be too hard.
> > 
> > It would be impossible, since there are no services running.
> 
> ...

 

I was referring to inet listening sockets. As far as I remember, there were none after the default install, not even sshd.

----------

## Nitro

 *dioxmat wrote:*   

>  *sschlueter wrote:*   
> > On the other hand, the updated packages are usually pgp-signed, or the advisories containing the filenames and md5 checksums are pgp-signed. The Gentoo portage system doesn't check pgp signatures.
> > 
> > On the other hand, even if the package is pgp-signed, you have to trust the person that created the rpm 
> 
> ...

 

This exact topic is being discussed on the mailing-lists.  Check out http://lists.gentoo.org/pipermail/gentoo-dev/2002-August/014063.html

----------

## n0n

What I'd be more wary of, personally, and this is a problem with any system that downloads components automatically, is having one of the mirrors hacked or whatever, and then downloading corrupt md5s, etc, and then getting trojaned source packages.  Obviously this kind of thing would also affect Debian users (apt-get), evidently the BSDs (with their ports system), in addition to Gentoo.  Granted, you'd probably have to be somewhat crafty to do it (will the user get the md5 and the source package from the same server?), but I suppose it could theoretically be done.

As to the actual question at hand, I doubt that would come into play much.

----------

## fmalabre

I understand we need mirrors to handle the traffic.

Now, could we have one main trusted source for md5 only, no mirrors, and all the packages on mirrors?

Then, you download your package, and you download the valid md5 from the trusted server, if they match, you keep going, otherwise the mirror has probably been changed.

Does my statement seem valid?

----------

## Cid Highwind

That's a good start, but it still leaves us open to a DNS-hijacking or a man-in-the-middle attack.  A 133t h4x0r who managed to compromise a DNS server could set up a fake gentoo-md5sum server and pass bad checksums to anyone using that DNS.  

I think it would be better to have the developers use GPG to sign ebuilds.  That would require an attacker to get a gentoo core developer's private key to contaminate the portage tree.  Hopefully they would be smart enough to keep the keys on a floppy disk, and not have it mounted unless they are signing something.

----------

## fmalabre

Well, do you ever check who signed the package?

Personally I don't, if it comes from Bob or from Jim, it's the same thing for me.

I could not be sure this is a trusted guy...

----------

## Roderik

i personally think this is kinda a moot point.

in my opinion there are 3 kinds of people running linux

the professionals, who use linux as server for critical functions, these people will (and again i only speak of what i see in my environment) shy from using gentoo as distro. They'll stick to debian or red hat. Both distros have security and stability as a topmost priority and have a "good" and long standing reputation.

the active linux home user, like most of the users that try gentoo. They choose gentoo due to the bleeding edge, completely optimised system. The "difficulty" of installing gentoo raises the bar of skill one must have to even get started. These users will be able to keep apprised of security flaws and won't (for the most part) lose money or vital information if some hacker should decide to hack your home computer, which is according to me a low risk since no self respecting hacker will lower himself to attack a normal internet/linux user, unless of course you pissed him off.  That leaves the script kiddies as "hacker group" and the tools to scan/use the vulnerabilities are slower than the release of new ebuilds by gentoo

finally there's the n00b linux user group, people with little or no experience who stumble into gentoo and get it running. They for sure won't be running critical things and can only learn from a good hacking.

so imho there's really no need for added signing of packages except that we might feel a little more secure about ourselves.

Of course if gentoo would ever rise as a recognised server distro for the first group, there have to be some changes

first they have to split the distro in a cutting edge version and a stable one (cfr debian). You can't expect a business critical server to upgrade every few days cause someone found another bug in the ebuild.

secondly, if there should be an update in some package there has to be detailed and complete documentation as to why there is one and what is changed

signing of the packages is also necessary but only if there is a recognised and limited group of people who can sign, that would mean that while the cutting edge is maintained by whoever finds it in his heart to help (everybody could be an evil hacker placing some backdoor in the packages), the stable version has to be maintained by only a few. 

i thought i had some other points but they escape me at the moment. if i remember i'll be back

----------

## rac

 *fmalabre wrote:*   

> Well, do you ever check who signed the package?
> 
> Personally I don't, if it comes from Bob or from Jim, it's the same thing for me.
> 
> I could not be sure this is a trusted guy...

 

I'm not sure I fully understand what you're saying, but the point of the web of trust is that you don't have to know Bob or Jim - you just have to know and trust the Gentoo Developer Uber-key, which presumably will be used to sign all the copies of the developer public keys in the Gentoo keyring.  GPG will then distinguish between keys signed by the trusted Gentoo Developer key, and those that aren't.

----------

## fmalabre

Ok, got it.

I thought some packages were made by people other than gentoo developers.

If there is only one trusted Gentoo Developers key, that would work.

Now, you suppose the ebuild script will check the pgp key, so we're back to the original problem, what about a third man who can change the content of the script?

Unless everybody starts to check the key for every installed package, but that seems difficult to do...

About Gentoo on the server side, I think Gentoo is ambitious enough to reach it once it has a history (maybe in one year...)

----------

## rac

 *fmalabre wrote:*   

> I thought some packages were made by people other than gentoo developers.
> 
> If there is only one trusted Gentoo Developers key, that would work.

 

Just to clarify, everybody that submits ebuilds would be required to have a registered public key, and somebody in the Gentoo Developers web of trust has to sign their key in the official keyring.  If that isn't possible, whoever actually commits your ebuild and takes responsibility for it can sign it.  It is not the case that everybody signing ebuilds has to sign them with the uber-key.

 *Quote:*   

> Now, you suppose the ebuild script will check the pgp key, so we're back to the original problem, what about a third man who can change the content of the script?

 

If by "the script" you mean the ebuild, if the ebuilds themselves are digitally signed, they cannot be tampered with without causing the signature to fail verification.  Presumably portage would be modified to check these signatures, much like it verifies md5sums of downloaded sources now, so there shouldn't be any additional burden on users.

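To make dioxmat's and rac's point concrete (an added example, not code from this thread or from portage), the constructed scenario below has a compromised mirror swap a tarball and rewrite the digest it serves: the digest-only check still passes, while a Manifest signed with a developer key fails verification because the mirror cannot re-sign it. Ed25519 is an assumption standing in for GPG, and the file contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Manifest is a one-entry stand-in for the digest record portage checks a
// downloaded distfile against (MD5 only, as the thread describes).
type Manifest struct {
	Filename string
	Digest   string // hex MD5 of the tarball
}

// Mirror is a constructed distfile mirror serving a tarball, the Manifest that
// describes it and (optionally) a developer signature over that Manifest.
type Mirror struct {
	Tarball  []byte
	Manifest Manifest
	Sig      []byte
}

func manifestLine(m Manifest) []byte {
	return []byte("MD5 " + m.Digest + " " + m.Filename)
}

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// md5Only is the digest-only check: the Manifest comes from the same mirror as
// the tarball, so whoever controls the mirror also controls the expected digest.
func md5Only(m Mirror) bool {
	return md5Hex(m.Tarball) == m.Manifest.Digest
}

// signedCheck first verifies the developer's signature over the Manifest line
// and only then trusts the digest it carries.
func signedCheck(m Mirror, devPub ed25519.PublicKey) bool {
	if !ed25519.Verify(devPub, manifestLine(m.Manifest), m.Sig) {
		return false
	}
	return md5Only(m)
}

// Scenario builds an honest mirror and a compromised one whose operator swapped
// the tarball and rewrote the digest to match (constructed sample data).
func Scenario() (honest, tampered Mirror, devPub ed25519.PublicKey) {
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const name = "openssl-0.9.6e.tar.gz"
	good := []byte("constructed: genuine " + name + " contents")
	honest = Mirror{Tarball: good, Manifest: Manifest{name, md5Hex(good)}}
	honest.Sig = ed25519.Sign(devPriv, manifestLine(honest.Manifest))

	bad := []byte("constructed: trojaned " + name + " contents")
	tampered = Mirror{Tarball: bad, Manifest: Manifest{name, md5Hex(bad)}}
	tampered.Sig = honest.Sig // without the private key, only the old signature can be replayed
	return honest, tampered, devPub
}

func main() {
	honest, tampered, pub := Scenario()
	fmt.Println("md5-only: honest", md5Only(honest), "tampered", md5Only(tampered))
	fmt.Println("signed:   honest", signedCheck(honest, pub), "tampered", signedCheck(tampered, pub))
}
```

This also answers n0n's question above: when digest and source come from the same server, the digest adds nothing against a hostile mirror; only a signature the mirror cannot produce does.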
----------

## fmalabre

Ok, thanks for the explanation.

----------

## Messiah

 *Roderik wrote:*   

> in my opinion there are 3 kinds of people running linux
> 
> the professionals, who use linux as server for critical functions, these people will (and again i only speak of what i see in my environment) shy from using gentoo as distro. They'll stick to debian or red hat. Both distros have security and stability as a topmost priority and have a "good" and long standing reputation.
> ...

 

I myself can count myself as a linux professional, because I set up servers using linux, and I live from the money we make from our customers who are using our linux servers. I hope I do fit in this profile you just drew. And I do not agree with you. We want to provide our customers a lot of flexibility, but we always want to be up-to-date with our software. Not only to have a system that is full with cutting-edge software, but also for security reasons.

We have used (and are still using) Red Hat and Mandrake Linux on our servers. Our last server is Gentoo, and I have to say that I am so glad to try Gentoo out on our servers. This has a lot of reasons:

- Our customers do have the possibility to use the newest software available

- The maintenance (especially software-updates) is simpler than on any other distro I ever used

- I have learned a lot more about security

- I can say that momentarily our Gentoo box is the most secure server we are running

My last point could also indicate that my knowledge of the other distros is far less than Gentoo, but I have been running Red Hat since 5.0 and Mandrake since 7.0. And Gentoo is for me just 3 months.

So I do care about security in Gentoo.

PS I could be alone in this one but hey, I think everyone does feel better with a system that's more secure than yesterday

PS2 from now on all our servers will be Gentoo, I even set up a test server just to test some things before implementing on production-servers

----------

