Re: PPA security (was: Debian mirrors and MITM)
On May 30, 2014, at 2:41 PM, W. Martin Borgert wrote:

> Quoting Jeremie Marguerie jere...@marguerie.org:
>> Thanks for bringing that issue! I feel the same way when I install a packet from a non-official PPA.
>
> Unfortunately, every package can do anything: pre-inst, post-inst, pre-rm, post-rm run as root. If you don't trust a PPA the same way you trust your OS vendor (Debian, Ubuntu or whoever), install only in a VM or a container (not sure whether a docker container is considered safe enough, but chroot is not sufficient). Alternatively, download the package, unpack it, remove maintainer scripts or check them carefully, check for s-bits on binaries etc., repack it and install. I'm probably missing more checks here.
>
> While it would be nice to have sth. like less trusted sources and allow their packages only certain kinds of install/de-install operations (i.e. no maintainer scripts) etc., it's hard to get right and a broken solution would put users at risk.

This could be approached another way. There could be scripts in the packaging tools that mark a package if it does not run anything in any of the scripts that does not come from the packaging tools. I think many, many packages would qualify here; most packages do not touch the pre/post scripts, so the ones that are included are generated by debhelper or whatever. Then you could see whether a package is requesting to run its own scripts as root, and make the call there. A package that does not add anything to those scripts would be pretty safe to install, at least.

.hc

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/9145da3f-12d4-42fc-80a3-2b918e510...@at.or.at
Re: PPA security (was: Debian mirrors and MITM)
Hans-Christoph Steiner wrote:
> This could be approached another way. There could be scripts in the packaging tools that mark a package if it does not run anything in any of the scripts that does not come from the packaging tools. I think many, many packages would qualify here; most packages do not touch the pre/post scripts, so the ones that are included are generated by debhelper or whatever. Then you could see whether a package is requesting to run its own scripts as root, and make the call there. A package that does not add anything to those scripts would be pretty safe to install, at least.

There is a lot of code that is run by maintainer scripts that currently has no reason to worry about the security of its inputs, which are provided by files in the package. For this to work, it would all need to be made secure. Retroactively adding such a security requirement is a good way to end up playing security whack-a-mole for many years thereafter.

-- 
see shy jo
PPA security (was: Debian mirrors and MITM)
Quoting Jeremie Marguerie jere...@marguerie.org:
> Thanks for bringing that issue! I feel the same way when I install a packet from a non-official PPA.

Unfortunately, every package can do anything: pre-inst, post-inst, pre-rm, post-rm run as root. If you don't trust a PPA the same way you trust your OS vendor (Debian, Ubuntu or whoever), install only in a VM or a container (not sure whether a docker container is considered safe enough, but chroot is not sufficient). Alternatively, download the package, unpack it, remove maintainer scripts or check them carefully, check for s-bits on binaries etc., repack it and install. I'm probably missing more checks here.

While it would be nice to have sth. like less trusted sources and allow their packages only certain kinds of install/de-install operations (i.e. no maintainer scripts) etc., it's hard to get right and a broken solution would put users at risk.

Cheers

Archive: https://lists.debian.org/20140530204120.horde.zo1cetednp5glvdc16ay...@webmail.in-berlin.de
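The manual check Martin describes (unpack the package, read the maintainer scripts, look for s-bits) together with Hans-Christoph's idea from the reply above, marking packages whose maintainer scripts contain nothing beyond what debhelper generated, as an added Python example that is not from this thread. It assumes the two tar streams of the .deb have already been pulled out, for instance with `dpkg-deb --ctrl-tarfile pkg.deb` and `dpkg-deb --fsys-tarfile pkg.deb` (or `ar x pkg.deb`), and relies on the `# Automatically added by ...` / `# End automatically added section` markers debhelper puts around its snippets; the sample package at the end is constructed for the demonstration.

```python
import io
import re
import tarfile

MAINT_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# debhelper brackets every snippet it generates with these two comment markers
DH_SECTION = re.compile(r"# Automatically added by .*?# End automatically added section\n?", re.S)
BOILERPLATE = {"", "set -e", "exit 0"}

def handwritten_lines(script):
    """Lines the maintainer wrote: not debhelper-generated, not a comment, not shebang/set -e filler."""
    body = DH_SECTION.sub("", script)
    return [ln for ln in body.splitlines() if not ln.startswith("#") and ln.strip() not in BOILERPLATE]

def inspect_deb(control_tar, data_tar):
    """Hand-written maintainer-script lines and setuid/setgid files, from the two tar streams of a .deb."""
    scripts, sbits = {}, []
    with tarfile.open(fileobj=io.BytesIO(control_tar)) as t:      # plain, gz, bz2 or xz auto-detected
        for m in t.getmembers():
            name = m.name.lstrip("./")
            if m.isfile() and name in MAINT_SCRIPTS:
                scripts[name] = handwritten_lines(t.extractfile(m).read().decode())
    with tarfile.open(fileobj=io.BytesIO(data_tar)) as t:
        sbits = [m.name for m in t.getmembers() if m.isfile() and m.mode & 0o6000]   # setuid | setgid
    return {"scripts": scripts, "sbits": sbits}

def _tar(files):
    """Constructed-sample helper: uncompressed tar from (name, bytes, mode) triples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, content, mode in files:
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(content), mode
            t.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def sample_package():
    """Constructed sample, not a real package: one debhelper snippet plus one hand-written postinst line, and a setuid file."""
    postinst = (b"#!/bin/sh\nset -e\n# Automatically added by dh_installinit\n"
                b"invoke-rc.d demo start || true\n# End automatically added section\n"
                b"cp /usr/share/demo/demo.conf /etc/demo.conf\n")
    control = _tar([("./control", b"Package: demo\nVersion: 1.0\n", 0o644),
                    ("./postinst", postinst, 0o755), ("./prerm", b"#!/bin/sh\nset -e\n", 0o755)])
    data = _tar([("./usr/bin/demo", b"#!/bin/sh\n", 0o4755),
                 ("./usr/share/doc/demo/copyright", b"demo\n", 0o644)])
    return control, data

if __name__ == "__main__":
    print(inspect_deb(*sample_package()))
```

An empty list under `scripts` means the package runs nothing beyond debhelper's generated snippets; any line listed there runs as root at install or removal time and deserves a read before `dpkg -i`.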
Re: PPA security (was: Debian mirrors and MITM)
On Sat, May 31, 2014 at 2:41 AM, W. Martin Borgert wrote:
> in a VM or a container (not sure, whether a docker container is considered safe enough, but chroot is not sufficient).

One of the Debian Linux kernel package maintainers doesn't consider containers to be secure enough to rely solely on them as a sandbox mechanism.

https://lists.debian.org/1398428907.7767.184.ca...@deadeye.wl.decadent.org.uk

-- 
bye,
pabs

http://wiki.debian.org/PaulWise

Archive: https://lists.debian.org/caktje6hbjvmihodbqlwdfk9icovb3k1rtvcfxwk+vvyqkz5...@mail.gmail.com
Re: how to help with security in debian
At 12:14 2003-06-01 +1000, Aníbal Monsalve Salazar wrote:
> A month ago or so, Martin Schulze sent a message about his guidelines to help with security in debian. It included a URL at infodrom.org. Could someone please send me the message and the URL?

## Get the Power of Debian/GNU-Linux ##

Why not use http://lists.debian.org/ and the search engine???

Michelle
Re: how to help with security in debian
On Sun, Jun 01, 2003 at 12:14 +1000, Aníbal Monsalve Salazar wrote:
> A month ago or so, Martin Schulze sent a message about his guidelines to help with security in debian.

It was Martin Michlmayr who posted the message:
http://lists.debian.org/debian-devel-announce/2003/debian-devel-announce-200305/msg5.html

And he referenced a message from Martin Schulze:
http://lists.debian.org/debian-security/2001/debian-security-200109/msg00225.html

This last message was about looking for a Debian Security Secretary. However, it contains guidelines about how to help with security in debian.

> It included a URL at infodrom.org.

http://www.infodrom.ffis.de/Linux/security/

The URL wasn't at infodrom.org, as you can see. However, the above URL doesn't take me anywhere because the domain name does not exist. I've found the following URL at infodrom.org and it's the one I was looking for:
http://www.infodrom.org/Linux/security/

> Could someone please send me the message and the URL?

Thanks to Tomasz Papszun and David Karlin for their messages.

Aníbal
how to help with security in debian
A month ago or so, Martin Schulze sent a message about his guidelines to help with security in debian. It included a URL at infodrom.org.

Could someone please send me the message and the URL?
Security on debian
Can anyone point me to the best books, how-to's, articles, scripts, etc. on hardening debian and making it really secure, but still easy to use? I was looking on the debian site and I saw a security how-to, but for some reason it would not let me access it. It said I didn't have permission to view it.

-Scott Henson
Re: Security on debian
Scott Henson wrote:
> Can anyone point me to the best books, how-to's, articles, scripts, etc. on hardening debian and making it really secure, but still easy to use? I was looking on the debian site and I saw a security how-to, but for some reason it would not let me access it. It said I didn't have permission to view it.
>
> -Scott Henson

A few good tips on this site:
http://wwwcmc.pharm.uu.nl/gillies/debian/

A few more security tips:
http://tinyplanet.ca/pubs/debian/html/c206.html

This is a good security site, I think some guy on this list manages it.
http://www.linux-sec.net/

This is the link that I have for the Securing Debian HOW-TO, it appears to be down too:
http://joker.rhwd.de/doc/Securing-Debian-HOWTO/Securing-Debian-HOWTO.htm

You can also download an example Debian IPtables script from:
http://www.debiandiary.f2s.com/files/iptables.sh

Stef
Re: Security on debian
[EMAIL PROTECTED] writes:
> I saw a security how-to, but for some reason it would not let me access it. It said I didn't have permission to view it.

The link I know is:
http://www.debian.org/doc/manuals/securing-debian-howto/
and it is working perfectly!

As Nicole just said, look in the Accepted languages preferences of your browser, and set [en] (NOT [en-US]!) if it is not present.

Matteo
Re: Security on debian
Hiya

On Sun, Sep 30, 2001 at 12:17:00AM -0600, Stefan Srdic wrote:
> This is the link that I have for the Securing Debian HOW-TO, it appears to be down too
> http://joker.rhwd.de/doc/Securing-Debian-HOWTO/Securing-Debian-HOWTO.htm

First it does not seem down (to me at least), second you should change .htm to .html and third this document is completely obsoleted as Javier Fernandez has incorporated it into an official Debian Document Project Paper on www.debian.org/doc, which should be used as reference. :)

MfG/Regards,
Alexander

-- 
Alexander Reelsen http://joker.rhwd.de [EMAIL PROTECTED]
GnuPG: pub 1024D/F0D7313C sub 2048g/6AA2EDDB [EMAIL PROTECTED]
7D44 F4E3 1993 FDDF 552E 7C88 EE9C CBD1 F0D7 313C
Securing Debian: http://joker.rhwd.de/doc/Securing-Debian-HOWTO
Re: Security on debian
hi ya scott..

hoping you mean really secure as good enough for protecting against most script kiddies ... you can dig thru all those hundreds of urls... fun reading if you have the time ...

debian security howto
http://www.debian.org/doc/manuals/securing-debian-howto/
( url seemed slow to me too...gave up after 10 sec of waiting )

simplified hardening
- turn off daemons you dont need/use ( printer, samba, etc
- turn off services you dont need/use ( telnet, ftp, ppp, etc
- file system changes ( look for setuid bits, do you need it?
  passwd files, special accounts dont need bash shells
- backup of your important data
- audit your system - ( nmap, nessus, etc
- tighten your kernel ( do you need modules
  try to protect against buffer overflow
- lots to do... ( endless list of stuff... )

have fun
alvin

http://www.Linux-Sec.net/Harden -- more detailed hardening stuff to do (later)

On Sun, 30 Sep 2001, Scott Henson wrote:
> Can anyone point me to the best books, how-to's, articles, scripts, etc. on hardening debian and making it really secure, but still easy to use? I was looking on the debian site and I saw a security how-to, but for some reason it would not let me access it. It said I didn't have permission to view it.
Re: Security on debian
In article [EMAIL PROTECTED], [EMAIL PROTECTED] writes:
> debian security howto
> http://www.debian.org/doc/manuals/securing-debian-howto/
> ( url seemed slow to me too...gave up after 10 sec of waiting )

www.debian.org was/is having problems -- I wound up getting the document off of www.uk.debian.org. I'll have comments on the document in a while, it obviously is still under construction.

-- 
Blars Blarson [EMAIL PROTECTED]
http://www.blars.org/blars.html
Text is a way we cheat time. -- Patrick Nielsen Hayden