Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   ArchLinux Development (http://www.linux-archive.org/archlinux-development/)
-   -   Moving repos to nymeria (http://www.linux-archive.org/archlinux-development/701148-moving-repos-nymeria.html)

Florian Pritz 09-06-2012 03:39 PM

Moving repos to nymeria
 
On 06.09.2012 17:23, Stéphane Gaudreault wrote:
> Could we run sogrep on nymeria ?

I don't really see a benefit there. You can already run it on brynhild
and sogrep needs a databases which is updated via a cron job so you
probably won't even see a difference in update latency between the two.

> Also, could you please explain why browsing the repo in a shell account
> will be disabled ? I found this very useful when moving a large number
> of packages from staging/testing to extra/core.

The idea is to reduce the possible damage an attacker can cause if he
happens to obtain a dev's/TU's ssh key. Without a shell and only a few
whitelisted commands the box should be very safe. That allows us to use
a server stored signing key for the database without having to worry
about someone using a kernel exploit and gaining access to the key.

sftp will still be available so if all you want is a file list you can
use that. You can also run "sudo syncrepo" on brynhild to force a sync
at any time and then browse there.

--
Florian Pritz

Gaetan Bisson 09-06-2012 04:46 PM

Moving repos to nymeria
 
[2012-09-06 17:39:03 +0200] Florian Pritz:
> The idea is to reduce the possible damage an attacker can cause if he
> happens to obtain a dev's/TU's ssh key. Without a shell and only a few
> whitelisted commands the box should be very safe. That allows us to use
> a server stored signing key for the database without having to worry
> about someone using a kernel exploit and gaining access to the key.

Did we abandon the idea of having packagers download the old DB, check
its signature, do changes to it, sign the new DB, and upload it back?
Because I would certainly find this much safer and trustworthy than
having a black-box server blindly signs anything it is given.

And I would also find it too bad to lose the flexibility actual non-root
Linux accounts give, such as being able to fix things ourselves when
they go wrong (like when pushing to the wrong repo).

Cheers.

--
Gaetan

Eric Bélanger 09-06-2012 05:18 PM

Moving repos to nymeria
 
On Thu, Sep 6, 2012 at 12:46 PM, Gaetan Bisson <bisson@archlinux.org> wrote:
> [2012-09-06 17:39:03 +0200] Florian Pritz:
>> The idea is to reduce the possible damage an attacker can cause if he
>> happens to obtain a dev's/TU's ssh key. Without a shell and only a few
>> whitelisted commands the box should be very safe. That allows us to use
>> a server stored signing key for the database without having to worry
>> about someone using a kernel exploit and gaining access to the key.
>
> Did we abandon the idea of having packagers download the old DB, check
> its signature, do changes to it, sign the new DB, and upload it back?
> Because I would certainly find this much safer and trustworthy than
> having a black-box server blindly signs anything it is given.


Agree.

>
> And I would also find it too bad to lose the flexibility actual non-root
> Linux accounts give, such as being able to fix things ourselves when
> they go wrong (like when pushing to the wrong repo).

What will happen to our personal web space? And what about
/srv/ftp/other/ ? Will they move to the new server? If so, we'll need
to whitelist enough commands so we can use them without being a PITA.
Could you give us a more detailed list of the commands that will be
allowed? I'm concerned that the shell would become so crippled that
it would be practically unusable.

Eric


>
> Cheers.
>
> --
> Gaetan

Florian Pritz 09-15-2012 09:24 PM

Moving repos to nymeria
 
On 06.09.2012 19:18, Eric Bélanger wrote:
> On Thu, Sep 6, 2012 at 12:46 PM, Gaetan Bisson <bisson@archlinux.org> wrote:
>> [2012-09-06 17:39:03 +0200] Florian Pritz:
>>> The idea is to reduce the possible damage an attacker can cause if he
>>> happens to obtain a dev's/TU's ssh key. Without a shell and only a few
>>> whitelisted commands the box should be very safe. That allows us to use
>>> a server stored signing key for the database without having to worry
>>> about someone using a kernel exploit and gaining access to the key.
>>
>> Did we abandon the idea of having packagers download the old DB, check
>> its signature, do changes to it, sign the new DB, and upload it back?
>> Because I would certainly find this much safer and trustworthy than
>> having a black-box server blindly signs anything it is given.
>
>
> Agree.
>
>>
>> And I would also find it too bad to lose the flexibility actual non-root
>> Linux accounts give, such as being able to fix things ourselves when
>> they go wrong (like when pushing to the wrong repo).

Pierre said that we should support using devtools inside screen (db-move
can take quite long) and screen allows to run other commands so limiting
the shells doesn't seem possible right now.

Limiting the shell creates a trusted server which makes signing the
databases way more secure because even if we use remote signing the hash
is calculated on the server.

I understand either way and I don't care if we limit them or not so I'm
not going to argue about that.

--
Florian Pritz

Pierre Schmitz 09-15-2012 10:29 PM

Moving repos to nymeria
 
Am 15.09.2012 23:24, schrieb Florian Pritz:
> Pierre said that we should support using devtools inside screen (db-move
> can take quite long) and screen allows to run other commands so limiting
> the shells doesn't seem possible right now.

It's dbscripts actually. As packages are signed an attacker cannot
inject any code. We should isolate svn though. A shell account with
limited permissions (no direct write access to the repos or svn) should
be secure enough then.

Maybe one day we will reimplement the whole process; but this wont be
done anytime soon.

> Limiting the shell creates a trusted server which makes signing the
> databases way more secure because even if we use remote signing the hash
> is calculated on the server.

We do not sign databases anyway atm. And imho we shouldn't do it until
it's possible to tell pacman to trust certain keys only for the
database. Then the worst case would be a replay attack which we would
detect. Using our packager keys to sign something that is calculated on
the server is a bad idea. The server cannot be trusted and our setup
should be based on that fact.

But this might go off-topic. Right now we don't sign databases and we
don't have a finished concept for this. So I'd say keep this in mind but
let us not limit by this.

Back to the actual topic: the community repo should be moved from
sigurd as we are running out of disk space. It is also benifitial to
have the dev and tu repos on the same server. Therefor an easy solution
would be:

* have shell accounts for every dev and tu
* maybe review our group setup
* package files and svn files cannot be accessed by these accounts. Use
some sudo and dedicated user magic here so that only dbscripts can write
packages and the svn repo can only be access via an svn client.

We can ave a more advanced setup later.

Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com

Gaetan Bisson 09-16-2012 05:59 AM

Moving repos to nymeria
 
[2012-09-15 23:24:57 +0200] Florian Pritz:
> >> Did we abandon the idea of having packagers download the old DB, check
> >> its signature, do changes to it, sign the new DB, and upload it back?
> >> Because I would certainly find this much safer and trustworthy than
> >> having a black-box server blindly signs anything it is given.
>
> Limiting the shell creates a trusted server which makes signing the
> databases way more secure because even if we use remote signing the hash
> is calculated on the server.

Do we really need remote signing for the DB, given that each of us
already downloads the DB when upgrading, most likely several times a
day? I do not think downloading it a couple more times when pushing
packages will change much. Then I see no need to trust the server: I
download the current DB and its signature, check it (it's by Florian P,
and of course I trust him), apply my changes, sign and upload back.

--
Gaetan

Allan McRae 09-16-2012 06:05 AM

Moving repos to nymeria
 
On 16/09/12 15:59, Gaetan Bisson wrote:
> (it's by Florian P,
> and of course I trust him)

Where there goes the point of failure right there!

Remember there is also the files.db which is ~10x the size. I guess we
should sign that too?

Allan

Jan Steffens 09-16-2012 06:34 AM

Moving repos to nymeria
 
On Sun, Sep 16, 2012 at 7:59 AM, Gaetan Bisson <bisson@archlinux.org> wrote:
> Do we really need remote signing for the DB, given that each of us
> already downloads the DB when upgrading, most likely several times a
> day? I do not think downloading it a couple more times when pushing
> packages will change much. Then I see no need to trust the server: I
> download the current DB and its signature, check it (it's by Florian P,
> and of course I trust him), apply my changes, sign and upload back.

I want avoid anything that requires me to upload the DB from my computer.
Reason: http://www.speedtest.net/result/2173792066.png
That would be over 7MB I would have to download and upload for every
operation on the [extra] repo.

Pierre Schmitz 09-16-2012 07:47 AM

Moving repos to nymeria
 
Am 16.09.2012 08:34, schrieb Jan Steffens:
> On Sun, Sep 16, 2012 at 7:59 AM, Gaetan Bisson <bisson@archlinux.org> wrote:
>> Do we really need remote signing for the DB, given that each of us
>> already downloads the DB when upgrading, most likely several times a
>> day? I do not think downloading it a couple more times when pushing
>> packages will change much. Then I see no need to trust the server: I
>> download the current DB and its signature, check it (it's by Florian P,
>> and of course I trust him), apply my changes, sign and upload back.
>
> I want avoid anything that requires me to upload the DB from my computer.
> Reason: http://www.speedtest.net/result/2173792066.png
> That would be over 7MB I would have to download and upload for every
> operation on the [extra] repo.

Exactly, this is not an option. Also remember that we need to lock the
db during that time so nobody else can modify it. Transactions are also
way harder to handle; what if the upload fails etc.. Si imho both,
remote signing and re-uploading the db files are a no go.

Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com

Tom Gundersen 09-16-2012 09:21 AM

Moving repos to nymeria
 
> Am 16.09.2012 08:34, schrieb Jan Steffens:
>> I want avoid anything that requires me to upload the DB from my computer.

[...]

>> That would be over 7MB I would have to download and upload

Would we really need to sign the full 7MB database? Could we not come
up with something more minimal to sign that would still be sufficient?
Alternatively, we need to get Jan a better connection :)

On Sun, Sep 16, 2012 at 9:47 AM, Pierre Schmitz <pierre@archlinux.de> wrote:
> Exactly, this is not an option. Also remember that we need to lock the
> db during that time so nobody else can modify it. Transactions are also
> way harder to handle; what if the upload fails etc...

We don't need to lock the database for the duration of the
download/sign/upload. We could simply:

* check the timestamp of the old database
* download the database
* check the old signature
* update the database and sign the new version
* upload the database
* lock the database on the server
* check if the timestamp has changed
* if yes, release the lock and start from scratch
* if no, overwrite it with your new version and release the lock

This means that you might need to retry once or twice if more than one
person is updating the database, so it does not scale that well.
However, we are not that many people and we don't update the database
that often, so the chance of actually getting a conflict is low (and
the additional cost is not that high either).

-t


All times are GMT. The time now is 05:04 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.