Security concerns with mirrormanager
dax at gurulabs.com
Wed May 23 20:57:25 UTC 2007
On Tue, 2007-05-22 at 22:45 -0500, Matt Domsch wrote:
> On Tue, May 22, 2007 at 05:58:03PM -0600, Dax Kelson wrote:
> > I mentioned on the list a few months back a technique for having YUM
> > automatically use a local mirror without any configuration changes on
> > the clients. A few people sent me emails asking for more details, so I
> > was goaded/spurred into implementing it and have now documented the
> > procedure in a new GURU GUIDE.
> Dax, very cool. Thanks for posting this.
> One thing I added to mirrormanager was the ability for a mirror
> host to specify the set of IP netblocks that should use the local
> mirror. When a yum client hits the mirrorlist CGI, such as:
> it looks up the client IP address in mirrormanager's database. If one
> or more of the hosts in that database claim that IP address as "local"
> to them, the CGI returns just those hosts.
> In mirrormanager, you can have private mirror sites and private mirror
> hosts, so they never appear on the public list of servers, but the
> mirrorlist CGI can still handle them. The drawback is that
> mirrormanager can't crawl private mirror sites (generally). So, you
> have to use mirrormanager's report_mirror script, which runs on your
> private mirror, to tell the mirrormanager database what content you
> have. With this little bit of setup, you can get much the same
> benefit as your setup provides.
Matt, mirrormanager is very cool!
For YUM to automatically find a mirror I believe the cleanest and best
solution is have it be done within Yum itself. Possibly with a WPAD-like
or DNS SRV technique. It should be on default.
The idea of the main mirrorlist CGI having a database of local IPs and
mirrors is actually a solution that I ran through mentally awhile back
and came to the conclusion that security concerns and technical
limitations made it unworkable.
When you attach your computer to a network there is some level of
implicit trust in the local network (and whoever manages it). But this
is a two party relationship and doesn't involve a third party who is a
random stranger on the internet.
The main security concern I have with the DB of local IPs, is what is to
prevent someone from listing my IP network as local to their mirror?
This could be accidental via a netmask typo, or with a more sinister
intent (cross your fingers that your users pay attention to gpg messages
IMHO, this should not be possible. If mirrormanager intends to maintain
a DB of local IPs for a mirror, then the ownership/control of the IP
range *must* be strongly authenticated. It should be done securely, or
not at all.
Different people have different security requirements, but I believe
that some people will be in for a shock and react poorly/predictably
when they find out that their IP netblocks (or any portion thereof)
could be redirected.
The technical limitation of the DB of local IPs is that it doesn't work
for organizations who run their mirrors on a RFC1918 IP and use NAT to
get out to the internet. This scenario is very common.
More information about the fedora-devel-list