[distcc] re: distcc/zeroconf security

Dan Kegel dank at kegel.com
Sat Apr 3 16:28:00 GMT 2004


Christopher Smith wrote:
> Which aspect of Zeroconf are you referring to? I'm not doing anything
> with link-local IP setup stuff (it wouldn't make sense), but can't see
> where that stuff is any more of a security risk than using DHCP.

I know DHCP is a hole, but I hadn't thought about it in this context.
I'll try to flesh out my understanding of the threat.

> The threat profile I see with mDNS is as follows: hacker gets access to
> the corporate LAN, and advertises himself as providing a service (say
> distcc). If clients of the service do not authenticate the providers,
> then the hacker can potentially confuse clients to use their hacked
> version of the service. Now, if you are serious about the security of
> your source code, you have to be worried about IP spoofing and
> man-in-the-middle attacks, which means either you believe you can
> prevent such attacks (I'll bet against you, but you have at least
> theoretically solved the problem), or your clients should already be
> authenticating the service providers.

Right.  And the hackers in question here might even be employees who
have access to the LAN, but don't normally have access to the source code.

> Of course, all this is moot if your source is ever written to a standard
> network filesystem (say you have some NAS boxes), as a hacker could get
> access to your source (and before the nasty C preprocessor has munged
> it) simply by listening in on the traffic.

Another good hole; NFS = No File Security.

> Sure, it'd be helpful if it had something like Kerberos to control
> access to the directory, but truth be told, any hacker is going to be
> able to discover what services are available on a network anyway. All
> this is doing is making the services visible to everyone else.

I'm not worried about read access to the directory.

> A few simple security measures should allow mDNS to be quite safe on a
> corporate environment (simple things like looking for mDNS
> responses/announcements which don't match expected service
> configurations). distcc, on the other hand, is a different matter.
> Ultimately, if distcc is properly secured, using mDNS to autodiscover
> distcc nodes shouldn't introduce security holes.

It's *advertising* bogus distcc nodes that worries me.

> For the record, have you considered just tunnelling distcc over ssh? It
> would seem to be the trivial way to mitigate a number of distcc related
> security concerns.

Yes.  (See my post to the distcc mailing list.)
My suspicion is that it adds too much startup overhead.
Also, some distcc servers do not allow ssh logins for policy and/or technical reasons.
- Dan

-- 
My technical stuff: http://kegel.com
My politics: see http://www.misleader.org for examples of why I'm for regime change
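The check Christopher suggests, looking for mDNS announcements that don't match the expected service configuration, spelled out as an added example (mine, not distcc's code and not anything from the thread). It parses an mDNS response in DNS wire format, pulls out the PTR/SRV/A records for the distcc service type, and flags any advertised instance whose target host or address is not on an allowlist. The service type name `_distcc._tcp.local`, the allowlist, and the packet built by `sample_packet()` are all constructed for illustration; 3632 is distcc's default TCP port.

```python
"""Flag unexpected mDNS advertisements of distcc.  Added example, not distcc code.
The service type, allowlist and sample packet below are constructed assumptions."""
import struct

SERVICE = "_distcc._tcp.local"          # assumed service type name
ALLOWED_HOSTS = {"build1.local": "10.0.0.5", "build2.local": "10.0.0.6"}  # constructed


def _read_name(pkt, off):
    """Decode a DNS name at pkt[off], following compression pointers.
    Returns (dotted name, offset just past the name as it appears at `off`)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = ((ln & 0x3F) << 8) | pkt[off + 1]
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln


def _encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def parse_mdns_response(pkt):
    """Return (owner, type, rdata) for every PTR, SRV and A record in the packet."""
    _, _, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qd):                              # skip any question section
        _, off = _read_name(pkt, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10                                    # rclass carries mDNS cache-flush bit; ignored
        rd = pkt[off:off + rdlen]
        if rtype == 12:                              # PTR: service type -> instance name
            records.append((name, "PTR", _read_name(pkt, off)[0]))
        elif rtype == 33:                            # SRV: instance -> (target host, port)
            _prio, _weight, port = struct.unpack("!HHH", rd[:6])
            records.append((name, "SRV", (_read_name(pkt, off + 6)[0], port)))
        elif rtype == 1:                             # A: host -> IPv4 address
            records.append((name, "A", ".".join(str(b) for b in rd)))
        off += rdlen
    return records


def unexpected_distcc_instances(records, allowed_hosts):
    """Return (instance, target, port, addr) for every advertised distcc instance
    whose SRV target is not an allowed host or whose A record disagrees with it."""
    srv = {r[0]: r[2] for r in records if r[1] == "SRV"}
    addrs = {r[0]: r[2] for r in records if r[1] == "A"}
    alerts = []
    for inst in (r[2] for r in records if r[0] == SERVICE and r[1] == "PTR"):
        target, port = srv.get(inst, (None, None))
        addr = addrs.get(target)
        if target not in allowed_hosts or allowed_hosts[target] != addr:
            alerts.append((inst, target, port, addr))
    return alerts


def sample_packet():
    """Constructed mDNS response: build1 legitimate, build2 with a spoofed address,
    and a rogue 'buildx' instance pointing at laptop.local."""
    ptr_to_service = b"\xc0\x0c"                     # pointer to SERVICE at offset 12
    inst = lambda label: bytes([len(label)]) + label.encode() + ptr_to_service
    srv = lambda target: struct.pack("!HHH", 0, 0, 3632) + _encode_name(target)
    a = lambda ip: bytes(int(x) for x in ip.split("."))
    answers = [
        (_encode_name(SERVICE), 12, inst("build1")),     # first record must sit at offset 12
        (inst("build1"), 33, srv("build1.local")),
        (_encode_name("build1.local"), 1, a("10.0.0.5")),
        (_encode_name(SERVICE), 12, inst("build2")),
        (inst("build2"), 33, srv("build2.local")),
        (_encode_name("build2.local"), 1, a("10.0.0.99")),   # should be 10.0.0.6
        (_encode_name(SERVICE), 12, inst("buildx")),
        (inst("buildx"), 33, srv("laptop.local")),
        (_encode_name("laptop.local"), 1, a("10.0.0.77")),
    ]
    body = b"".join(n + struct.pack("!HHIH", t, 0x8001, 120, len(rd)) + rd for n, t, rd in answers)
    return struct.pack("!6H", 0, 0x8400, 0, len(answers), 0, 0) + body


if __name__ == "__main__":
    for alert in unexpected_distcc_instances(parse_mdns_response(sample_packet()), ALLOWED_HOSTS):
        print("unexpected distcc advertisement:", alert)
```

Feeding real traffic means capturing UDP 5353 to 224.0.0.251 and handing each datagram to `parse_mdns_response`. The allowlist compares the SRV target against its A record deliberately: a rogue that reuses a legitimate host name but answers from its own address is the case the thread worries about, and a name-only check would pass it.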
