security: distcc video

Post by ewiget » Sat Feb 02, 2008 18:08

I am not sure if this belongs in Portage or networking or somewhere else (move if it is not appropriate here). However, I know many Gentoo / Sabayon users like to use distcc due to the quicker package compile times.

I am not going to disclose the details of "while I was recently out of town needing a wireless network connection" experience that prompted me to write this article :)

Anyways, I was reading the distcc docs at http://www.gentoo.org/doc/en/distcc.xml after I returned from being out of town to try to determine why a person would have distcc running on a wireless network that didn't even require a WEP key. I noticed there were no RED LIGHT warnings about distcc security, and even if you follow the Gentoo docs and use a host allow and listen address, you are setting yourself up for a compromised system sooner or later because the connecting host IP can always be spoofed (faked) to match your rules.

So, to help people understand how distcc is not as good as it may seem when you follow the guides, I made an article with a video to demonstrate a remote shell via distcc (this is a known bug that has been out for a while and even mentioned in the distcc security article - http://distcc.samba.org/security.html ):
The article with background info and a video walk through: http://www.maysville-linux-users-group. ... d-0-0.html
Another article with much better video than the youtube video in above article: http://www.edwiget.name/content/view/280/27/

And a much better way of securing distcc is covered here and can be modified to work with gentoo/sabayon systems: http://www.debian-administration.org/articles/157

Re: security: distcc video

Post by rand.a » Sun Feb 03, 2008 4:54

Good information, but it seems to assume a poor network security setup, which is a problem in itself. Any smart admin is going to isolate their wireless network, severely limit its access and apply multiple security layers. Distcc over 802.11g is quite slow, so I don't see why any admin would allow wireless access to a distcc service; it might be feasible over 802.11n, but it's not very common yet.

I do agree though, it is a very good idea to jail any possible daemon that allows remote access to limit any access an exploit might allow. Exploits will always exist; it's up to the admin to limit the damage that can be done.

Re: security: distcc video

Post by ewiget » Sun Feb 03, 2008 17:30

I started to leave the wireless part out because it also applies to wired networks too (I just used the wireless as an example because that situation is what got me started to begin with).

A more appropriate wording maybe should have been "if you have distcc listening on any device and not running in a chroot jail....then this can happen"
