Re: GNU mirror going away

On Thu, Dec 11, 2003 at 06:23:33PM +0000, mike808@users.sourceforge.net wrote:
> While I'm sure you're a smart guy, Steve, you really ought to give
> them credit for not making a rash decision on this. Perhaps they have
> very good reasons for doing so. Perhaps you should consider those
> reasons before making your determination of betting the farm on your
> own rsync and security abilities.
[details of a security hole I'm well aware of deleted]

Honestly, I don't care if the decision is "rash" or not (even if it
pretty obviously is).  The recent security hole (which was one of only
a very small handful of remotely-exploitable rsync holes) was patched
within a day of being discovered.  And besides, it wasn't a major
concern on properly-configured servers.

> > * While this heap overflow vulnerability could not be used by itself to 
> >   obtain root access on a rsync server, it could be used in combination 
> >   with the recently announced brk vulnerability in the Linux kernel to 
> >   produce a full remote compromise.

And that brk vulnerability is hardly the fault of rsync.

> > * The server that was compromised was using a non-default rsyncd.conf
> >   option "use chroot = no". The use of this option made the attack on
> >   the compromised server considerably easier. A successful attack is
> >   almost certainly still possible without this option, but it would be
> >   much more difficult.

And nobody in their right mind would use "use chroot = no".

> While I'm also sure you're quite good at maintaining the security of your
> systems, I'd have to say that, just perhaps, that you consider that there are
> some pretty smart folks at GNU, Debian, Gentoo, SuSE, Mandrake, and several
> other distros that have serious security and resource concerns over rsync.

And yet everyone else still uses rsync as their primary mechanism for

> Perhaps you should not dismiss their decision so readily based only on your
> religious zeal over rsync.

It has nothing to do with "religious zeal".  It has everything to do
with the amount of work that rsync saves for all concerned.  Right now
I'm running something like 18 mirrors.  Before rsync, using one of the
random ftp-mirroring scripts, I had twice as much work when I was only
mirroring a half-dozen (at most) sites.

> I'm just saying your policy of "I only mirror with rsync" may be
> impacted by several high-profile sites you mirror taking down their
> rsync servers due to these security concerns, thus diminishing the
> value of your mirrors (i.e. fewer of them), irregardless of the merits
> of the bandwidth savings of using rsync.

Taking down their rsync service is stupid.  If they are worried about
the security of their rsync/ftp server, they should put it on a server
that is push-mirrored from a box behind a firewall, limit connections
to hosts that have applied to be mirrors, etc.

You should note that I have gone to considerable personal expense to
move my *mirror* server to its own dedicated box recently, largely due
to security concerns.

> BTW, just out of curiosity, what portion of your bandwidth usage is
> just mirror updates?

Who knows?  Probably not that much though.  After being up for almost
exactly one week, the mirror server hasn't received all that much...

    RX bytes:914058647 (871.7 Mb)  TX bytes:3234472962 (3084.6 Mb)

And that's refreshing 231GB (at the moment) of data multiple times per

> Oh, and you *CAN* mirror GNU with rsync from rsync://mirror.mcs.anl.gov/gnu/

IF that site is still current, I HIGHLY doubt it would be a good site
to mirror from if rsync is disabled on ftp.gnu.org.

Besides, I don't like to mirror from intermediate sites, since that
doubles the number of systems I have to trust.

> Maybe you'll reconsider? Although, if your point was partially to drop 
> mirroring GNU due to lack of interest, then maybe we can fill up that 
> recently freed up disk space and finally get that SuSE mirror from ANL as 
> well? :=)

I won't mirror from ANL, but I might mirror from SuSE directly.  I've
sent email to them to try to get rsync access.  (I don't think this is
the first time, but maybe it is.)

I also may be turning the Mozilla mirror back on...  The fallout from
them moving their servers appears to have settled, so I might be able
to rsync reliably again.  (Plus with Firebird, Thunderbird, etc.
getting interesting, there are reasons for the mirror again.)
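
An added example, not part of the original message: a small audit of an rsyncd.conf for the two settings discussed in the thread, "use chroot = no" and the absence of a "hosts allow" restriction on a module. The sample config, module names and addresses are constructed; the parser is simplified (no line continuations) and assumes an absent "use chroot" means enabled, in line with the quoted advisory calling "no" non-default.

```python
import re

FALSE_VALUES = {"no", "false", "0"}

# Constructed sample config (module names, paths and addresses are made up).
SAMPLE_CONF = """\
# global section: values here are defaults for every module
use chroot = no
max connections = 20

[gnu]
    path = /srv/mirror/gnu
    read only = yes

[suse]
    path = /srv/mirror/suse
    use chroot = yes
    hosts allow = 192.0.2.10 192.0.2.11
"""

def parse_rsyncd_conf(text):
    """Return (global_params, {module: params}) with normalised parameter names."""
    globals_, modules = {}, {}
    current = globals_
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = modules.setdefault(header.group(1).strip(), {})
        elif "=" in line:
            name, value = line.split("=", 1)  # only the first '=' is significant
            current[" ".join(name.lower().split())] = value.strip()
    return globals_, modules

def audit(text):
    """List (module, finding) pairs for the two settings discussed in the thread."""
    globals_, modules = parse_rsyncd_conf(text)
    findings = []
    for name, params in modules.items():
        effective = {**globals_, **params}  # module settings override global ones
        if effective.get("use chroot", "yes").lower() in FALSE_VALUES:
            findings.append((name, "use chroot disabled"))
        if not effective.get("hosts allow"):
            findings.append((name, "no hosts allow restriction"))
    return findings

if __name__ == "__main__":
    for module, finding in audit(SAMPLE_CONF):
        print(f"[{module}] {finding}")
```

The [gnu] module is flagged twice because it inherits the global "use chroot = no" and has no "hosts allow" line; [suse] overrides both and is not flagged.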

