This chapter could also be titled "how to upgrade/update your Debian GNU/Linux system securely", and it deserves a chapter of its own basically because it does not fit into any other chapter.
As of this writing (December 2001) Debian does not provide signed packages for the distribution, and the woody (3.0) release will not integrate this feature. There is a solution for signed packages which is expected to be provided in the release after that.

The current (not yet implemented) scheme for package signing using apt is: the archive's Release file lists the MD5 sums (and sizes) of the Packages files and is itself signed (Release.gpg); each Packages file in turn lists the MD5 sums of the individual .deb files, so a package can be verified by following that chain back to the signature.

Beyond checking integrity, this MD5 sum chain lets apt verify whether a package originates from a specific release. This is less flexible than signing package by package, but it can be combined with that scheme as well (see below).
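The chain just described, worked through as an added example (this is not code from the manual, from apt or from Anthony Towns' script): the Release file, the Packages file and the .deb below are constructed sample data, and the signature step (gpgv checking Release.gpg over Release, which the script further down performs) is assumed to have already passed before the hashes are followed. The function names and the status words are mine; the status words mirror the OK/BAD/MISSING/NOCHECK classes the script reports. It also turns the freshness advice the script prints into a check of the Release Date: field, which is the stale-mirror case.

```python
import hashlib
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample archive (not real Debian data): one tiny .deb, the
# Packages stanza describing it, and the Release file that covers Packages.
DEB_BYTES = b"!<arch>\nconstructed .deb contents, for illustration only\n"
DEB_PATH = "pool/main/e/example/example_1.0-1_i386.deb"
PACKAGES_PATH = "main/binary-i386/Packages"
SAMPLE_NOW = datetime(2002, 6, 20, 12, 0, tzinfo=timezone.utc)  # constructed "today"


def md5hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_packages(deb_bytes: bytes) -> str:
    """Packages stanza for the sample .deb (what the archive's Packages file lists)."""
    return (
        "Package: example\nVersion: 1.0-1\nArchitecture: i386\n"
        f"Filename: {DEB_PATH}\nSize: {len(deb_bytes)}\nMD5sum: {md5hex(deb_bytes)}\n\n"
    )


def build_release(packages_text: str, date: str) -> str:
    """Release file covering Packages; in the archive this is what Release.gpg signs."""
    body = packages_text.encode()
    return (
        "Origin: Debian\nLabel: Debian\nSuite: stable\nCodename: woody\n"
        f"Date: {date}\nArchitectures: i386\nComponents: main\n"
        f"MD5Sum:\n {md5hex(body)} {len(body):>8} {PACKAGES_PATH}\n"
    )


PACKAGES_TEXT = build_packages(DEB_BYTES)
RELEASE_TEXT = build_release(PACKAGES_TEXT, "Sat, 15 Jun 2002 12:00:00 UTC")


def parse_release_md5sums(release_text: str) -> dict:
    """{path: (md5, size)} from the MD5Sum: section of a Release file."""
    sums, in_section = {}, False
    for line in release_text.splitlines():
        if line.startswith("MD5Sum:"):
            in_section = True
        elif in_section and line.startswith(" "):
            md5, size, path = line.split()
            sums[path] = (md5, int(size))
        elif in_section:
            break  # a following field such as SHA1: ends the section
    return sums


def parse_packages(packages_text: str) -> dict:
    """{Filename: (MD5sum, Size)} from the RFC822-style stanzas of a Packages file."""
    entries = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if "Filename" in fields:
            entries[fields["Filename"]] = (fields["MD5sum"], int(fields["Size"]))
    return entries


def verify_chain(release_text, packages_path, packages_text, deb_path, deb_bytes):
    """Follow Release -> Packages -> .deb; assumes gpgv already accepted Release.gpg.
    Returns (ok, status); the status words follow the apt-release-check script."""
    sums = parse_release_md5sums(release_text)
    if packages_path not in sums:
        return False, "NOCHECK: Packages file not listed in signed Release"
    body = packages_text.encode()
    if (md5hex(body), len(body)) != sums[packages_path]:
        return False, "BAD: Packages file does not match Release"
    pkgs = parse_packages(packages_text)
    if deb_path not in pkgs:
        return False, "MISSING: package not listed in Packages"
    if (md5hex(deb_bytes), len(deb_bytes)) != pkgs[deb_path]:
        return False, "BAD: .deb does not match Packages"
    return True, "OK"


def release_age_days(release_text: str, now: datetime) -> int:
    """Age of the Release file from its Date: field (the stale-mirror check)."""
    date = re.search(r"^Date: *(.*)$", release_text, re.M).group(1)
    return (now - parsedate_to_datetime(date)).days


if __name__ == "__main__":
    print(verify_chain(RELEASE_TEXT, PACKAGES_PATH, PACKAGES_TEXT, DEB_PATH, DEB_BYTES))
    # A trojaned .deb served by a mirror: caught at the Packages link.
    print(verify_chain(RELEASE_TEXT, PACKAGES_PATH, PACKAGES_TEXT, DEB_PATH, DEB_BYTES + b"x"))
    # The mirror also rewrites Packages to match: caught at the signed Release link.
    tampered = build_packages(DEB_BYTES + b"x")
    print(verify_chain(RELEASE_TEXT, PACKAGES_PATH, tampered, DEB_PATH, DEB_BYTES + b"x"))
    print("Release is", release_age_days(RELEASE_TEXT, SAMPLE_NOW), "days old")
```

The third case is the one that shows why the signature sits on Release rather than on Packages: a mirror can rewrite both the .deb and the Packages file to agree with each other, but it cannot produce a Release file with matching sums without the archive's signing key, so the mismatch surfaces at the top of the chain. A mirror that simply never updates is not caught by hashes at all, which is what the age check is for.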
Package signing has been discussed in Debian from time to time; for more information you can read http://www.debian.org/News/weekly/2001/8/, http://www.debian.org/News/weekly/2001/11/ and http://www.debian.org/News/weekly/2000/11/.
The additional scheme of signing each and every package allows packages to be checked even when they are no longer referenced by an existing Packages file, and also lets third-party packages, for which no Packages file ever existed, be used on Debian; it will not, however, be the default scheme.
This package signing scheme can be implemented using debsig-verify and debsigs. These two packages can sign and verify signatures embedded in the .deb itself. Debian already has the ability to do this now, but implementing this policy and the tools will not begin until after the release of Woody (so as not to delay its release cycle).
NOTE: By default /etc/dpkg/dpkg.cfg ships with "no-debsig" set, so dpkg does not check embedded signatures.
If you want to add extra security, consider using the script below, provided by Anthony Towns. It can automatically run some new security checks so that the user can be sure the software he or she is downloading matches the software Debian distributes. This stops Debian developers from damaging someone's system without the accountability provided by uploading to the main archive, mirrors serving something almost, but not quite, like Debian, and mirrors providing out-of-date copies of unstable with known security problems.
This sample code, saved as apt-release-check, should be used as follows:

    # apt-get update
    # apt-release-check
    (...results...)
    # apt-get dist-upgrade
First you need to:

- fetch the key the archive uses to sign Release files, http://ftp-master.debian.org/ziyi_key_2002.asc, and add it to ~/.gnupg/trustedkeys.gpg (which is the keyring gpgv uses by default);
- remove any /etc/apt/sources.list lines that do not use the normal distribution structure (dists/<suite>/<component>), or change the script so that it works with them.
#!/bin/bash
# This script is copyright (c) 2001, Anthony Towns
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

rm -rf /tmp/apt-release-check
mkdir /tmp/apt-release-check || exit 1
cd /tmp/apt-release-check

# Result files, one list name per check outcome.
>OK
>MISSING
>NOCHECK
>BAD

arch=`dpkg --print-architecture`

am_root () {
    [ `id -u` -eq 0 ]
}

# Print "md5 size" for the entry $2 in the MD5Sum: section of Release $1.
get_md5sumsize () {
    cat "$1" | awk '/^MD5Sum:/,/^SHA1:/' |
      MYARG="$2" perl -ne '@f = split /\s+/; if ($f[3] eq $ENV{"MYARG"}) {
          print "$f[1] $f[2]\n"; exit(0); }'
}

# Compare the apt list file $1 against the sum and size Release gives for $2.
checkit () {
    local FILE="$1"
    local LOOKUP="$2"
    Y="`get_md5sumsize Release "$LOOKUP"`"
    Y="`echo "$Y" | sed 's/^ *//;s/  */ /g'`"

    if [ ! -e "/var/lib/apt/lists/$FILE" ]; then
        if [ "$Y" = "" ]; then
            # No file, but not needed anyway
            echo "OK"
            return
        fi
        echo "$FILE" >>MISSING
        echo "MISSING $Y"
        return
    fi
    if [ "$Y" = "" ]; then
        echo "$FILE" >>NOCHECK
        echo "NOCHECK"
        return
    fi
    # GNU md5sum appends " -" when reading stdin; keep only the hash.
    X="`md5sum < /var/lib/apt/lists/$FILE | cut -d' ' -f1` `wc -c < /var/lib/apt/lists/$FILE`"
    X="`echo "$X" | sed 's/^ *//;s/  */ /g'`"
    if [ "$X" != "$Y" ]; then
        echo "$FILE" >>BAD
        echo "BAD"
        return
    fi
    echo "$FILE" >>OK
    echo "OK"
}

echo
echo "Checking sources in /etc/apt/sources.list:"
echo "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"
echo
(echo "You should take care to ensure that the distributions you're downloading"
 echo "are the ones you think you are downloading, and that they are as up to"
 echo "date as you would expect (testing and unstable should be no more than"
 echo "two or three days out of date, stable-updates no more than a few weeks"
 echo "or a month)."
) | fmt
echo

cat /etc/apt/sources.list |
  sed 's/^ *//' | grep '^[^#]' |
  while read ty url dist comps; do
    if [ "${url%%:*}" = "http" -o "${url%%:*}" = "ftp" ]; then
        baseurl="${url#*://}"
    else
        continue
    fi
    echo "Source: ${ty} ${url} ${dist} ${comps}"
    rm -f Release Release.gpg
    wget -q -O Release "${url}/dists/${dist}/Release"
    if ! grep -q '^' Release; then
        echo "  * NO TOP-LEVEL Release FILE"
    else
        origline=`sed -n 's/^Origin: *//p' Release | head -1`
        lablline=`sed -n 's/^Label: *//p' Release | head -1`
        suitline=`sed -n 's/^Suite: *//p' Release | head -1`
        codeline=`sed -n 's/^Codename: *//p' Release | head -1`
        dateline=`grep "^Date:" Release | head -1`
        dscrline=`grep "^Description:" Release | head -1`
        echo "  o Origin: $origline/$lablline"
        echo "  o Suite: $suitline/$codeline"
        echo "  o $dateline"
        echo "  o $dscrline"

        if [ "${dist%%/*}" != "$suitline" -a "${dist%%/*}" != "$codeline" ]; then
            echo "  * WARNING: asked for $dist, got $suitline/$codeline"
        fi

        wget -q -O Release.gpg "${url}/dists/${dist}/Release.gpg"
        sigline="`gpgv --status-fd 3 Release.gpg Release 3>&1 >/dev/null 2>&1 | sed -n "s/^\[GNUPG:\] GOODSIG [0-9A-Fa-f]* //p"`"
        if [ "$sigline" ]; then
            echo "  o Signed by: $sigline"
        else
            echo "  * NO VALID SIGNATURE"
            # Empty the unsigned Release so every lookup below yields NOCHECK.
            >Release
        fi
    fi
    okaycomps=""
    for comp in $comps; do
        if [ "$ty" = "deb" ]; then
            X=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/binary-${arch}/Release" | sed 's,//*,_,g'`" "${comp}/binary-${arch}/Release")
            Y=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/binary-${arch}/Packages" | sed 's,//*,_,g'`" "${comp}/binary-${arch}/Packages")
            if [ "$X $Y" = "OK OK" ]; then
                okaycomps="$okaycomps $comp"
            else
                echo "  * PROBLEMS WITH $comp ($X, $Y)"
            fi
        elif [ "$ty" = "deb-src" ]; then
            X=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/source/Release" | sed 's,//*,_,g'`" "${comp}/source/Release")
            Y=$(checkit "`echo "${baseurl}/dists/${dist}/${comp}/source/Sources" | sed 's,//*,_,g'`" "${comp}/source/Sources")
            if [ "$X $Y" = "OK OK" ]; then
                okaycomps="$okaycomps $comp"
            else
                echo "  * PROBLEMS WITH component $comp ($X, $Y)"
            fi
        fi
    done
    [ "$okaycomps" = "" ] || echo "  o Okay:$okaycomps"
    echo
  done

echo "Results"
echo "~~~~~~~"
echo

allokay=true

# Anything in /var/lib/apt/lists that no sources.list entry accounted for.
cd /tmp/apt-release-check
diff <(cat BAD MISSING NOCHECK OK | sort) <(cd /var/lib/apt/lists && find . -maxdepth 1 -type f | sed 's,^\./,,g' | grep '_' | sort) | sed -n 's/^> //p' >UNVALIDATED

cd /tmp/apt-release-check
if grep -q ^ UNVALIDATED; then
    allokay=false
    (echo "The following files in /var/lib/apt/lists have not been validated."
     echo "This could turn out to be a harmless indication that this script"
     echo "is buggy or out of date, or it could let trojaned packages get onto"
     echo "your system."
    ) | fmt
    echo
    sed 's/^/    /' < UNVALIDATED
    echo
fi

if grep -q ^ BAD; then
    allokay=false
    (echo "The contents of the following files in /var/lib/apt/lists does not"
     echo "match what was expected. This may mean these sources are out of date,"
     echo "that the archive is having problems, or that someone is actively"
     echo "using your mirror to distribute trojans."
     if am_root; then
         echo "The files have been renamed to have the extension .FAILED and"
         echo "will be ignored by apt."
         cat BAD | while read a; do
             mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED
         done
     fi
    ) | fmt
    echo
    sed 's/^/    /' < BAD
    echo
fi

if grep -q ^ MISSING; then
    allokay=false
    (echo "The following files from /var/lib/apt/lists were missing. This"
     echo "may cause you to miss out on updates to some vulnerable packages."
    ) | fmt
    echo
    sed 's/^/    /' < MISSING
    echo
fi

if grep -q ^ NOCHECK; then
    allokay=false
    (echo "The contents of the following files in /var/lib/apt/lists could not"
     echo "be validated due to the lack of a signed Release file, or the lack"
     echo "of an appropriate entry in a signed Release file. This probably"
     echo "means that the maintainers of these sources are slack, but may mean"
     echo "these sources are being actively used to distribute trojans."
     if am_root; then
         echo "The files have been renamed to have the extension .FAILED and"
         echo "will be ignored by apt."
         cat NOCHECK | while read a; do
             mv /var/lib/apt/lists/$a /var/lib/apt/lists/${a}.FAILED
         done
     fi
    ) | fmt
    echo
    sed 's/^/    /' < NOCHECK
    echo
fi

if $allokay; then
    echo 'Everything seems okay!'
    echo
fi

rm -rf /tmp/apt-release-check
Securing Debian Manual
Version: 2.4 (translation revision 3), Fri, 03 Dec 2004 23:31:56 +0000, jfs@debian.org