Hacker News new | past | comments | ask | show | jobs | submit login

it does not matter, you can add a new commit (or modify an old one anyway since it'll work fine - but lets say you notice it, so we add a commit) you make the commit look legit and all, its going to be pretty difficult to say where its coming from and which has been tampered with, since, of course, linus himself will have it when he pulls it.

and that's not just linux.git, but also the ton of other .git's in there, which linus will pull from and will not read every line of.

The caveat here is as real as it can get. usually when it looks "slightly complex" people overlook the security aspect "no one is going to do such an attack"

then the attack happens, often unnoticed, because the attackers aren't lazy if there's a hole they use it.




Somebody might not notice a malicious commit when they pull the tree, but the maintainer will definitely notice the next time he pushes to that tree. Having a push rejected because it's not a fast-forward gets your attention every time.


But what value does adding an arbitrary unconnected commit have to an attacker? The only sane goal would be sneaking exploit code into a "released" version that will be shipped.

In order to do that, you need to somehow get Linus to merge it successfully. And that doesn't work per git's design.

If all you want is to have "exploitable" commit IDs in the kernel git, you don't need to do anything sneaky at all! They're already there, being historical bugs that have since been fixed.


They gained root access. So some one could do

sudo su - linus

cd /path/to/linux-2.6.git

modify/exploit code and git commit

I for example do a daily git pull - I will get the the tainted code and not notice it at all.

NO?


But that's just HEAD. No offense, but so what? Clearly anyone (sane) running off of a development branch isn't doing so on a security sensitive system. It's an exploit, but only of development systems and a tiny handful of hacker's personal boxes. The value there to an attacker is very low.

What you can't do is inject code that ends up in 3.1-rc5, because before that gets tagged Linus (and a lot of other people) would have to do a merge that would fail inexplicably.

But to be clear: yes, with access to the repository you can (for a brief moment until it's noticed) inject exploit code that will be picked up by anyone building and running an untagged branch HEAD.


Ubuntu does daily kernel builds and many people run that kernel - to see if some bug has been fixed, to get support for their newer hardware etc. Lots of reasons perfectly sane people can end up testing a daily build.


The code would not be signed by Linus; you do not know his private key.

If I as a developer then pull and verify signatures, I would note that commit was unsigned and expect the commit to be compromised.


But you cannot sign commits in git, only tags, right?




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: