File: security.html

package info (click to toggle)
distcc 3.4%2Breally3.3.5-3
  • links: PTS
  • area: main
  • in suites: bullseye
  • size: 4,728 kB
  • sloc: ansic: 27,899; python: 6,459; sh: 4,434; makefile: 907; perl: 67
file content (159 lines) | stat: -rw-r--r-- 8,466 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
 
<html>
<head><title>distcc security notes</title>
    <meta name="author" content="Martin Pool">
    <meta name="keywords" content="distributed, make, build, gcc,
               parallel, network, networked, faster, free, fast, paralel, cc, c,
               C++, Objective C, ObjC, compile, compiler, compilation,
               simple, GPL, GNU, Linux, BSD, Unix, software, development,
               developer, TeamBuilder, quick, dmake, pvmake,
               transparent, easy, workstations, Solaris, IncrediBuild,
               productivity, speed, time, tool, performance, hardware,
               agents, nfs, libraries, source, headers, workload,
               buildfarm, farm, server, cluster, clustered, clustering, MOSIX, OpenMOSIX">
    <meta name="description" content="distcc is a fast, free distributed C and C++ compiler.">
    <link rel="SHORTCUT ICON" href="favicon.ico">
    <link type="text/css" rel="stylesheet" href="distcc-green.css">
    <link type="text/html" rel="top" href="index.html">
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head>
   <body vlink="#003300" text="#000000" link="#003300" bgcolor="#ffffff" alink="#336633"><p><table width="100%"><tr><td valign="top"><div class="navbar"><ul>
          <li><a href="index.html">distcc</a></li>
          <li><a href="http://code.google.com/p/distcc/source/browse/trunk">source</a>
          <li><a href="http://code.google.com/p/distcc/downloads/list">binaries</a></li>
          <li><a href="http://distcc.googlecode.com/svn/trunk/NEWS">news</a></li>
          <li><a href="scenarios.html">scenarios</a></li>
	  <li><a href="results.html">testimonials</a></li>
	  <li><a href="benchmark.html">benchmarks</a></li>
	  <li><a href="security.html"><b>security</b></a></li>
	  <li><a href="distcc-lca-2004.html">whitepaper</a></li>
	  <li><a href="http://distcc.googlecode.com/svn/trunk/doc/web/man/">Man pages</a></li>
	  <li><a href="faq.html">FAQ</a></li>

	  <p>
	  <li><a href="http://code.google.com/p/distcc/issues/list">report a bug</a></li>
	  <li><a href="https://lists.samba.org/mailman/listinfo/distcc">mailing list</a>
           <ul><li><a href="mailto:distcc@lists.samba.org">post</a></li>
            <li><a href="http://lists.samba.org/archive/distcc/">archive</a></li>
            <li><a href="news://news.gmane.org/gmane.comp.compilers.distcc">newsgroup</a></li></ul>
	  </li>
          <li><a href="http://freshmeat.net/projects/distcc">Freshmeat</a>
            <ul><li><a href="http://freshmeat.net/subscribe/28140">be notified</a></li></ul>
	  </li>

	  <p>
	  <li>related:</li>
	  <ul>
	      <li><a title="How to use distcc and Gentoo" href="http://www.gentoo.org/doc/en/distcc.xml">Gentoo</a></li>
	      <li><a title="Script to ease building cross-compilers and toolchains" href="http://kegel.com/crosstool/">crosstool</a></li>
	      <li><a title="Cache compiler results" href="https://ccache.dev/">ccache</a></li>
	      <li><a title="Centralized control over distcc and ccache" href="http://ccontrol.ozlabs.org/">ccontrol</a></li>
	      <li><a title="Smart job scheduler" href="http://dmucs.sourceforge.net/">dmucs</a></li>
	  </ul>
       <p><p></td>                                      
       <td valign="top">
       <div class="body">
       <h1 class="title">distcc security notes</h1>


<p>
distcc is intended to be quite secure when used according to the
documentation, but it must be properly configured.  
<p>
<b>Anyone who can connect to the distcc server port can run arbitrary
commands on that machine as the distccd user.  If you are not using
SSH, you must use the <tt>--allow</tt> rule and/or firewall
rules to limit access to port 3632.</b>  Since version 3.0, distccd now
enforces that, refusing to run if the --allow option is not specified.
<p>
Someone has written a 
<a href="http://www.metasploit.com/projects/Framework/modules/exploits/distcc_exec.pm">
program to attack unprotected servers</a>.  To prevent this attack, use
network access control or SSH (which is much slower).
<p>
Installation or use of any software caries a certain risk, which
should be assessed by the machine operator.
<p>
distcc allows remote execution of compilation jobs.  This introduces a
trust relationship between the client and server machines.  The client
completely trusts the server to compile code correctly.  A corrupt
server could introduce malicious code into the results, or attack the
client in other ways.  The server completely trusts an authorized
client.  A malicious client could execute arbitrary commands on the
server.
<p>
distcc supports a choice of two network transports: a simple TCP
protocol (normally on port 3632), and connection over SSH or a similar
secured connection.
<p>
The distccd TCP server does not run as root.  If started by root,
before accepting connections it
gives away its privileges and changes to either the <tt>distcc</tt> or
<tt>nobody</tt> user, or to a user specified by the <tt>--user</tt> option.
<p>
The distcc client may be run as root.  Compiling or doing other
unnecessary work as root is generally discouraged on Unix, but distcc
permits it because some package installations require it.
<p>
In TCP mode network transmissions are not encrypted or signed.  An
attacker with passive access to the network traffic can see the source
or object code.  An attacker with active access can modify the source
or object code, or execute arbitrary commands on the server.
<p>
The TCP server can limit clients by either checking the client
address, or listening only on particular IP interfaces.  However, in
some circumstances an attacker can spoof connections from a false
address.  If such a situation apply to your network then IP-based
access control is not sufficient.
<p>
In TCP mode there is no way to limit access by user, rather than by
host.
<p>
IPSec or IPv6 would probably also help, but nobody has reported
testing it with distcc.
<p>
In SSH mode the server is started by each user under their own account
on the server.  There is no long-lived daemon.  Connections are
authenticated and encrypted.  Every user is allowed only the
privileges that their normal account allows.
<p>
Because the server and client necessarily trust each other, there has
been no security audit of the code that runs after a connection is
established.  It is possible that a hostile server could gain control
of a client directly, as well as modifying the object code.
<p>
If the DISTCC_CMDLIST environment variable is set when invoking
distccd, distccd will only execute commands from that list.
(The RPM and Debian distributions of distcc set this variable
via the /etc/distcc/commands.allow.sh file which is sourced by
/etc/init.d/distcc).  This mechanism can be used to only allow
the execution of compilation commands rather than arbitrary
commands.  However, <b>this should not be relied on as a security
measure</b>, because gcc is not secure against
hostile input, and it might be possible for an attacker to gain
control of the gcc process through a carefully crafted input file or
command line.  You should assume that anyone able to submit jobs is
able to execute arbitrary operations under the account used by
distccd.
<p>
It has been suggested that distccd should take a simple
username/password authentication mechanism, but this would give a
false sense of security.  If you cannot trust your network, the only
sensible policy is to use SSH.
<p>
Some people have proposed that the client should check whether a
server is trustworthy by re-running compilations on a different
server.  This approach can be useful in some distributed-computing
problem spaces such as SETI@home, but not practical for distcc.
Firstly, the damage from a single compromised object file is very
high, so every single file would have to be extensively checked.
Secondly, the performance constraints are such that building every
single file two or more times would often make distribution worthless.
Thirdly there would sometimes be false alerts from minor differences
in gcc patchlevel that are not visible in normal use but that do
change the output file at a byte level.
<p>
For practical advice, see 
<a href="http://www.debian-administration.org/articles/157">this description of how to secure distcc using chroot and OpenVPN</a>.
</tr></table>
    <div class="thanks">Copyright &copy; 2002&ndash;2004, 2006 Martin Pool.
     <p>Send comments to <tt>distcc(at)lists.samba.org</tt>
</html>