Bug 64317 - sys-devel/distcc has a remote network vulnerability
Summary: sys-devel/distcc has a remote network vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High major
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa?]
Keywords:
Duplicates: 66424
Depends on:
Blocks:

Reported: 2004-09-16 15:04 UTC by Lisa Seelye (RETIRED)
Modified: 2011-10-30 22:41 UTC

See Also:
Package list:
Runtime testing required: ---

Description Lisa Seelye (RETIRED) gentoo-dev 2004-09-16 15:04:03 UTC
See: http://distcc.samba.org/security.html

The fix:
emerge sync
emerge --update --pretend >=sys-devel/distcc-2.14
emerge --update >=sys-devel/distcc-2.14
etc-update
Edit /etc/conf.d/distccd and specify for your network --allow and/or --listen
Restart distccd


Hope that is sufficient! This is my first security thingymabob.
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-09-16 16:05:52 UTC
This is a huge security hole, and I think a GLSA should be sent.
Comment 2 Mark Mealman 2004-09-16 16:20:19 UTC
Also, can we change /etc/conf.d/distccd to include the below option by default?

DISTCCD_OPTS="--allow 192.168.1.0/24"

Users have a habit of just taking the default config and the above line should make their installs more secure. If they need to open up distccd beyond a local network, the above option should also make it obvious as to what setting they need to tweak to securely allow for that.
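The fix in the description and the default suggested above both come down to one question: does DISTCCD_OPTS carry an --allow restriction? The following audit script is an added example (not part of the bug, the distcc project or the Gentoo ebuild) that reads a conf.d file and reports whether distccd is restricted to named networks or open to any host; the helper names are hypothetical and the sample configurations are constructed.

```shell
#!/bin/sh
# Audit a Gentoo /etc/conf.d/distccd file (hypothetical helper, not part of
# the distcc ebuild): report whether distccd is limited to the networks given
# with --allow, or would accept compile jobs from any host that reaches it.

# Print the value of DISTCCD_OPTS from a conf.d file, surrounding quotes
# stripped; empty output when the variable is not set (or only commented out).
distccd_opts_from_file() {
    grep '^[[:space:]]*DISTCCD_OPTS=' "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/^"//' -e 's/"$//' -e "s/^'//" -e "s/'\$//"
}

# Print every network passed via --allow (both "--allow NET" and "--allow=NET"
# spellings), one per line; prints nothing when no --allow is present.
distccd_allowed_networks() {
    printf '%s\n' "$1" | tr ' ' '\n' | awk '
        prev == "--allow" { print; prev = ""; next }
        /^--allow=/       { sub(/^--allow=/, ""); print; next }
        { prev = $0 }'
}

# Succeed (exit 0) when at least one --allow network is configured; fail
# when distccd would serve every host, which is the situation in this bug.
distccd_opts_is_restricted() {
    [ -n "$(distccd_allowed_networks "$1")" ]
}

# Audit one conf.d file: exit 0 when restricted, 1 (with a warning) when open.
audit_distccd_conf() {
    opts=$(distccd_opts_from_file "$1")
    if distccd_opts_is_restricted "$opts"; then
        echo "OK: $1 restricts distccd to: $(distccd_allowed_networks "$opts" | tr '\n' ' ')"
        return 0
    fi
    echo "WARNING: $1 sets no --allow; distccd accepts jobs from any host" >&2
    return 1
}

# Demo on two constructed configurations (not taken from a real system).
demo_dir=$(mktemp -d)
printf 'DISTCCD_OPTS="--port 3632 -N 15"\n' > "$demo_dir/distccd.open"
printf 'DISTCCD_OPTS="--port 3632 --allow 192.168.1.0/24 --allow 10.0.0.0/8"\n' \
    > "$demo_dir/distccd.restricted"
for f in "$demo_dir/distccd.open" "$demo_dir/distccd.restricted"; do
    audit_distccd_conf "$f" || :   # the open file yields a warning and status 1
done
rm -rf "$demo_dir"
```

Run it against the real /etc/conf.d/distccd with `audit_distccd_conf /etc/conf.d/distccd`; a nonzero exit means the daemon is still in the open state the bug describes.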
Comment 3 Lisa Seelye (RETIRED) gentoo-dev 2004-09-16 17:50:06 UTC
re: comment 2

It's hard to miss my comments in the conf file.  If the users can't take the time to read the documentation then no number of GLSAs will make them RTFM or secure their network.
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-17 01:19:29 UTC
Lisa, since the first version of the 2.16-r1 ebuild contained a wrong "PATCHLEVEL" and thus didn't pick up the new config, you should maybe make this -r2 now. There actually have been people using -r1 before that change.
Comment 5 Mark Mealman 2004-09-17 10:52:47 UTC
<< It's hard to miss my comments in the conf file. >>

Heh, actually I missed them because 2.16 and under is using the 2.11.1p patchlevel. But yeah, the 2.17 comments should be fine.

I don't know what the policies are on at what point a GLSA is sent out, but since the 2.16 and under builds don't have any comments on using --allow I'm sure there are a decent number of Gentoo users running distccd completely open. There's been one user in the forums who was hacked due to this already. Some sort of announcement or warning might be helpful for others.
Comment 6 Lisa Seelye (RETIRED) gentoo-dev 2004-09-17 11:12:18 UTC
I'll bump 2.16 to -r2...

re comment 5: all of the distcc ebuilds are on 2.17 patchlevel.
Comment 7 Lisa Seelye (RETIRED) gentoo-dev 2004-09-17 12:12:08 UTC
2.16 bumped to -r2
Comment 8 Surakshan Mendis 2004-09-17 17:01:38 UTC
Is it possible for an ebuild "beep" warning message to READ the config file? I know one should do it etc... but some people don't because it just works (tm).

I tried the metasploit framework 2.2 and I can execute system commands as distcc user -- way too easy
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-09-19 11:39:20 UTC
I agree the default configuration should be closed, forcing people to update and read the comments. However, the behaviour is by design. This bug summary ("remote network vulnerability") is false: there is no vulnerability here, that's the way distcc works. And the docs make it quite clear.

I don't think we should issue a GLSA about this, otherwise we should also issue one for SSHD telling people not to forget to set root passwords...

Security: please comment.
Comment 10 Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-19 13:34:48 UTC
I agree with Koon... don't think there should be a GLSA and I would change the default behaviour so that the installation is safe by default and will have to be changed to work.

A warning should probably also appear in the distcc guide at http://www.gentoo.org/doc/en/distcc.xml
Comment 11 Luke Macken (RETIRED) gentoo-dev 2004-09-19 17:08:41 UTC
Contradicting my message above, I think that the ewarns are sufficient enough and we don't need a GLSA for this.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-09-20 05:42:18 UTC
Closed without GLSA
Comment 13 Luke Macken (RETIRED) gentoo-dev 2004-10-05 07:20:19 UTC
*** Bug 66424 has been marked as a duplicate of this bug. ***
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2004-10-05 07:45:16 UTC
*** Bug 66424 has been marked as a duplicate of this bug. ***