HASHER(7) ALT Linux HASHER(7)
NAME
hasher - modern safe package building technology
SYNOPSIS
hsh [options] <path-to-workdir> <package>...
RATIONALE
Long ago, when instrumental OS distributions made by a few developers
were small enough to be placed on a single CD together with sources,
there was no real package building technology. Developers built their
packages in a host system created by installing the whole OS
distribution.
Nowadays instrumental OS distributions are made by dozens of
developers. They are too large to be installed wholly. As a result, the
traditional scheme of building packages in the host system no longer
fits the requirements: it is insecure, unsafe and awkward.
REQUIREMENTS
Modern package building technology should:
1. not lower the host system security;
2. protect itself from attacks mounted by packages;
3. protect package builds from attacks mounted by other packages;
4. ensure reliability of build results;
5. provide reasonable performance.
ARCHITECTURE
The hasher architecture is based on a triple-user model: the caller
user (C) and two unprivileged pseudousers; the first one (R) emulates
root in the generated build environment, the second one (U) emulates a
regular user who builds software.
Switching between the caller user and the helper users is handled by a
special privileged program, hasher-priv(8). It is written with extreme
caution to defend against attacks mounted by unprivileged users. This
helper is also used to purge processes left behind by the pseudousers,
to create device files, and to control the resources allocated to
unprivileged processes in order to defend against DoS attacks.
In general, the path a source package takes through hasher during the
build process looks as follows:
1. Generate aptbox.
User C generates the environment (aptbox) for apt.
2. Remove the build environment possibly left over from previous
builds.
The removal is done sequentially: inside the build chroot by user
U, inside the build chroot by user R and finally outside the
chroot by user C.
3. Generate the new build chroot framework.
User C generates the framework, which consists of helper
directories and statically linked helper programs: ash(1), find(1)
and cpio(1). Basic device files are also created at this point
by means of hasher-priv(8). These devices are necessary for the
build environment and are safe for the host system.
4. Generate the basic install environment.
This environment contains everything necessary for regular
package installs. User C, using apt utilities, determines the set
of packages required to generate the install environment. User R,
using the static helper programs, unpacks these packages.
5. Generate the basic build environment.
This environment contains the tools required for every package
build. User C, using apt utilities, determines the set of
packages; user R installs them.
6. Generate the build environment for this particular package.
User U fetches the package build dependencies, user C, using apt
utilities, determines the set of packages to install, and user R
installs them.
7. Build the package.
User U executes the build.
This scheme is designed to eliminate attacks of the type U->R, U->C,
R->C, and all attacks targeted at root.
In order to increase performance, which is essential when building a
lot of packages, hasher caches the basic build environment. This allows
steps 4 and 5 to be skipped.
AUTHOR
Written by Dmitry V. Levin <ldv@altlinux.org>
REPORTING BUGS
Report bugs to http://bugs.altlinux.ru/
COPYRIGHT
Copyright 2003-2007 Dmitry V. Levin <ldv@altlinux.org>
This is free software; see the source for copying conditions. There is
NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
PURPOSE.
SEE ALSO
hsh(1), hasher-priv.conf(5), hasher-priv(8), hasher-useradd(8),
/usr/share/doc/hasher-1.3.26/QUICKSTART.
hasher 1.3.26 January 2007 HASHER(7)