Use Acquire::Allow{InsecureRepositories,DowngradeToInsecureRepositories}

The configuration key Acquire::AllowInsecureRepositories controls if
apt allows loading of unsigned repositories at all.

The configuration Acquire::AllowDowngradeToInsecureRepositories
controls if a signed repository can ever become unsigned. This
should really never be needed but we provide it to avoid having
to mess around in /var/lib/apt/lists if there is a use-case for
this (which I can't think of right now).

diff --git a/apt-pkg/acquire-item.cc b/apt-pkg/acquire-item.cc
index 4a684f40cf03642433b98d5973770b5a87b12034..93ba098ee90a5712aba683a66e0ac083bbb9a6f3 100644 (file)
--- a/apt-pkg/acquire-item.cc
+++ b/apt-pkg/acquire-item.cc
@@ -1629,14 +1629,27 @@ void pkgAcqMetaSig::Failed(string Message,pkgAcquire::MethodConfig *Cnf)/*{{{*/
                                          "InRelease");
    string FinalInRelease = _config->FindDir("Dir::State::lists") + URItoFileName(InReleaseURI);
 
                                          "InRelease");
    string FinalInRelease = _config->FindDir("Dir::State::lists") + URItoFileName(InReleaseURI);
 

-   if(RealFileExists(Final) || RealFileExists(FinalInRelease))
+   if (RealFileExists(Final) || RealFileExists(FinalInRelease))

    {
    {

-      _error->Error("The repository '%s' is no longer signed.",
-                    URIDesc.c_str());
-      Rename(MetaIndexFile, MetaIndexFile+".FAILED");
-      Status = pkgAcquire::Item::StatError;
-      TransactionManager->AbortTransaction();
-      return;
+      std::string downgrade_msg;
+      strprintf(downgrade_msg, _("The repository '%s' is no longer signed."),
+                URIDesc.c_str());
+      if(_config->FindB("Acquire::AllowDowngradeToInsecureRepositories"))
+      {
+         // meh, the users wants to take risks (we still mark the packages
+         // from this repository as unauthenticated)
+         _error->Warning("%s", downgrade_msg.c_str());
+         _error->Warning(_("This is normally not allowed, but the option "
+                           "Acquire::AllowDowngradeToInsecureRepositories was "
+                           "given to override it."));
+         
+      } else {
+         _error->Error("%s", downgrade_msg.c_str());
+         Rename(MetaIndexFile, MetaIndexFile+".FAILED");
+         Status = pkgAcquire::Item::StatError;
+         TransactionManager->AbortTransaction();
+         return;
+      }

    }
 
    // this ensures that any file in the lists/ dir is removed by the
    }
 
    // this ensures that any file in the lists/ dir is removed by the


@@ -1654,7 +1667,7 @@ void pkgAcqMetaSig::Failed(string Message,pkgAcquire::MethodConfig *Cnf)/*{{{*/
    }
 
    // only allow going further if the users explicitely wants it
    }
 
    // only allow going further if the users explicitely wants it

-   if(_config->FindB("APT::Get::AllowUnauthenticated", false) == true)
+   if(_config->FindB("Acquire::AllowInsecureRepositories") == true)

    {
       // we parse the indexes here because at this point the user wanted
       // a repository that may potentially harm him
    {
       // we parse the indexes here because at this point the user wanted
       // a repository that may potentially harm him


@@ -1663,7 +1676,7 @@ void pkgAcqMetaSig::Failed(string Message,pkgAcquire::MethodConfig *Cnf)/*{{{*/
    } 
    else 
    {
    } 
    else 
    {

-      _error->Warning("Use --allow-unauthenticated to force the update");
+      _error->Warning("Use --allow-insecure-repositories to force the update");

    }
 
    // FIXME: this is used often (e.g. in pkgAcqIndexTrans) so refactor
    }
 
    // FIXME: this is used often (e.g. in pkgAcqIndexTrans) so refactor


@@ -2123,12 +2136,12 @@ void pkgAcqMetaIndex::Failed(string Message,
    // No Release file was present, or verification failed, so fall
    // back to queueing Packages files without verification
    // only allow going further if the users explicitely wants it
    // No Release file was present, or verification failed, so fall
    // back to queueing Packages files without verification
    // only allow going further if the users explicitely wants it

-   if(_config->FindB("APT::Get::AllowUnauthenticated", false) == true)
+   if(_config->FindB("Acquire::AllowInsecureRepositories") == true)

    {
       QueueIndexes(false);
    } else {
       // warn if the repository is unsinged
    {
       QueueIndexes(false);
    } else {
       // warn if the repository is unsinged

-      _error->Warning("Use --allow-unauthenticated to force the update");
+      _error->Warning("Use --allow-insecure-repositories to force the update");

    } 
 }
                                                                        /*}}}*/
    } 
 }
                                                                        /*}}}*/

diff --git a/apt-pkg/init.cc b/apt-pkg/init.cc
index 241628632ccdc24d958dc105ad04ac56b11039cf..82dff4ee8d86cee56565226a7b80466e4fe80379 100644 (file)
--- a/apt-pkg/init.cc
+++ b/apt-pkg/init.cc
@@ -88,6 +88,10 @@ bool pkgInitConfig(Configuration &Cnf)
    Cnf.Set("Dir::Ignore-Files-Silently::", "\\.orig$");
    Cnf.Set("Dir::Ignore-Files-Silently::", "\\.distUpgrade$");
 
    Cnf.Set("Dir::Ignore-Files-Silently::", "\\.orig$");
    Cnf.Set("Dir::Ignore-Files-Silently::", "\\.distUpgrade$");
 

+   // Repository security
+   Cnf.CndSet("Acquire::AllowInsecureRepositories", false);
+   Cnf.CndSet("Acquire::AllowDowngradeToInsecureRepositories", false);
+

    // Default cdrom mount point
    Cnf.CndSet("Acquire::cdrom::mount", "/media/cdrom/");
 
    // Default cdrom mount point
    Cnf.CndSet("Acquire::cdrom::mount", "/media/cdrom/");
 

diff --git a/apt-private/private-cmndline.cc b/apt-private/private-cmndline.cc
index a4490f5b41491c5b178d9415fcb6ee768a5e1fee..079f81ee36f4d512ee198384eefa0c6303b73254 100644 (file)
--- a/apt-private/private-cmndline.cc
+++ b/apt-private/private-cmndline.cc
@@ -198,6 +198,7 @@ static bool addArgumentsAPTGet(std::vector<CommandLine::Args> &Args, char const
    addArg(0,"only-source","APT::Get::Only-Source",0);
    addArg(0,"arch-only","APT::Get::Arch-Only",0);
    addArg(0,"allow-unauthenticated","APT::Get::AllowUnauthenticated",0);
    addArg(0,"only-source","APT::Get::Only-Source",0);
    addArg(0,"arch-only","APT::Get::Arch-Only",0);
    addArg(0,"allow-unauthenticated","APT::Get::AllowUnauthenticated",0);

+   addArg(0,"allow-insecure-repositories","Acquire::AllowInsecureRepositories",0);

    addArg(0,"install-recommends","APT::Install-Recommends",CommandLine::Boolean);
    addArg(0,"install-suggests","APT::Install-Suggests",CommandLine::Boolean);
    addArg(0,"fix-policy","APT::Get::Fix-Policy-Broken",0);
    addArg(0,"install-recommends","APT::Install-Recommends",CommandLine::Boolean);
    addArg(0,"install-suggests","APT::Install-Suggests",CommandLine::Boolean);
    addArg(0,"fix-policy","APT::Get::Fix-Policy-Broken",0);

diff --git a/doc/examples/configure-index b/doc/examples/configure-index
index 2d9f829ba89392aaa95c0dac98817d3a0f70515d..2925733d7c955937453f9b78c12aad8f35e4ec64 100644 (file)
--- a/doc/examples/configure-index
+++ b/doc/examples/configure-index
@@ -34,7 +34,7 @@ APT
   {
      Host-Architecture "armel";
      Arch-Only "false";
   {
      Host-Architecture "armel";
      Arch-Only "false";

-     AllowUnauthenticated "false";
+     AllowUnauthenticated "false";        // packages from unauthenticated

      AutomaticRemove "false";       
      HideAutoRemove "false";
      Download-Only "false";
      AutomaticRemove "false";       
      HideAutoRemove "false";
      Download-Only "false";

diff --git a/test/integration/test-apt-get-source-authenticated b/test/integration/test-apt-get-source-authenticated
index d73097b5414dedf855f9e1376c5798fd8d0c9906..d833ddd8533e9fe8037f86c2789f5bad924462f2 100755 (executable)
--- a/test/integration/test-apt-get-source-authenticated
+++ b/test/integration/test-apt-get-source-authenticated
@@ -21,7 +21,7 @@ APTARCHIVE=$(readlink -f ./aptarchive)
 rm -f $APTARCHIVE/dists/unstable/*Release*
 
 # update without authenticated InRelease file
 rm -f $APTARCHIVE/dists/unstable/*Release*
 
 # update without authenticated InRelease file

-testsuccess aptget update --allow-unauthenticated
+testsuccess aptget update --allow-insecure-repositories

 
 # this all should fail
 testfailure aptget install -y foo
 
 # this all should fail
 testfailure aptget install -y foo

diff --git a/test/integration/test-apt-get-update-unauth-warning b/test/integration/test-apt-get-update-unauth-warning
index b1c676738343fe44065a59bdb56b4b2f469893dc..510249747bddffc24109918e45856aa7b3fd0bb7 100755 (executable)
--- a/test/integration/test-apt-get-update-unauth-warning
+++ b/test/integration/test-apt-get-update-unauth-warning
@@ -23,7 +23,7 @@ testequal "Ign file: unstable InRelease
 Ign file: unstable Release
 Reading package lists...
 W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated.
 Ign file: unstable Release
 Reading package lists...
 W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated.

-W: Use --allow-unauthenticated to force the update" aptget update
+W: Use --allow-insecure-repositories to force the update" aptget update

 
 # no package foo
 testequal "Listing..." apt list foo
 
 # no package foo
 testequal "Listing..." apt list foo


@@ -32,7 +32,7 @@ testequal "Listing..." apt list foo
 testequal "Ign file: unstable InRelease
 Ign file: unstable Release
 Reading package lists...
 testequal "Ign file: unstable InRelease
 Ign file: unstable Release
 Reading package lists...

-W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated." aptget update --allow-unauthenticated
+W: The data from 'file: unstable Release' is not signed. Packages from that repository can not be authenticated." aptget update --allow-insecure-repositories

 
 # ensure we can not install the package
 testequal "WARNING: The following packages cannot be authenticated!
 
 # ensure we can not install the package
 testequal "WARNING: The following packages cannot be authenticated!

diff --git a/test/integration/test-apt-update-nofallback b/test/integration/test-apt-update-nofallback
index 4e8ea99166e0dc31f569d22fc1fae7da63db8ca9..a53226e18a9cea9dd3eee09609dfa1f64ff12847 100755 (executable)
--- a/test/integration/test-apt-update-nofallback
+++ b/test/integration/test-apt-update-nofallback
@@ -78,6 +78,25 @@ test_from_release_gpg_to_unsigned()
     assert_update_is_refused_and_last_good_state_used
 }
 
     assert_update_is_refused_and_last_good_state_used
 }
 

+test_from_inrelease_to_unsigned_with_override()
+{
+    # setup archive with InRelease file
+    setupaptarchive_with_lists_clean
+    testsuccess aptget update
+
+    # simulate moving to a unsigned but otherwise valid repo
+    simulate_mitm_and_inject_evil_package
+    generatereleasefiles
+
+    # and ensure we can update to it (with enough force) 
+    testsuccess aptget update --allow-insecure-repositories \
+        -o Acquire::AllowDowngradeToInsecureRepositories=1
+    # but that the individual packages are still considered untrusted
+    testequal "WARNING: The following packages cannot be authenticated!
+  evil
+E: There are problems and -y was used without --force-yes" aptget install -qq -y evil
+}
+

 test_cve_2012_0214()
 {
     # see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108
 test_cve_2012_0214()
 {
     # see https://bugs.launchpad.net/ubuntu/+source/apt/+bug/947108


@@ -205,3 +224,7 @@ test_inrelease_to_invalid_inrelease
 # ensure we revert to last good state if Release/Release.gpg does not verify
 msgmsg "test_release_gpg_to_invalid_release_release_gpg"
 test_release_gpg_to_invalid_release_release_gpg
 # ensure we revert to last good state if Release/Release.gpg does not verify
 msgmsg "test_release_gpg_to_invalid_release_release_gpg"
 test_release_gpg_to_invalid_release_release_gpg

+
+# ensure we can ovveride the downgrade error
+msgmsg "test_from_inrelease_to_unsigned"
+test_from_inrelease_to_unsigned_with_override

diff --git a/test/integration/test-apt-update-rollback b/test/integration/test-apt-update-rollback
index e37be9554f2943544dde8f9b729028ef20ae2dd7..ee8bc69264c9f3a7447151f58764bf64728fa2c5 100755 (executable)
--- a/test/integration/test-apt-update-rollback
+++ b/test/integration/test-apt-update-rollback
@@ -114,7 +114,7 @@ test_unauthenticated_to_invalid_inrelease() {
     rm $APTARCHIVE/dists/unstable/Release.gpg
     avoid_ims_hit
     
     rm $APTARCHIVE/dists/unstable/Release.gpg
     avoid_ims_hit
     

-    testsuccess aptget update -qq --allow-unauthenticated
+    testsuccess aptget update -qq --allow-insecure-repositories

     testequal "WARNING: The following packages cannot be authenticated!
   old
 E: There are problems and -y was used without --force-yes" aptget install -qq -y old
     testequal "WARNING: The following packages cannot be authenticated!
   old
 E: There are problems and -y was used without --force-yes" aptget install -qq -y old

diff --git a/test/integration/test-apt-update-unauth b/test/integration/test-apt-update-unauth
index 5db8a3c16948521be746db858fc27eddcc2c28f7..ade523ea7ce3458dd30e0735bfe7446ba701ef64 100755 (executable)
--- a/test/integration/test-apt-update-unauth
+++ b/test/integration/test-apt-update-unauth
@@ -28,7 +28,7 @@ runtest() {
     rm -f aptarchive/dists/unstable/*Release*
     # remove uncompressed version
     find aptarchive/ -name Packages | xargs rm -f
     rm -f aptarchive/dists/unstable/*Release*
     # remove uncompressed version
     find aptarchive/ -name Packages | xargs rm -f

-    aptget update -qq --allow-unauthenticated
+    aptget update -qq --allow-insecure-repositories

 
     # become authenticated
     generatereleasefiles
 
     # become authenticated
     generatereleasefiles

diff --git a/test/integration/test-bug-596498-trusted-unsigned-repo b/test/integration/test-bug-596498-trusted-unsigned-repo
index 973520a9764d0e1fb83d6967d08cabe60c9c6937..3104a70c25166d81be66f9d9005c04a03d532cea 100755 (executable)
--- a/test/integration/test-bug-596498-trusted-unsigned-repo
+++ b/test/integration/test-bug-596498-trusted-unsigned-repo
@@ -12,7 +12,7 @@ setupaptarchive
 
 aptgetupdate() {
        rm -rf rootdir/var/lib/apt/ rootdir/var/cache/apt/*.bin
 
 aptgetupdate() {
        rm -rf rootdir/var/lib/apt/ rootdir/var/cache/apt/*.bin

-       aptget update -qq --allow-unauthenticated
+       aptget update -qq --allow-insecure-repositories

 }
 
 PKGTEXT="$(aptget install cool --assume-no -d | head -n 7)"
 }
 
 PKGTEXT="$(aptget install cool --assume-no -d | head -n 7)"

diff --git a/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted b/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted
index 276e10564fcfbfcc54721859dc09ac5c16ed160f..0736bb6dc598de4f07084f011edc0c83efc9ab93 100755 (executable)
--- a/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted
+++ b/test/integration/test-bug-617690-allow-unauthenticated-makes-all-untrusted
@@ -26,7 +26,7 @@ testrun() {
        rm -rf rootdir/var/lib/apt
 
        if [ "$1" = 'trusted' ]; then
        rm -rf rootdir/var/lib/apt
 
        if [ "$1" = 'trusted' ]; then

-           testsuccess aptget update
+               testsuccess aptget update

 
                testsuccess aptget download cool
                testfileexists 'cool_1.0_i386.deb'
 
                testsuccess aptget download cool
                testfileexists 'cool_1.0_i386.deb'


@@ -34,7 +34,7 @@ testrun() {
                testsuccess aptget download cool --allow-unauthenticated
                testfileexists 'cool_1.0_i386.deb'
        else
                testsuccess aptget download cool --allow-unauthenticated
                testfileexists 'cool_1.0_i386.deb'
        else

-           testsuccess aptget update --allow-unauthenticated
+                testsuccess aptget update --allow-insecure-repositories

 
                testfailure aptget download cool
                testfilemissing 'cool_1.0_i386.deb'
 
                testfailure aptget download cool
                testfilemissing 'cool_1.0_i386.deb'

diff --git a/test/integration/test-bug-717891-abolute-uris-for-proxies b/test/integration/test-bug-717891-abolute-uris-for-proxies
index a8947b5e275ec79b72ff7ba05e05bbe0aa4a21e9..54a61668633ab46dbe14af9944b84a66bffb052b 100755 (executable)
--- a/test/integration/test-bug-717891-abolute-uris-for-proxies
+++ b/test/integration/test-bug-717891-abolute-uris-for-proxies
@@ -12,7 +12,7 @@ setupaptarchive
 changetowebserver --request-absolute='uri'
 
 msgtest 'Check that absolute paths are' 'not accepted'
 changetowebserver --request-absolute='uri'
 
 msgtest 'Check that absolute paths are' 'not accepted'

-testfailure --nomsg aptget update --allow-unauthenticated
+testfailure --nomsg aptget update --allow-insecure-repositories

 
 echo 'Acquire::http::Proxy "http://localhost:8080";' > rootdir/etc/apt/apt.conf.d/99proxy
 
 
 echo 'Acquire::http::Proxy "http://localhost:8080";' > rootdir/etc/apt/apt.conf.d/99proxy
 

diff --git a/test/integration/test-bug-738785-switch-protocol b/test/integration/test-bug-738785-switch-protocol
index 4ff044515f906fe58086545bf472e2d26bcbb67b..f81bba4b9f6993b85f86fe944b5661b19b473479 100755 (executable)
--- a/test/integration/test-bug-738785-switch-protocol
+++ b/test/integration/test-bug-738785-switch-protocol
@@ -60,4 +60,4 @@ mv rootdir/${COPYMETHODS}.bak rootdir/${COPYMETHODS}
 # check that downgrades from https to http are not allowed
 webserverconfig 'aptwebserver::support::http' 'true'
 sed -i -e 's#:8080/redirectme#:4433/downgrademe#' -e 's# http:# https:#' rootdir/etc/apt/sources.list.d/*
 # check that downgrades from https to http are not allowed
 webserverconfig 'aptwebserver::support::http' 'true'
 sed -i -e 's#:8080/redirectme#:4433/downgrademe#' -e 's# http:# https:#' rootdir/etc/apt/sources.list.d/*

-testfailure aptget update --allow-unauthenticated
+testfailure aptget update --allow-insecure-repositories

diff --git a/test/integration/test-hashsum-verification b/test/integration/test-hashsum-verification
index 2db2bab0f44fc9db173570ad52e111b0818e2b2e..5f88110b3f13cdc2f55c53460be57dcf301d5272 100755 (executable)
--- a/test/integration/test-hashsum-verification
+++ b/test/integration/test-hashsum-verification
@@ -70,7 +70,7 @@ runtest() {
         rm -rf rootdir/var/lib/apt/lists
         rm aptarchive/InRelease aptarchive/Release.gpg
         msgtest 'unsigned apt-get update gets the expected hashsum mismatch'
         rm -rf rootdir/var/lib/apt/lists
         rm aptarchive/InRelease aptarchive/Release.gpg
         msgtest 'unsigned apt-get update gets the expected hashsum mismatch'

-       aptget update --allow-unauthenticated >output.log 2>&1 || true
+       aptget update --allow-insecure-repositories >output.log 2>&1 || true

         if grep -q "Hash Sum mismatch" output.log; then
             msgpass
         else
         if grep -q "Hash Sum mismatch" output.log; then
             msgpass
         else

diff --git a/test/integration/test-policy-pinning b/test/integration/test-policy-pinning
index 2281d7a1d259a1c9edf62bc4a3ef6fbee5c3c3e4..c08a2f103d3fd611b696b6b28f625b971f224c51 100755 (executable)
--- a/test/integration/test-policy-pinning
+++ b/test/integration/test-policy-pinning
@@ -28,7 +28,7 @@ Pinned packages:" aptcache policy $*
 aptgetupdate() {
        # just to be sure that no old files are used
        rm -rf rootdir/var/lib/apt
 aptgetupdate() {
        # just to be sure that no old files are used
        rm -rf rootdir/var/lib/apt

-       if aptget update  --allow-unauthenticated -qq 2>&1 | grep '^E: '; then
+       if aptget update  --allow-insecure-repositories -qq 2>&1 | grep '^E: '; then

                msgwarn 'apt-get update failed with an error'
        fi
 }
                msgwarn 'apt-get update failed with an error'
        fi
 }