[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Local users get to play root?





On Wed, 18 Nov 2009, James Antill wrote:


1. Does "install" of obsoleting packages come under the same auth. (if
so I can now arbitrarily upgrade certain packages).

2. Does "install" of installonly come under the same auth. (if so I can
now stop kernel upgrades).

+1

4. Are there any attacks against packages with "default on" services?
(Note that you can almost certainly wait until there is an attack, and
then install the insecure service).

And if we have default on services then I think we should take a good LOOOOOOOOOONG look at them.

7. And the most obvious one ... how hard is it to get a bad package into
one of the repos. that the machine has enabled.

+many

-sv


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]