
Re: RPM roadmapping



On Mon, 30 Jul 2007, Alexander Boström wrote:

> Mon 2007-07-30 at 16:51 +0300, Gilboa Davara wrote:
>
> > I second the above.
> > Running an HTTP/FTP client as root is -not- a good idea.
> >
> > Even if HTTP is being pushed to an external plugin that's built around
> > wget, this plugin must be executed as user/guest and not as root.
>
> Yes, the principle of least privilege does apply here.
>
> Though, I would worry more about the fact that rpm -ivh http://...
> doesn't verify any signatures. It's a good idea to:

Actually it does verify the signature if one is present, unless you turn it off explicitly. The problem is that rpm doesn't have a meaningful mechanism to *prevent* installation if unsigned and/or signed but untrusted packages are installed. Yes, it's .. silly.

> wget http://...
> rpm -K foo.rpm
> Look at the result, and then maybe:
> rpm -i foo.rpm
>
> (rpm -K && rpm -i won't do, since it'll say OK for unsigned packages,
> IIRC)
>
> Or, even:
>
> wget http://...
> yum localinstall foo.rpm
>
> Which, in turn, might be possible to simplify?
>
> Yum could just as well support "yum install http://..../foo.rpm" :)

Speaking of that, yum currently accesses the package header before verifying the signature, at least in the case of localinstall. I've some fuzzed rpm's here that cause rpm to segfault if signature checking is disabled as yum does... Dunno how exploitable that is in reality, but there is a potential vulnerability there anyway.

	- Panu -
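An added example (not from the thread) of the "look at the result of rpm -K" step discussed above: a shell function that accepts a package only when the checksig result line shows a verified signature, since an unsigned package also gets a plain OK when just its digests check out. The result lines in the comments are constructed samples in the style of older and newer rpm versions, and the fetch/install wrapper assumes wget and rpm are on the path.

```shell
#!/bin/sh
# Added example, not code from the thread. Decide from one line of
# `rpm -K` / `rpm --checksig` output whether the package is signed AND the
# signature verified against a key in the rpm keyring.
#
# Constructed sample result lines (old and new rpm output styles):
#   foo.rpm: (sha1) dsa sha1 md5 gpg OK                      -> signed, trusted
#   foo.rpm: sha1 md5 OK                                     -> unsigned (digests only)
#   foo.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
#   foo.rpm: digests signatures OK                           -> signed, trusted
#   foo.rpm: digests OK                                      -> unsigned
#   foo.rpm: digests SIGNATURES NOT OK                       -> untrusted / bad

# rpm_sig_trusted "<result line>": returns 0 only for a verified signature.
rpm_sig_trusted() {
    line=$1
    verdict=${line#*: }            # strip the leading "filename: "
    case "$verdict" in
        *"NOT OK"*|*"MISSING KEYS"*|*NOKEY*) return 1 ;;   # bad or untrusted key
    esac
    case "$verdict" in
        *OK) ;;                    # some OK verdict is present
        *) return 1 ;;             # no OK at all
    esac
    # A plain OK is not enough: require a signature token, otherwise only
    # the digests were checked and the package is unsigned.
    lc=$(printf '%s' "$verdict" | tr 'A-Z' 'a-z')
    case "$lc" in
        *gpg*|*pgp*|*signatures*) return 0 ;;
        *) return 1 ;;
    esac
}

# The thread's procedure with the manual "look at the result" step automated:
# fetch (ideally as an unprivileged user), check, and install only on a
# verified signature. $1 is the package URL.
fetch_check_install() {
    url=$1
    file=$(basename "$url")
    wget -q -O "$file" "$url" || return 1
    result=$(rpm -K "$file" 2>&1)
    if rpm_sig_trusted "$result"; then
        rpm -i "$file"
    else
        echo "refusing to install $file: $result" >&2
        return 1
    fi
}
```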

