[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Local users get to play root?



On 11/18/2009 05:14 PM, Richard Hughes wrote:
2009/11/18 Jeff Garzik<jgarzik pobox com>:
How little social engineering + virus automation does it take to get such an
install to include a malicious 3rd party repo?

You need the root password to install from repos not signed by a key
previously imported, or if the package signature is wrong.

You forget we have botnets doing distributed cracking now.

Fedora just opened up a huge attack vector, for the users who are least equipped to understand the consequences.

And this enormous security hole of a policy change was done with next to /zero/ communication, making it likely that many admins will not even know they are vulnerable until their kids install a bunch of unwanted packages.

	Jeff





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]