
Re: Local users get to play root?

On Wed, Nov 18, 2009 at 11:18:28PM +0530, Rahul Sundaram wrote:
> On 11/18/2009 11:19 PM, nodata wrote:
> > 
> > Thanks. I have changed the title to:
> > "All users get to install software on a machine they do not have the
> > root password to"
> .. if the packages are signed and from a signed repository. So, you left
> out the important part. Explain why this is a problem in a bit more
> detail.

To me it looks like the F12 i386 Everything repository is not signed:
$ curl -sI http://download.fedoraproject.org/pub/fedoralinux/releases/12/Everything/i386/os/repodata/repomd.xml.asc | head -n1

So at least one major security protection measure is not in place and
attackers can create their own repositories with signed packages that
have well-known security flaws, e.g. a package with a bad setuid root
binary, and install it, if it is not already installed in a newer


Attachment: pgpP1hPsfWL5i.pgp
Description: PGP signature
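
The message above separates signed packages from signed repository metadata. As an added example that is not part of the original message, this audits yum-style repo definitions for both checks per enabled repository. It assumes the `gpgcheck` and `repo_gpgcheck` options, inheritance from `[main]`, and treats an unset option as off; the repo ids and URLs are constructed.

```python
import configparser

# Constructed sample configuration (not taken from a real system).
SAMPLE_MAIN = "[main]\ngpgcheck=1\n"
SAMPLE_REPOS = """\
[example-everything]
baseurl=http://mirror.example.invalid/releases/$releasever/Everything/$basearch/os/
gpgcheck=1
[example-signed-metadata]
baseurl=http://mirror.example.invalid/signed/
repo_gpgcheck=1
[example-local]
baseurl=file:///srv/repo
gpgcheck=0
[example-disabled]
baseurl=http://mirror.example.invalid/off/
enabled=0
gpgcheck=0
"""

def _parse(text):
    # Interpolation off: yum variables such as $releasever must pass through.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser

def audit_repos(repo_text, main_text=""):
    """Map each enabled repo id to the signature checks it does not enforce."""
    main = _parse(main_text)
    def is_on(repo, key):
        # Per-repo value wins, then [main]; unset counts as off (assumption).
        if repo.get(key) is not None:
            return repo.getboolean(key)
        return main.getboolean("main", key, fallback=False)

    findings = {}
    repos = _parse(repo_text)
    for repo_id in repos.sections():
        repo = repos[repo_id]
        if not repo.getboolean("enabled", fallback=True):
            continue  # disabled repos are never consulted
        issues = []
        if not is_on(repo, "gpgcheck"):
            issues.append("package signatures not checked")
        if not is_on(repo, "repo_gpgcheck"):
            issues.append("repomd.xml signature not checked")
        if issues:
            findings[repo_id] = issues
    return findings
```

A repository that reports only the `repomd.xml` finding is in the state the message describes: package signatures are verified, but nothing authenticates which set of packages the repository offers.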
