[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Local users get to play root?



On Wed, Nov 18, 2009 at 11:18:28PM +0530, Rahul Sundaram wrote:
> On 11/18/2009 11:19 PM, nodata wrote:
> 
> > 
> > Thanks. I have changed the title to:
> > "All users get to install software on a machine they do not have the
> > root password to"
> 
> .. if the packages are signed and from a signed repository. So, you left
> out the important part. Explain why this is a problem in a bit more
> detail.

To me it looks like the F12 i386 Everything repository is not signed:
$ curl -sI http://download.fedoraproject.org/pub/fedoralinux/releases/12/Everything/i386/os/repodata/repomd.xml.asc | head -n1
HTTP/1.1 404 NOT FOUND

So at least one major security protection measure is not in place and
attackers can create their own repositories with signed packages that
have well-known security flaws, e.g. a package with a bad setuid root
binary, and install it if it is not already installed in a newer
version.

Regards
Till

Attachment: pgpP1hPsfWL5i.pgp
Description: PGP signature
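The check in the message above (does the repository publish repomd.xml.asc?) and the client-side half of it (is yum configured to insist on that signature?) can be scripted. The following is an added example, not code from the thread or from the Fedora project: it parses a yum .repo file and reports every enabled repository that lacks repo_gpgcheck=1 (metadata accepted unsigned) or has gpgcheck=0 (packages accepted unsigned), and wraps Till's curl probe as a function for live use. The .repo contents and the example.invalid URLs are constructed for illustration; the option names gpgcheck and repo_gpgcheck are real yum settings.

```shell
#!/bin/sh
# Added example (not from the original message): flag yum repositories whose
# signature checking is off. Assumes the yum .repo format ([name] sections
# followed by key=value lines). The sample file at the bottom is constructed.

# Print "<section> <problem>" for each enabled repo section that lacks
# repo_gpgcheck=1 or gpgcheck=1. Reads the .repo file given as $1.
audit_repo_file() {
    awk '
        function flush() {
            if (sec == "") return
            if (enabled != "0") {
                if (repo_gpgcheck != "1") print sec " repo_gpgcheck-not-enabled"
                if (gpgcheck != "1")      print sec " gpgcheck-not-enabled"
            }
        }
        /^[ \t]*\[/ {
            flush()
            sec = $0; gsub(/^[ \t]*\[|\].*$/, "", sec)
            enabled = "1"; repo_gpgcheck = ""; gpgcheck = ""
            next
        }
        /^[ \t]*$/    { next }   # blank line
        /^[ \t]*[#;]/ { next }   # comment line
        {
            split($0, kv, "=")
            key = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = kv[2]; gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled")       enabled = val
            if (key == "repo_gpgcheck") repo_gpgcheck = val
            if (key == "gpgcheck")      gpgcheck = val
        }
        END { flush() }
    ' "$1"
}

# Till's probe, generalised: does the repository at base URL $1 publish a
# detached signature for its metadata? Prints "signed" or "unsigned".
# This one talks to the network, so it is not exercised by the offline run.
metadata_is_signed() {
    code=$(curl -sI -o /dev/null -w '%{http_code}' "$1/repodata/repomd.xml.asc")
    if [ "$code" = "200" ]; then echo signed; else echo unsigned; fi
}

# Constructed sample: one repo with both checks on, one that never verifies
# its metadata, one with everything off, and one disabled repo (ignored).
SAMPLE_REPO_FILE=$(mktemp)
cat > "$SAMPLE_REPO_FILE" <<'EOF'
[fedora]
name=Fedora $releasever - $basearch
baseurl=http://example.invalid/fedora/releases/12/Everything/i386/os
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

[updates]
name=Fedora $releasever - $basearch - Updates
baseurl=http://example.invalid/fedora/updates/12/i386
enabled=1
gpgcheck=1
# repo_gpgcheck absent: the package list itself is accepted unsigned

[thirdparty]
name=Unverified third party
baseurl=http://example.invalid/thirdparty
enabled=1
gpgcheck=0

[disabled-repo]
name=Not enabled
baseurl=http://example.invalid/old
enabled=0
gpgcheck=0
EOF

audit_repo_file "$SAMPLE_REPO_FILE"
```

Run against a real system with `for f in /etc/yum.repos.d/*.repo; do audit_repo_file "$f"; done`; the unsigned-metadata case is the one Till's curl output shows, and without repo_gpgcheck a signed package set can still be substituted with an older, vulnerable but validly signed set because the list of packages is not itself signed.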

