[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: YUM security issues...

On Wed, Jul 30, 2008 at 08:42:44AM -0700, Justin Cappos wrote:
> You might also think about requiring the mirror's IP address to fall
> in the subnet (or else they ask for your approval).   This might
> further complicate an attacker using this for evil.

The challenge here is

a) private servers often are on RFC1918 addresses, so they don't fall
inside the public-visible netblock assignments.  If it's a private
server, MM doesn't even crawl it (they're likely unreachable anyhow),
relying on them to run report_mirror.  This also keeps our crawl times
down to 4-6 hours, it only crawls the 50% of listed servers that are public.

b) malicious sysadmins could change their DNS entry after getting the
netblock set up by a Fedora sysadmin, so as to no longer be inside the

I feel the window of opportunity here is small, and we're going to
make changes to make it even smaller.  Users can't install unsigned
packages, the worst a malicious mirror can do is serve "stale" content
for a period of time we'll be able to control (it may be ridiculously
small, like "never" (which is easy to implement but a PITA for mirrors
that sync only once a day), or up to 1 week (I haven't worked out how
to do this cleanly, but it's nicer to users of mirrors who are good
citizens) which is clearly what I want.

Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]