How secure is Preupgrade? Answer: Not.
stan
goedigi89__e at cox.net
Wed May 21 22:14:27 UTC 2008
Beartooth Sciurivore wrote:
> On Wed, 21 May 2008 00:27:17 +0200, Björn Persson wrote:
>
>
I want to thank Bjorn for doing the research on this.
>> I went ahead and read the code. [....]
>>
>> I've got my answer: Preupgrade is not secure. I'll continue upgrading
>> the way I've done it before – either with Yum or from a DVD image on a
>> USB stick.
>>
>
> Dumb question, probably : if you install and run preupgrade
> according to http://fedoraproject.org/wiki/PreUpgrade, BUT let it stop
> after downloading boot images, is there some user-friendly thing you can
> do then to make it secure? Something on the order of getting into a
> directory and commanding, in effect, "check all signatures"?
>
> Or had we just better wait till PreUpgrade 1.0 comes out? Or ...?
>
> If the latter, do we need to get rid of whatever-all 0.9.3-3
> downloaded? Or will we be able to just "yum update PreUpgrade" in F8 and
> then run it again?
>
>
If you wanted to, you could verify the files yourself before they are
installed as you mentioned above. Preupgrade puts them in a folder
/var/cache/yum/anaconda-upgrade/packages. When it has finished
downloading it requires rebooting before it will start install. So you
could run rpm on the files to validate that they have proper md5 sums at
that time. I think it would be rpm --checksig *.rpm while in the
directory.
Because of Bjorn's research, I ran rpm -qa -V on my preupgraded Fedora 9
to see if the md5 sums for installed packages are valid. There were
some packages with failed sums, but they were mostly configuration files
that didn't get updated and other non critical things.
If anaconda uses rpm to do the upgrade, there is a blurb in the man file
stating that rpm automatically does the md5 check on install. I think
these are signed with a Fedora specific key, so they would fail if they
weren't official or were tampered with.
I'm not a security expert, so these might not answer the security
problem. Definitely should be a check in preupgrade itself.
More information about the fedora-list
mailing list