How secure is Preupgrade? Answer: Not.
max
maximilianbianco at gmail.com
Wed May 21 22:46:30 UTC 2008
stan wrote:
> Beartooth Sciurivore wrote:
>> On Wed, 21 May 2008 00:27:17 +0200, Björn Persson wrote:
>>
>>
> I want to thank Bjorn for doing the research on this.
>>> I went ahead and read the code. [....]
>>>
>>> I've got my answer: Preupgrade is not secure. I'll continue upgrading
>>> the way I've done it before – either with Yum or from a DVD image on a
>>> USB stick.
>>>
>>
>> Dumb question, probably: if you install and run preupgrade
>> according to http://fedoraproject.org/wiki/PreUpgrade, BUT let it stop
>> after downloading boot images, is there some user-friendly thing you
>> can do then to make it secure? Something on the order of getting into
>> a directory and commanding, in effect, "check all signatures"?
>>
>> Or had we just better wait till PreUpgrade 1.0 comes out? Or ...?
>>
>> If the latter, do we need to get rid of whatever-all 0.9.3-3
>> downloaded? Or will we be able to just "yum update PreUpgrade" in F8
>> and then run it again?
>>
>>
> If you wanted to, you could verify the files yourself before they are
> installed as you mentioned above. Preupgrade puts them in a folder
> /var/cache/yum/anaconda-upgrade/packages. When it has finished
> downloading it requires rebooting before it will start the install. So you
> could run rpm on the files to validate that they have proper md5 sums at
> that time. I think it would be rpm --checksig *.rpm while in the
> directory.
>
I thought there might be something that could be done here but I did not
know what. Thanks for chiming in on this.
> Because of Bjorn's research, I ran rpm -qa -V on my preupgraded Fedora 9
> to see if the md5 sums for installed packages are valid. There were
> some packages with failed sums, but they were mostly configuration files
> that didn't get updated and other non critical things.
Somewhat reassuring. I am doing the same right now.
> If anaconda uses rpm to do the upgrade, there is a blurb in the man file
> stating that rpm automatically does the md5 check on install. I think
> these are signed with a Fedora specific key, so they would fail if they
> weren't official or were tampered with.
Good to know. Makes me feel slightly better.
>
> I'm not a security expert, so these might not answer the security
> problem. Definitely should be a check in preupgrade itself.
>
Yes there should be. Thanks again.
BTW everyone, I am not interested in finger pointing; what is done is
done, but could this not have been handled better?
Max
--
On the eighth day he said "There shall be no rest for the weary."
On the ninth day he farted, and it smelled like sulphur.
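As an added example (not from anyone in the thread), the following shell functions classify `rpm --checksig` output so that a package that merely has good digests is not mistaken for one whose signature verified: rpm prints lowercase gpg/pgp/rsa/dsa (or "signatures" in newer versions) only when a signature checked out, and an unsigned package still ends in "OK". The sample output and package names are constructed for the example; the output formats assumed are noted in the comments.

```shell
#!/bin/sh
# Added example, not part of the fedora-list thread. Assumed output shapes:
#   old rpm:  "pkg.rpm: (sha1) dsa sha1 md5 gpg OK"      (signed, verified)
#             "pkg.rpm: sha1 md5 OK"                     (unsigned, digests OK)
#             "pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: ...)"
#   newer rpm: "pkg.rpm: digests signatures OK" / "pkg.rpm: digests OK"

# classify_checksig_line LINE -> prints: signed | unsigned | bad
classify_checksig_line() {
    line=$1
    case $line in
        *"NOT OK"*) echo bad; return 0 ;;      # digest or signature failed
        *" OK") ;;                              # digests fine, signature unknown yet
        *) echo bad; return 0 ;;                # unexpected shape: treat as failure
    esac
    # Drop the file name, then look for a lowercase signature token,
    # which rpm only prints when the signature verified against its keyring.
    case " ${line#*: } " in
        *" gpg "*|*" pgp "*|*" rsa "*|*" dsa "*|*" signatures "*) echo signed ;;
        *) echo unsigned ;;
    esac
}

# count_unverified OUTPUT -> prints how many lines are not fully signature-verified
count_unverified() {
    n=0
    while IFS= read -r l; do
        [ -n "$l" ] || continue
        [ "$(classify_checksig_line "$l")" = signed ] || n=$((n+1))
    done <<EOF
$1
EOF
    echo "$n"
}

# check_preupgrade_cache DIR -> prints the unverified count for DIR/*.rpm (needs rpm)
check_preupgrade_cache() {
    out=$(cd "$1" && rpm --checksig -- *.rpm) || true   # rpm exits non-zero on any failure
    count_unverified "$out"
}

# Constructed sample output (file names and key id are placeholders).
SAMPLE_OUTPUT='example-a-1.0-1.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
example-b-1.0-1.noarch.rpm: sha1 md5 OK
example-c-1.0-1.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#deadbeef)
example-d-1.0-1.noarch.rpm: digests signatures OK
example-e-1.0-1.noarch.rpm: digests OK'

count_unverified "$SAMPLE_OUTPUT"   # 3: one unsigned, one missing key, one digests-only
```

On a real system run `check_preupgrade_cache /var/cache/yum/anaconda-upgrade/packages` before rebooting; a non-zero count means at least one downloaded package did not verify against an imported Fedora key.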