How secure is Preupgrade? Answer: Not.

max maximilianbianco at gmail.com
Wed May 21 22:46:30 UTC 2008


stan wrote:
> Beartooth Sciurivore wrote:
>> On Wed, 21 May 2008 00:27:17 +0200, Björn Persson wrote:
>>
>>   
> I want to thank Bjorn for doing the research on this.
>>> I went ahead and read the code. [....]
>>>
>>> I've got my answer: Preupgrade is not secure. I'll continue upgrading
>>> the way I've done it before – either with Yum or from a DVD image on a
>>> USB stick.
>>>     
>>
>>     Dumb question, probably: if you install and run preupgrade 
>> according to http://fedoraproject.org/wiki/PreUpgrade, BUT let it stop 
>> after downloading boot images, is there some user-friendly thing you 
>> can do then to make it secure? Something on the order of getting into 
>> a directory and commanding, in effect, "check all signatures"?
>>
>>     Or had we just better wait till PreUpgrade 1.0 comes out? Or ...?
>>
>>     If the latter, do we need to get rid of whatever-all 0.9.3-3 
>> downloaded? Or will we be able to just "yum update PreUpgrade" in F8 
>> and then run it again?
>>
>>   
> If you wanted to, you could verify the files yourself before they are 
> installed as you mentioned above.  Preupgrade puts them in a folder 
> /var/cache/yum/anaconda-upgrade/packages.  When it has finished 
> downloading it requires rebooting before it will start the install.  So you 
> could run rpm on the files to validate that they have proper md5 sums at 
> that time.  I think it would be rpm --checksig *.rpm while in the 
> directory.
> 
I thought there might be something that could be done here but I did not 
know what. Thanks for chiming in on this.

> Because of Bjorn's research, I ran rpm -qa -V on my preupgraded Fedora 9 
> to see if the md5 sums for installed packages are valid.  There were 
> some packages with failed sums, but they were mostly configuration files 
> that didn't get updated and other non critical things.

Somewhat reassuring. I am doing the same right now.

> If anaconda uses rpm to do the upgrade, there is a blurb in the man file 
> stating that rpm automatically does the md5 check on install.  I think 
> these are signed with a Fedora specific key, so they would fail if they 
> weren't official or were tampered with.
Good to know. Makes me feel slightly better.

> 
> I'm not a security expert, so these might not answer the security 
> problem.  Definitely should be a check in preupgrade itself.
>
Yes there should be. Thanks again.
BTW, everyone, I am not interested in finger pointing; what is done is 
done, but could this not have been handled better?


Max



-- 
On the eighth day he said "There shall be no rest for the weary."

On the ninth day he farted, and it smelled like sulphur.
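Stan's suggestion earlier in the thread (running rpm --checksig over the packages PreUpgrade leaves in /var/cache/yum/anaconda-upgrade/packages before rebooting) is the right check, but the detail that matters is not the md5 part of the output, which only proves the file was not corrupted in transit, but whether the GPG signature verified against a key in the rpm keyring. The script below is an added example, not code from this thread or from the PreUpgrade project; it assumes the one-line-per-package format of rpm --checksig output (ending in OK or NOT OK, with MISSING KEYS or NOKEY when the signing key is absent) and the cache path stan named. The package names in its tests are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from PreUpgrade): classify the
# result of `rpm --checksig` for every package PreUpgrade has cached, so a
# digest-only "OK" is not mistaken for a verified GPG signature.

# Reduce one `rpm --checksig` output line to a verdict:
#   OK        digests and GPG signature verified against an imported key
#   NOKEY     signed, but the signing key is not in the rpm keyring
#   BAD       digest or signature check failed (corrupt or tampered file)
#   UNSIGNED  digests OK, but the package carries no signature at all
classify_checksig_line() {
    # Drop the "filename: " prefix so a package name such as gpgme-*.rpm
    # cannot satisfy the signature-token test below.
    result=${1#*: }
    case "$result" in
        *"MISSING KEYS"*|*NOKEY*) echo NOKEY ;;
        *"NOT OK"*)               echo BAD ;;
        *OK)
            case "$result" in
                *pgp*|*gpg*|*PGP*|*GPG*|*signatures*|*SIGNATURES*) echo OK ;;
                *) echo UNSIGNED ;;
            esac ;;
        *) echo BAD ;;   # anything unrecognised is treated as a failure
    esac
}

# Run rpm --checksig over a directory of .rpm files (default: the cache
# directory named in the thread) and print one verdict per file.
# Returns 0 only if every package is OK, 2 if the directory holds no rpms.
check_cache_dir() {
    dir=${1:-/var/cache/yum/anaconda-upgrade/packages}
    bad=0
    for f in "$dir"/*.rpm; do
        if [ ! -e "$f" ]; then
            echo "no .rpm files found in $dir" >&2
            return 2
        fi
        verdict=$(classify_checksig_line "$(rpm --checksig "$f" 2>&1)")
        printf '%-9s %s\n' "$verdict" "$f"
        [ "$verdict" = OK ] || bad=$((bad + 1))
    done
    echo "$bad package(s) did not verify"
    [ "$bad" -eq 0 ]
}

# Only scan when a directory is given on the command line, e.g.
#   sh checksig-cache.sh /var/cache/yum/anaconda-upgrade/packages
if [ "$#" -gt 0 ]; then
    check_cache_dir "$1"
fi
```

Anything other than OK means the reboot should wait. NOKEY means rpm could not check the signature because the Fedora signing key is not in its keyring; import it (on a Fedora system the keys live under /etc/pki/rpm-gpg) and run the scan again. UNSIGNED is the case stan's md5 wording would miss: the digests match, but nothing ties the file to Fedora. Newer rpm releases print only "SIGNATURES NOT OK" for a missing key unless -v is given, so the script reports such a file as BAD, which errs on the safe side.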
