[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: RPM security (a newbie question)

"Stanisław T. Findeisen" wrote:
> What does the process of installing new RPM package look like? There
> are some commands that such package is allowed to execute, right?

By policy, there are things that rpm scriptlets should not do.  But if
you created an rpm which had a %post section containing rm -rf /, rpm
would run it AFAIK.

> Also what's the difference between "Everything" and "Fedora" dirs in
> Fedora package tree?

The Fedora dir contains just what is included on the DVD media.  The
Everything dir contains all of the packages available.  Everything is
a superset of Fedora.

> I wonder how easy it is to create a rootkit/trojan horse/whatever
> and get it loaded on Fedora users' computers.

You would need to create a trojan package and get it onto the mirrors,
signed by the Fedora package signing key for a particular release.
This is not an easy task, as the keys are held pretty tightly, with
very limited access (if a handful of people can sign packages, I'd be

Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
An election is coming. Universal peace is declared and the foxes have
a sincere interest in prolonging the lives of the poultry.
    -- T.S. Eliot

Attachment: pgp2utjfFYZtq.pgp
Description: PGP signature

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]