RPM roadmapping

Panu Matilainen pmatilai at laiskiainen.org
Mon Jul 30 18:03:48 UTC 2007

On Mon, 30 Jul 2007, Alexander Boström wrote:

> mån 2007-07-30 klockan 16:51 +0300 skrev Gilboa Davara:
>> I second the above.
>> Running HTTP/FTP client as root is -not- a god idea.
>> Even if HTTP is being pushed to an external plugin that's built around
>> wget, this plug must be executed as user/guest and not as root.
> Yes, the principle of least privilege does apply here.
> Though, I would worry more about the fact that rpm -ivh http://...
> doesn't verify any signatures. It's a good idea to:

Actually it does verify the signature if one is present, unless you turn 
it off explicitly. The problem is that rpm doesn't have a meaningful 
mechanism to *prevent* installation if unsigned and/or signed but 
untrusted packages are installed. Yes it's .. silly.

> wget http://...
> rpm -K foo.rpm
> Look at the result, and then maybe:
> rpm -i foo.rpm
> (rpm -K && rpm -i won't do, since it'll say OK for unsigned packages,
> Or, even:
> wget http://...
> yum localinstall foo.rpm
> Which, in turn, might be possible to simplify?

Yum could just as well support "yum install http://..../foo.rpm" :)

Speaking of that, yum currently accesses package header before verifying 
the signature, at least in the case of localinstall. I've some fuzzed 
rpm's here that cause rpm to segfault if signature checking is 
disabled as yum does... Dunno how exploitable that is in reality but there 
is a potential vulnerability there anyway.

 	- Panu -

More information about the fedora-devel-list mailing list