RPM roadmapping

Panu Matilainen pmatilai at laiskiainen.org
Mon Jul 30 18:03:48 UTC 2007


On Mon, 30 Jul 2007, Alexander Boström wrote:

> Mon 2007-07-30 at 16:51 +0300, Gilboa Davara wrote:
>
>> I second the above.
>> Running HTTP/FTP client as root is -not- a good idea.
>>
>> Even if HTTP is being pushed to an external plugin that's built around
>> wget, this plugin must be executed as user/guest and not as root.
>
> Yes, the principle of least privilege does apply here.
>
> Though, I would worry more about the fact that rpm -ivh http://...
> doesn't verify any signatures. It's a good idea to:

Actually it does verify the signature if one is present, unless you turn 
it off explicitly. The problem is that rpm doesn't have a meaningful 
mechanism to *prevent* installation if unsigned and/or signed but 
untrusted packages are installed. Yes, it's... silly.

> wget http://...
> rpm -K foo.rpm
> Look at the result, and then maybe:
> rpm -i foo.rpm
>
> (rpm -K && rpm -i won't do, since it'll say OK for unsigned packages,
> IIRC)
>
> Or, even:
>
> wget http://...
> yum localinstall foo.rpm
>
> Which, in turn, might be possible to simplify?

Yum could just as well support "yum install http://..../foo.rpm" :)

Speaking of that, yum currently accesses package header before verifying 
the signature, at least in the case of localinstall. I've some fuzzed 
rpms here that cause rpm to segfault if signature checking is 
disabled as yum does... Dunno how exploitable that is in reality but there 
is a potential vulnerability there anyway.

- Panu -
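The point made above, that `rpm -K` reports OK for unsigned packages so `rpm -K && rpm -i` does not enforce anything, can be handled by parsing the verdict line instead of relying on the exit status. The script below is an added example written for this thread, not code from rpm, yum or either poster. It assumes the one-line output format of `rpm -K` from rpm 4.x (a `gpg`/`pgp` token before `OK` for a signature that verified against an imported key, no such token for an unsigned package, and `NOT OK (MISSING KEYS: ...)` for a signature whose key is not in the rpm keyring); the sample lines in the comments are constructed to that format, and the function names are my own.

```shell
#!/bin/sh
# Added example: gate installation on the `rpm -K` verdict line rather than
# on its exit status, because `rpm -K` exits 0 for unsigned packages too.
#
# Assumed `rpm -K` output formats (rpm 4.x; constructed sample lines):
#   foo.rpm: (sha1) dsa sha1 md5 gpg OK                               signed, key in keyring
#   foo.rpm: sha1 md5 OK                                               unsigned
#   foo.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#...)  signed, key not imported
#   foo.rpm: sha1 MD5 NOT OK                                           digest mismatch / corrupt

# sig_verdict LINE
#   Prints one of: signed-ok, unsigned, untrusted, bad.
#   Returns 0 only for signed-ok, so it can be used directly in a condition.
sig_verdict() {
    line=$1
    # Drop the "filename: " prefix so a filename containing "gpg" cannot
    # be mistaken for a signature token.
    rest=${line#*: }
    case "$rest" in
        *"NOT OK"*)
            if printf '%s\n' "$rest" | grep -qi 'MISSING KEYS'; then
                echo untrusted      # signed, but by a key rpm does not know
            else
                echo bad            # digest or signature verification failed
            fi
            return 1 ;;
        *" OK"*)
            # Digests verified; only accept if a gpg/pgp signature token is present.
            if printf '%s\n' "$rest" | grep -qiE '(^|[ (])(gpg|pgp)[ )]'; then
                echo signed-ok
                return 0
            else
                echo unsigned       # `rpm -K` still exits 0 here
                return 1
            fi ;;
        *)
            echo bad
            return 1 ;;
    esac
}

# verify_then_install FILE
#   Runs `rpm -K` on FILE and installs it only when the verdict is signed-ok.
#   (Not exercised in the test below, since it needs rpm on the host.)
verify_then_install() {
    pkg=$1
    # `rpm -K` may exit non-zero for NOT OK; we still want its output line.
    out=$(rpm -K "$pkg") || true
    verdict=$(sig_verdict "$out") || true
    case $verdict in
        signed-ok)
            rpm -i "$pkg" ;;
        *)
            echo "refusing to install $pkg: $verdict" >&2
            return 1 ;;
    esac
}
```

Usage: `verify_then_install foo.rpm` after fetching the file as an unprivileged user; only the final `rpm -i` needs root, which keeps the download and the parsing step out of the privileged path.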

More information about the fedora-devel-list mailing list