Local users get to play root?

Till Maas opensource at till.name
Thu Nov 19 09:23:53 UTC 2009


On Wed, Nov 18, 2009 at 11:18:28PM +0530, Rahul Sundaram wrote:
> On 11/18/2009 11:19 PM, nodata wrote:
> 
> > 
> > Thanks. I have changed the title to:
> > "All users get to install software on a machine they do not have the
> > root password to"
> 
> .. if the packages are signed and from a signed repository. So, you left
> out the important part. Explain why this is a problem in a bit more
> detail.

To me it looks like the F12 i386 Everything repository is not signed:
$ curl -sI http://download.fedoraproject.org/pub/fedoralinux/releases/12/Everything/i386/os/repodata/repomd.xml.asc | head -n1
HTTP/1.1 404 NOT FOUND

So at least one major security protection measure is not in place and
attackers can create their own repositories with signed packages that
have well-known security flaws, e.g. a package with a bad setuid root
binary, and install it, if it is not already installed in a newer
version.

Regards
Till
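The mail's concern is that an unsigned repomd.xml lets a mirror (or anyone who can stand one up) serve old, still-signed packages, so package signatures alone do not help. As an added example that is not part of the mail or of Fedora's own tooling, the script below audits yum-style .repo files for enabled repositories whose metadata is not verified (repo_gpgcheck != 1) and verifies a locally downloaded repomd.xml against its detached signature with gpg. The .repo content is constructed for the example, the per-repo defaults it assumes when a key is absent (gpgcheck=0, repo_gpgcheck=0, enabled=1, no [main] override) are an assumption, and the keyring path is a placeholder.

```shell
#!/bin/sh
# Added example: audit .repo files for repositories that trust unsigned
# metadata, and verify a repomd.xml signature when one is available locally.

# Constructed sample config (not a real Fedora file); example.invalid stands
# in for an untrusted mirror.
SAMPLE_REPO_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_REPO_FILE"' EXIT
cat > "$SAMPLE_REPO_FILE" <<'EOF'
[fedora]
name=Fedora 12 - i386
baseurl=http://download.fedoraproject.org/pub/fedora/linux/releases/12/Everything/i386/os/
enabled=1
gpgcheck=1
repo_gpgcheck=1

[everything-unsigned-metadata]
name=Packages signed, metadata not
baseurl=http://example.invalid/releases/12/Everything/i386/os/
enabled=1
gpgcheck=1

[disabled-mirror]
name=Disabled, so not exposed right now
baseurl=http://example.invalid/mirror/
enabled=0
gpgcheck=0
EOF

# repo_settings FILE
# Prints one line per [section]: "<repoid> <gpgcheck> <repo_gpgcheck> <enabled>".
# Absent keys are reported with the assumed defaults gpgcheck=0,
# repo_gpgcheck=0, enabled=1 (assumption: no [main] section overrides them).
repo_settings() {
    awk '
        function flush() { if (id != "") print id, gpg, rgpg, en }
        /^\[/ { flush(); id = $0; sub(/^\[/, "", id); sub(/\].*$/, "", id)
                gpg = 0; rgpg = 0; en = 1; next }
        /^[ \t]*gpgcheck[ \t]*=/      { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); gpg = $0 }
        /^[ \t]*repo_gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); rgpg = $0 }
        /^[ \t]*enabled[ \t]*=/       { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); en = $0 }
        END { flush() }
    ' "$1"
}

# unsigned_metadata_repos FILE
# Lists enabled repositories whose metadata is not verified (repo_gpgcheck != 1).
# With these, package signatures still pass but the package list itself can be
# replaced, which is the downgrade scenario described in the mail.
unsigned_metadata_repos() {
    repo_settings "$1" | awk '$4 == 1 && $3 != 1 { print $1 }'
}

# verify_repomd REPODATA_DIR KEYRING
# Verifies REPODATA_DIR/repomd.xml against the detached signature
# repomd.xml.asc, trusting only the given gpg keyring (placeholder path, e.g.
# a keyring built from the distribution's published signing key).
# Returns 1 when the .asc is missing, which is the 404 case from the mail;
# otherwise gpg's exit status decides.
verify_repomd() {
    dir=$1
    keyring=$2
    if [ ! -f "$dir/repomd.xml.asc" ]; then
        echo "no repomd.xml.asc in $dir: metadata is unsigned" >&2
        return 1
    fi
    gpg --no-default-keyring --keyring "$keyring" \
        --verify "$dir/repomd.xml.asc" "$dir/repomd.xml"
}

echo "Enabled repositories with unverified metadata:"
unsigned_metadata_repos "$SAMPLE_REPO_FILE"
```

Running it prints only everything-unsigned-metadata: the fedora entry has repo_gpgcheck=1 and the disabled mirror is not enabled. The fix for a flagged repository is repo_gpgcheck=1 in its .repo stanza, which only works once the repository actually publishes repomd.xml.asc, the file the mail found missing.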