Local users get to play root?

Till Maas opensource at till.name
Thu Nov 19 10:29:46 UTC 2009


On Thu, Nov 19, 2009 at 04:36:27AM -0500, Ricky Zhou wrote:
> On 2009-11-19 10:23:53 AM, Till Maas wrote:
> > So at least one major security protection measure is not in place and
> > attackers can create their own repositories with signed packages that
> > have well known security flaws, e.g. a package with a bad setuid root
> > binary, and install it, if it is not already installed in a newer
> > version.
> I might be wrong on this, but wouldn't the attacker need to trick 
> yum/packagekit into using the malicious repo first?  I didn't think that 
> was allowed for non-root users.

Yes, packagekit must be tricked into using the malicious repo, but this
is not something that needs to be done on the system; it can also be
done by an MITM attack on the network traffic or by compromising DNS.

> Note that even if the repomd.xml files were signed, it'd be easy for an 
> attacker to just take an old one with a valid signature and host a repo 
> with outdated packages.  I thought metalink 
> (https://mirrors.fedoraproject.org/metalink?repo=updates-released-f12&arch=x86_64) 
> over https was supposed to address the problem of outdated repos though.

It seems that at least the information provided in the metalink is
enough to perform proper verification and deny outdated repositories,
since there are timestamps and secure hashes provided for the repomd.xml
file. But there might still be a problem with third-party repositories
if they do not use metalink, and if the metalink information is not used
in a secure way by yum.

Regards
Till
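The kind of check described above, as an added example that is not from this thread or from yum itself: it takes a metalink document (constructed here in the metalink 3.0 layout with mm0:timestamp elements) and a fetched repomd.xml body, accepts the body only if its sha256 is listed in the metalink, and rejects a listed-but-old entry under an assumed maximum-age policy. The function names, the 7-day window and the sample data are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by the metalink 3.0 layout plus the mm0 extension (assumed)
NS = {"ml": "http://www.metalinker.org/", "mm0": "http://fedorahosted.org/mirrormanager"}

def parse_metalink(xml_text):
    """Return [(timestamp, {hash_type: hexdigest})] for every repomd.xml entry."""
    root = ET.fromstring(xml_text)
    entries = []
    for f in root.findall("ml:files/ml:file", NS):
        if f.get("name") != "repomd.xml":
            continue
        ts = int(f.findtext("mm0:timestamp", namespaces=NS))
        hashes = {h.get("type"): h.text.strip().lower()
                  for h in f.findall("ml:verification/ml:hash", NS)}
        entries.append((ts, hashes))
    return entries

def verify_repomd(metalink_xml, repomd_bytes, max_age=7 * 86400):
    """Accept repomd_bytes only if its sha256 is listed and the listed entry is not
    more than max_age seconds behind the newest entry (assumed freshness policy)."""
    entries = parse_metalink(metalink_xml)
    if not entries:
        return False, "metalink has no repomd.xml entry"
    digest = hashlib.sha256(repomd_bytes).hexdigest()
    newest = max(ts for ts, _ in entries)
    for ts, hashes in entries:
        if hashes.get("sha256") == digest:
            if newest - ts > max_age:
                return False, "repomd.xml is listed but outdated (replay of old metadata)"
            return True, "ok"
    return False, "sha256 of repomd.xml is not listed in the metalink"

# Constructed sample data: a current and a 30-day-old repomd.xml, both still listed
CURRENT_REPOMD = b"<repomd><revision>1258562412</revision></repomd>"
OLD_REPOMD = b"<repomd><revision>1255970412</revision></repomd>"
NEWEST_TS = 1258562412

def _entry(ts, body):
    return ('<file name="repomd.xml"><mm0:timestamp>%d</mm0:timestamp>'
            '<verification><hash type="sha256">%s</hash></verification></file>'
            % (ts, hashlib.sha256(body).hexdigest()))

SAMPLE_METALINK = (
    '<?xml version="1.0"?>'
    '<metalink version="3.0" xmlns="http://www.metalinker.org/" '
    'xmlns:mm0="http://fedorahosted.org/mirrormanager"><files>'
    + _entry(NEWEST_TS, CURRENT_REPOMD)
    + _entry(NEWEST_TS - 30 * 86400, OLD_REPOMD)
    + '</files></metalink>')
```

A forged body fails the hash lookup, and the old-but-listed body fails the age check, which is the replay case the thread worries about.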