Up2date and SysAdmin auth.

Scot L. Harris webid at cfl.rr.com
Mon Aug 9 20:09:33 UTC 2004


On Mon, 2004-08-09 at 13:58, Stanley Allely wrote:

> I do already run the full firewall with SPI, I just happened to notice 
> that up2date closes the authorization before package retrieval is done, 
> I'm just not sure how early is ok. I always thought it would require sys 
> admin auth. all the way through, but it evidently does not.  I was just 
> worried about somebody outside the update system hacking in a third 
> party packet during the update process (like a rootkit), but I suppose 
> that would qualify as a "new" packet under the iptables  and get 
> stopped?  The only open port I have in the system is http for internet 
> access.  I guess it's the fact that root is open during updates, or as 
> they say "Just because you're paranoid, doesn't mean someone is not out to 
> get you" especially on line with  and all the other nasty gotchas being 
> available.  And I've had good luck with the default up2date, and having 
> watched the yum update thread I'll go with "if it ain't broke, don't 
> fix it".
> Thanks, Stan

I will have to find some time to look at this.  

You have raised a very good question (which is actually about Fedora of
all things!)

Just how secure is the update process used by Fedora?  I don't think any
encryption is used for the transfer of packages, nor do I believe
certificates are used to validate the repository.

So the weak points in the update process are:

1. repository compromise
2. session hijacking
3. packet injection/spoofing

Are there any others?  And what is the potential of each?  

Compromising the repositories I think is the worst case and the most
likely.  Insertion of a few specially crafted packages with harmful
payloads could cause a lot of problems for many people very quickly.

The other possible problems are IMHO less likely since someone would
have to have access to specific parts of the network in order to
accomplish them.  And the damage would probably be much less because of
that.

So can someone that knows the ins and outs of that software comment?

-- 
Scot L. Harris <webid at cfl.rr.com>




