On Wed, Nov 18, 2009 at 11:18:28PM +0530, Rahul Sundaram wrote: > On 11/18/2009 11:19 PM, nodata wrote: > > > > > Thanks. I have changed the title to: > > "All users get to install software on a machine they do not have the > > root password to" > > .. if the packages are signed and from a signed repository. So, you left > out the important part. Explain why this is a problem in a bit more > detail. To me it looks like the F12 i386 Everything repository is not signed: $ curl -sI http://download.fedoraproject.org/pub/fedoralinux/releases/12/Everything/i386/os/repodata/repomd.xml.asc | head -n1 HTTP/1.1 404 NOT FOUND So at least one major security protection measure is not in place and attackers can create their own repositories with signed packages that have well known security flaws, e.g. a package with a bad setuid root binary, and install it, if it is not already installed in a newer version. Regards Till
Attachment:
pgpb0niZFULMl.pgp
Description: PGP signature
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
