Dne 10. 12. 21 v 0:08 Davide Cavalca via devel napsal(a):
On Fri, 2021-12-03 at 22:08 +0000, Richard W.M. Jones wrote:I'm unclear about the threat model - this is an attacker who is someone able to overwrite single files (eg. /bin/ls) but cannot turn off the fs-verity system as a whole? Also if RPM can update /bin/ls then surely an attacker who can widely compromise system files must also be able to update /bin/ls in the same way?Once fs-verity is enabled for a given file (which, in the RPM case, happens at package installation time), it cannot be disabled, and the file becomes immutable. One can still rename() or unlink() it (and this is indeed how rpm is able to replace files when upgrading packages), but the actual contents cannot be altered.
Trying to debug some issue in shell/ruby/python script, will it be possible to modify such file?
Vít
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
