On Mon, 2014-03-03 at 10:43 +0100, Miroslav Suchý wrote: > Hi, > I'm developer of Copr build system. As you may know I inherited original code from Seth. > He set the design and processes that all rpm handling is done only on builders, which is VM which are terminated after > each build. > Seth was very afraid to parse rpm files directly on server as he said there is potential security risk. He never > specified which risk. Or how much theoretical this was. > And of course I can no longer ask him. > > Now I'm getting some feature request, which would imply to parse rpm files. So dear lazy list - I have question for you: > > Imagine you are attacker. You can submit to target server (Copr) whatever src.rpm you want. That srpm will be build in > VM, which will be then terminated. But you know that the server will use queries using python-rpm on final binary rpm files. > > How much you are confident that attacker can (not) exploit rpm, python-rpm to do something evil? Even theoretically. > And with or without Selinux. > What is the benefit of those feature requests? I would be afraid of an injection type attack with allowing python to execute scripts involving user supplied data, such as in an RPM. I suspect the risk is extremely low but "trust no one" means you have to assume anyone could be potentially trying to attack, and the last thing you want is that server being compromised given what it does. Unless the feature requests are critical to the successful operation of the server, I would not parse the rpm files on the server. It's execution of a script on un-trusted data that may not be easy to sanitize first. Just my opinion. _______________________________________________ Rpm-list mailing list Rpm-list@xxxxxxxxxxxxx http://lists.rpm.org/mailman/listinfo/rpm-list