[sbopkg-discuss] Re: Package ownership

Phillip Warner phillip.c.warner at gmail.com
Wed Feb 11 03:15:06 UTC 2009


On 2/10/09, T2F <bkirkp at gmail.com> wrote:
>
> Can someone explain to me why sbopkg insists that the package belong
> to root:root? I keep my sandbox with the rest of my data on a server
> partition where the files are owned by bill:data & permissioned 664. I
> have an hourly cron job that sees to the proper permissions. If I
> build a package & install it immediately, I have no problems, but if I
> go back later, for example to install it on my laptop, I have to
> install from the command line. installpkg has no problems with
> ownership, why should sbopkg?
> Regards,
> Bill

Not checking for root:root perms opens up a package spoofing
vulnerability in sbopkg.  If this doesn't bother people perhaps the
check could be allowed to be turned off with a config switch.  Here is
a portion of the email I previously sent Chess that describes the
vulnerability:

===========
In brief, sbopkg needs to make sure packages in $OUTPUT are owned
root:root before even offering to install.  If $OUTPUT is world
writable (such as /tmp) then a normal user can make a fake or malicious
package that makes sbopkg think it can install.

---- How to spoof SBo packages ----
simply make sure the package
  name starts with the PRGNAM (the name can be longer than PRGNAM though)
  has the corresponding VERSION, BUILDNUM, and TAG
this info can easily be found in the local or online repo

Now when the admin views an entry for a SlackBuild they will have the
option to install this fake package!

While this may not fool the admin who knows they did not build a
package, it might be easy to fool an admin by making a fake package
corresponding to a SBo package that IS in OUTPUT.
Simply change the ARCH, or if the admin made a custom version or tag,
then the regular name might work.

SBo package spoofing could be defeated by making sure:
1) that your $OUTPUT is a folder only root has access to
2) sbopkg enforces that packages to install have root:root ownership
============

--phillip
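
The two mitigations listed in the message above, sketched as shell checks. This is an added example, not sbopkg's code and not part of the original e-mail; the function names, the `TRUSTED_UID`/`TRUSTED_GID` variables and the `*.tgz` glob are assumptions, "only root has access" is approximated as "owned by root with no group/other write bit", and GNU `stat -c` is assumed.

```bash
#!/bin/bash
# Added example, not sbopkg code. TRUSTED_UID/TRUSTED_GID are hypothetical
# knobs (default root:root) so the checks can be exercised without root.
TRUSTED_UID=${TRUSTED_UID:-0}
TRUSTED_GID=${TRUSTED_GID:-0}

# Mitigation 1: the output directory must be a real directory owned by the
# trusted uid and not writable by group or other (so /tmp-style dirs fail).
output_dir_is_safe() {
    local dir=$1 uid mode
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    uid=$(stat -c '%u' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$uid" = "$TRUSTED_UID" ] || return 1
    # 022 = group-write | other-write
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Mitigation 2: the package must be a regular file (no symlink) owned by
# TRUSTED_UID:TRUSTED_GID and not writable by group or other.
pkg_is_trusted() {
    local pkg=$1 owner mode
    [ -f "$pkg" ] && [ ! -L "$pkg" ] || return 1
    owner=$(stat -c '%u:%g' "$pkg") || return 1
    mode=$(stat -c '%a' "$pkg") || return 1
    [ "$owner" = "$TRUSTED_UID:$TRUSTED_GID" ] || return 1
    [ $(( 0$mode & 022 )) -eq 0 ]
}

# Print only the packages in directory $1 that pass both checks.
# Returns non-zero (and prints nothing) when the directory itself is unsafe.
list_installable() {
    local dir=$1 pkg
    output_dir_is_safe "$dir" || return 1
    for pkg in "$dir"/*.tgz; do
        pkg_is_trusted "$pkg" && printf '%s\n' "$pkg"
    done
    return 0
}
```

Matching on file name alone, as described in the message, never enters these checks: a file with the right PRGNAM, VERSION, BUILDNUM and TAG is still filtered out unless its ownership and its directory pass.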
