On 9/27/05, Luca Dionisi <[EMAIL PROTECTED]> wrote: > Let's say you are about to install a package. Actually it is > a malicious package... but you don't know this. > If the install script (when you run it as a privileged user) > puts a bootscript in /etc/rc.d/... and you don't realize that, > at the next boot the malicious commands could be launched > with superuser privileges. And you know nothing about it.
Yep, what is the security benefit when the malicious package can already install executables to the standard PATH? What I (used to) do is to allow the packages to install scripts into /etc/rc.d/init.d but not allow them to create any symlinks. The symlinks would be created by the "install" user only. -- Tushar Teredesai mailto:[EMAIL PROTECTED] http://www.linuxfromscratch.org/~tushar/ -- http://linuxfromscratch.org/mailman/listinfo/blfs-support FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
