tag 523745 - security
thanks

On Sun, 12 Apr 2009, Holger Levsen wrote:
> during a discussion about how to compromise the security of a Debian system I 
> noticed that /var/log/dpkg.log just logs the version number of the packages 
> installed, thus one can inject an on-the-fly-modified .deb with the same 
> version number (provided the user ignores an apt authentication warning), 
> which does harmful things and cleans up after itself with no trace on the 
> machine, even if /var/log/dpkg.log is stored securely, i.e. with capabilities.

How can you tag this security while saying "provided that the user doesn't
care about security"? dpkg is not the tool that handles the trust in the
package retrieved…

And if the package is doing nasty things, it can also edit
/var/log/dpkg.log. Remember that maintainer scripts run with root rights!
You mention "capabilities" but that's theory since dpkg has no support for
running maintainer scripts with different capabilities than dpkg itself. So
you're asking for a feature that depends on a non-existing feature…

So this option doesn't increase the security very much. Implementing it can
still be useful but not really for any serious/trustable security audit.

Cheers,
-- 
Raphaël Hertzog

Contribute to Debian and win a copy of the Cahier de l'admin Debian Lenny:
http://www.ouaza.com/wp/2009/03/02/contribuer-a-debian-gagner-un-livre/
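
Added example, not part of the original thread or of dpkg: a Python sketch showing that dpkg.log action lines identify a package only by name and version, so the most an auditor can get from the log is a list of packages unpacked more than once at the same version. The sample log is constructed, the function names are hypothetical, and the result is only as trustworthy as the log file itself, which a maintainer script running as root can rewrite.

```python
import re
from collections import defaultdict

# Constructed sample in dpkg.log line format (not taken from a real host).
SAMPLE_LOG = """\
2009-04-10 09:12:01 install hello <none> 2.2-2
2009-04-10 09:12:01 status half-installed hello 2.2-2
2009-04-10 09:12:02 status installed hello 2.2-2
2009-04-11 03:40:17 upgrade hello 2.2-2 2.2-2
2009-04-11 03:40:18 status installed hello 2.2-2
2009-04-12 08:00:00 upgrade bash 3.2-4 3.2-5
2009-04-12 08:00:03 status installed bash 3.2-5
"""

# Action lines: date, time, action, package, old version, new version.
# There is no field describing the content of the .deb that was unpacked.
ACTION = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>install|upgrade) "
    r"(?P<pkg>\S+) (?P<old>\S+) (?P<new>\S+)$"
)

def parse_actions(text):
    """Yield one dict per install/upgrade line; all other lines are skipped."""
    for line in text.splitlines():
        m = ACTION.match(line)
        if m:
            yield m.groupdict()

def same_version_unpacks(text):
    """Map (package, version) to timestamps when it was unpacked more than once.

    These entries cannot be told apart by content from the log alone; they
    are candidates for a file-level check against a trusted copy.
    """
    seen = defaultdict(list)
    for a in parse_actions(text):
        seen[(a["pkg"], a["new"])].append(f'{a["date"]} {a["time"]}')
    return {key: stamps for key, stamps in seen.items() if len(stamps) > 1}

if __name__ == "__main__":
    for (pkg, ver), stamps in same_version_unpacks(SAMPLE_LOG).items():
        print(f"{pkg} {ver} unpacked {len(stamps)} times: {', '.join(stamps)}")
```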


