On 09/ 8/10 01:14 PM, Bart Smaalders wrote:
On 09/02/10 22:54, Darren Reed wrote:
In thinking about some of the internals of pkg as outlined
in this CR...

https://defect.opensolaris.org/bz/show_bug.cgi?id=16972

... I started to wonder what that does for our ability to detect
malicious change. A malicious change would be when a hacker
modifies the CTF and not the elfhash, resulting in different code
being run but "pkg verify" reporting the same.

Ok, so if a hacker is smart enough to do this then they can
probably also hack the local database in /var/pkg with which
the elfhash for a binary is compared.

But if the repository from whence the install is made is on another
host or otherwise secure, would it be possible to have "pkg verify"
use that as an authoritative source, potentially putting the source
of the real hash out of arm's reach?
Or is that already the behaviour?
(the man page isn't clear about which data source is used for the
baseline comparison data.)

<back from Burning Man; catching up on old pkg-discuss mail>

As per usual, if a system is thought to be compromised by a
malicious attacker, no part of the system can be used to
verify its own integrity.

Right now we use the data on the system; we need to work on increasing
the ease of re-verifying all installed package manifests from an
alternate BE; this would be a good RFE.

Wouldn't booting to an alternate BE and using -R be sufficient? (Keeping in mind that we now have package signing.)

Or put differently, what particular RFE did you have in mind or can you expound on the above?

-Shawn
_______________________________________________
pkg-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/pkg-discuss
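As an added illustration of the scenario Darren raises above (not code from this thread or from pkg(5)): a constructed ELF64 image whose content hash covers only loaded sections, so an edit confined to .SUNW_ctf leaves that hash unchanged while a whole-file hash recorded in an off-host baseline still detects it. The ELF builder, the "hash only SHF_ALLOC sections" rule and the sample bytes are assumptions for the demonstration, not pkg's elfhash algorithm.

```python
# Constructed toy model of the concern above: a content hash that covers only
# loaded ELF sections misses an edit to .SUNW_ctf. Not pkg(5)'s elfhash code.
import hashlib
import struct

SHF_ALLOC, SHF_EXECINSTR = 0x2, 0x4   # ELF section header flags
EHDR = "<16sHHIQQQIHHHHHH"            # Elf64_Ehdr, little-endian
SHDR = "<IIQQQQIIQQ"                  # Elf64_Shdr

def build_elf(text: bytes, ctf: bytes) -> bytes:
    """Minimal ELF64 image: loadable .text plus a non-loaded .SUNW_ctf section."""
    shstrtab = b"\0.text\0.SUNW_ctf\0.shstrtab\0"   # name offsets 1, 7, 17
    body = text + ctf + shstrtab
    o_text, o_ctf, o_str = 64, 64 + len(text), 64 + len(text) + len(ctf)
    shdrs = [
        struct.pack(SHDR, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),          # SHN_UNDEF
        struct.pack(SHDR, 1, 1, SHF_ALLOC | SHF_EXECINSTR, 0x401000,
                    o_text, len(text), 0, 0, 16, 0),              # .text
        struct.pack(SHDR, 7, 1, 0, 0, o_ctf, len(ctf), 0, 0, 1, 0),  # .SUNW_ctf
        struct.pack(SHDR, 17, 3, 0, 0, o_str, len(shstrtab), 0, 0, 1, 0),
    ]
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # ELFCLASS64, LSB, v1
    ehdr = struct.pack(EHDR, ident, 2, 0x3e, 1, 0x401000, 0,
                       64 + len(body), 0, 64, 0, 0, 64, len(shdrs), 3)
    return ehdr + body + b"".join(shdrs)

def elf_content_hash(elf: bytes) -> str:
    """SHA-256 over SHF_ALLOC sections only, i.e. the bytes that are mapped and run."""
    hdr = struct.unpack_from(EHDR, elf)
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    h = hashlib.sha256()
    for i in range(shnum):
        sh = struct.unpack_from(SHDR, elf, shoff + i * shentsize)
        if sh[2] & SHF_ALLOC:                   # sh_flags
            h.update(elf[sh[4]:sh[4] + sh[5]])  # sh_offset, sh_size
    return h.hexdigest()

def verify(elf: bytes, baseline: dict) -> dict:
    """Check a binary against a baseline that was recorded off-host."""
    return {"content_hash_match": elf_content_hash(elf) == baseline["content"],
            "file_hash_match": hashlib.sha256(elf).hexdigest() == baseline["file"]}

TEXT = bytes.fromhex("554889e5b800000000")          # constructed code bytes
GOOD = build_elf(TEXT, b"CTF-version-2:original")
BASELINE = {"content": elf_content_hash(GOOD),
            "file": hashlib.sha256(GOOD).hexdigest()}
# Same-length in-place edit confined to the CTF section; loaded code untouched.
TAMPERED = build_elf(TEXT, b"CTF-version-2:modified")
```

Running `verify(TAMPERED, BASELINE)` shows the content-only hash still matching while the whole-file hash does not, which is why the baseline has to come from a source the host cannot rewrite.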
