[packagekit] libpackagekit-gnome
Richard Hughes
hughsient at gmail.com
Mon Apr 14 05:11:25 PDT 2008
On Sun, 2008-04-13 at 20:25 -0400, David Zeuthen wrote:
> E.g. there's no way to do LD_PRELOAD, no way to do LD_LIBRARY_PATH
Can't we do a getenv ("LD_PRELOAD") and fail to run _any_ of the
methods if it's set? I guess checking LD_PRELOAD and LD_LIBRARY_PATH
would raise the bar for any attacker a tiny bit, although I guess the
other attack vectors are still valid assuming you have hostile code
running in your user session. Is it worth adding in checks
for LD_LIBRARY_PATH et al.?
Of course, if I have hostile code running as user "hughsie" then I have
my entire home directory to worry about (~/.ssh/id_rsa), and all the
connected network shares that I've authenticated against. I would say
I'm pretty screwed in more ways than convincing totem to install
$random-bad-package.
Another way of doing this might be to have:
* InstallRepoSignature needs to not be able to remember a password
* InstallFile needs to return an error and fail if it tries to install a
local unsigned file - this can stay as a remember by default (see below)
* InstallFileUnsigned needs to be created to allow this file to be
installed, but not be allowed to keep the auth for the session or
system.
How about that?
Richard.
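A minimal form of the getenv() check Richard proposes, added here as an illustration and not code from PackageKit or this thread; the function takes an environment block so it can be exercised on constructed input, and only the two variables named in the message are checked (the name list and the refusal hook are assumptions). As the thread itself notes, this only raises the bar slightly against code already running in the user's session.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

extern char **environ;

/* Loader variables the daemon refuses to serve methods under. Only the
 * two names raised in the thread are listed; extending "et al." is left
 * to the deployer (assumption: illustrative, not exhaustive). */
static const char *const kLoaderVars[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    NULL,
};

/* Scan a NULL-terminated "NAME=value" environment block and return how
 * many of the loader variables are present, even with an empty value
 * ("LD_PRELOAD=" still counts). Exact-name matching avoids false hits
 * on unrelated names such as LD_PRELOAD_FOO. */
int count_loader_overrides(char *const envp[])
{
    int hits = 0;
    for (size_t i = 0; envp != NULL && envp[i] != NULL; i++) {
        for (size_t j = 0; kLoaderVars[j] != NULL; j++) {
            size_t n = strlen(kLoaderVars[j]);
            if (strncmp(envp[i], kLoaderVars[j], n) == 0 && envp[i][n] == '=')
                hits++;
        }
    }
    return hits;
}

/* Policy hook to call at the top of every exported method: returns true
 * only when no loader override is set in the given environment. */
bool method_allowed(char *const envp[])
{
    return count_loader_overrides(envp) == 0;
}

int main(void)
{
    /* Constructed sample environments, not captured from a real session. */
    char *const clean[] = { "PATH=/usr/bin", "HOME=/home/user", NULL };
    char *const tampered[] = { "PATH=/usr/bin", "LD_PRELOAD=/tmp/injected.so", NULL };
    printf("clean: %s\n", method_allowed(clean) ? "allowed" : "refused");
    printf("tampered: %s\n", method_allowed(tampered) ? "allowed" : "refused");
    printf("this process: %s\n", method_allowed(environ) ? "allowed" : "refused");
    return 0;
}
```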