[packagekit] libpackagekit-gnome

[Richard Hughes]

On Sun, 2008-04-13 at 20:25 -0400, David Zeuthen wrote:
> E.g. there's no way to do LD_PRELOAD, no way to do LD_LIBRARY_PATH

Can't we do a getenv ("LD_PRELOAD") and fail to run _any_ of the
methods if it's set? I guess checking LD_PRELOAD and LD_LIBRARY_PATH
would raise the bar for any attacker a tiny bit, although I guess the
other attack vectors are still valid assuming you have hostile code
running in your user session. Is it worth adding in checks
for LD_LIBRARY_PATH et al.?

Of course, if I have hostile code running as user "hughsie" then I have
my entire home directory to worry about (~/.ssh/id_rsa), and all the
connected network shares that I've authenticated against. I would say
I'm pretty screwed in more ways than convincing totem to install
$random-bad-package.

Another way of doing this might be to have:

* InstallRepoSignature needs to not be able to remember a password
* InstallFile needs to return an error and fail if it tries to install a
local unsigned file - this can stay as a remember by default (see below)
* InstallFileUnsigned needs to be created to allow this file to be
installed, but not be allowed to keep the auth for the session or
system.

How about that?

Richard.