[packagekit] libpackagekit-gnome
David Zeuthen
david at fubar.dk
Mon Apr 14 10:09:07 PDT 2008
On Mon, 2008-04-14 at 13:43 +0100, Richard Hughes wrote:
> On Sun, 2008-04-13 at 20:25 -0400, David Zeuthen wrote:
> > then I can trivially use LD_PRELOAD to inject code
> > into /usr/bin/gpk-application
>
> What about the attached patch? It catches the common case and outputs:
>
> [hughsie at hughsie-work client]$ LD_PRELOAD=./session-privs.so ./pkcon --verbose install ./badrpm-0.1.fc9.rpm
> Command failed
> Error:
> Security check failed. LD_PRELOAD was set to ./session-privs.so
No, that won't work - there's a ton of attack vectors. My point isn't to
try and secure the PackageKit UI tools right now; that's a separate
thing. My point is simply that you don't want libpackagekit-gnome; you
want a D-Bus service instead. What do you think about that?
Thanks,
David
More information about the PackageKit
mailing list