[packagekit] Security issue with user defined proxies
glatzor at ubuntu.com
Mon Nov 16 09:10:02 PST 2009
Currently we allow the user to set the proxy of a transaction.
Furthermore there isn't any separate privilege for setting the proxy.
For apt it is possible to set a password for a repository, which can
be hidden to the normal user by only allowing root to read the config
file. By allowing the user to set the proxy the password gets sent to
the user's proxy. Which is a security issue.
Are there any other backends which support passwords?
- Add a separate privilege for setting the proxy
- Add a global option to disable setting the proxy by the user
- Ignoring proxies in the backend if the repository uses a password
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 198 bytes
Desc: Digital signature
More information about the PackageKit