[packagekit] Security issue with user defined proxies
Daniel Nicoletti
dantti85-pk at yahoo.com.br
Mon Nov 16 09:27:02 PST 2009
And the policy is...
org.freedesktop.packagekit.system-network-proxy-configure
:D
Daniel.
----- Mensagem original ----
> De: Sebastian Heinlein <glatzor at ubuntu.com>
> Para: PackageKit users and developers list <packagekit at lists.freedesktop.org>
> Enviadas: Segunda-feira, 16 de Novembro de 2009 15:10:02
> Assunto: [packagekit] Security issue with user defined proxies
>
> Hello,
>
> Currently we allow the user to set the proxy of a transaction.
> Furthermore there isn't any separate privilege for setting the proxy.
>
> For apt it is possible to set a password for a repository, which can
> be hidden to the normal user by only allowing root to read the config
> file. By allowing the user to set the proxy the password gets sent to
> the user's proxy. Which is a security issue.
>
> Are there any other backends which support passwords?
>
> Possible approaches:
>
> - Add a separate privilege for setting the proxy
>
> - Add a global option to disable setting the proxy by the user
>
> - Ignoring proxies in the backend if the repository uses a password
>
> Cheers,
>
> Sebastian
____________________________________________________________________________________
Veja quais são os assuntos do momento no Yahoo! +Buscados
http://br.maisbuscados.yahoo.com
More information about the PackageKit
mailing list