[packagekit] Security issue with user defined proxies
dantti85-pk at yahoo.com.br
Mon Nov 16 09:27:02 PST 2009
And the policy is...
----- Original message ----
> From: Sebastian Heinlein <glatzor at ubuntu.com>
> To: PackageKit users and developers list <packagekit at lists.freedesktop.org>
> Sent: Monday, 16 November 2009 15:10:02
> Subject: [packagekit] Security issue with user defined proxies
> Currently we allow the user to set the proxy of a transaction.
> Furthermore there isn't any separate privilege for setting the proxy.
> For apt it is possible to set a password for a repository, which can
> be hidden from the normal user by only allowing root to read the config
> file. By allowing the user to set the proxy, the password gets sent to
> the user's proxy, which is a security issue.
> Are there any other backends which support passwords?
> Possible approaches:
> - Add a separate privilege for setting the proxy
> - Add a global option to disable setting the proxy by the user
> - Ignoring proxies in the backend if the repository uses a password
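The third approach listed in the quoted message (ignore the proxy when a repository uses a password) can be sketched as follows. This is an added example, not PackageKit or apt backend code; the function names are hypothetical, and it assumes the password is embedded in the repository URI of a root-readable sources.list-style file.

```python
from urllib.parse import urlsplit

# Constructed sample in one-line sources.list format; hosts and
# credentials are made up for illustration.
SAMPLE_SOURCES = """\
# public mirror
deb http://archive.example.org/ubuntu karmic main universe
deb [arch=amd64] http://deploy:s3cret@internal.example.com/apt karmic main
deb-src http://archive.example.org/ubuntu karmic main
"""

def repo_uris(sources_text):
    """Yield the URI of every deb/deb-src line, skipping comments and options."""
    for raw in sources_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] not in ("deb", "deb-src"):
            continue
        rest = fields[1:]
        # An optional "[opt=val ...]" block sits between the type and the URI.
        if rest[0].startswith("["):
            while rest and not rest[0].endswith("]"):
                rest = rest[1:]
            rest = rest[1:]
        if rest:
            yield rest[0]

def has_credentials(uri):
    """True when the URI carries a user name or password in its userinfo part."""
    parts = urlsplit(uri)
    return parts.username is not None or parts.password is not None

def effective_proxy(sources_text, user_proxy):
    """Decide which proxy a transaction may use.

    Returns (proxy, protected_hosts). The user's proxy is dropped when any
    repository carries credentials. Only host names are returned for
    logging, never the credentials themselves.
    """
    protected = [urlsplit(u).hostname
                 for u in repo_uris(sources_text) if has_credentials(u)]
    if protected:
        return None, protected
    return user_proxy, []

if __name__ == "__main__":
    proxy, hosts = effective_proxy(SAMPLE_SOURCES, "http://10.0.0.5:3128")
    print("proxy used:", proxy, "| password-protected repos:", hosts)
```
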