[packagekit] Security issue with user defined proxies

Sebastian Heinlein glatzor at ubuntu.com
Mon Nov 16 10:49:59 PST 2009


On Mon, Nov 16, 2009 at 05:27:34PM +0000, Richard Hughes wrote:
> 2009/11/16 Sebastian Heinlein <glatzor at ubuntu.com>:
> 
> > For apt it is possible to set a password for a repository, which can
> > be hidden to the normal user by only allowing root to read the config
> > file. By allowing the user to set the proxy the password gets sent to
> > the user's proxy. Which is a security issue.
> 
> I'm not sure I follow. The password is a http proxy password -- surely
> you could sniff this (as a user) as it goes out on the wire. Could you
> explain how you think this is a security issue in painstaking detail
> please.

The problem is the passwords for the repositories and not the ones
required for the proxy access. E.g. a repository served by apache
which requires a simple user/password authentication to access:

http://USER:SECRET@repository/

If the user configures a proxy, the complete URL including the
password will be sent to the proxy server.

The normal user is not allowed to sniff packages sent by root.

> > Possible approaches:
> >  - Add a separate privilege for setting the proxy
> 
> See above.

Sorry, this was a very quick shot from me.

> >  - Ignoring proxies in the backend if the repository uses a password
> 
> I'm not sure why ignoring proxies is a good idea.

Just one of the possible ideas. Perhaps not the one to go.
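
Added example, not part of the original message and not PackageKit or apt code: a Python sketch of what a forward proxy receives for a repository URL like the one above, with a policy check for the "ignore proxies if the repository uses a password" approach. It assumes a client that turns the URL's userinfo into a Basic Authorization header on plain HTTP; the function names, the request path and the proxy addresses are hypothetical.

```python
import base64
from urllib.parse import urlsplit

def has_credentials(repo_url):
    """True if the repository URL embeds a user name or password."""
    parts = urlsplit(repo_url)
    return parts.username is not None or parts.password is not None

def request_seen_by_proxy(repo_url, path="/dists/stable/Release"):
    """Build the plain-HTTP request a client hands to a forward proxy.

    Assumption: the client converts the URL's userinfo into a Basic
    Authorization header. Without TLS the proxy reads it in clear text.
    The default path is a constructed sample.
    """
    parts = urlsplit(repo_url)
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    lines = [f"GET http://{host}{path} HTTP/1.1", f"Host: {host}"]
    if has_credentials(repo_url):
        userinfo = f"{parts.username or ''}:{parts.password or ''}"
        token = base64.b64encode(userinfo.encode()).decode()
        lines.append(f"Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"

def exposed_credentials(request):
    """Return (user, secret) as readable by whoever runs the proxy, or None."""
    for line in request.split("\r\n"):
        if line.lower().startswith("authorization: basic "):
            decoded = base64.b64decode(line.split()[-1]).decode()
            user, _, secret = decoded.partition(":")
            return user, secret
    return None

def effective_proxy(repo_url, user_proxy, system_proxy=None):
    """Policy: a user-set proxy is never used for a credentialed repository.

    Falls back to the administrator's proxy, or None (direct connection).
    """
    if user_proxy and has_credentials(repo_url):
        return system_proxy
    return user_proxy or system_proxy

if __name__ == "__main__":
    repo = "http://USER:SECRET@repository/"       # URL form from the message
    print(exposed_credentials(request_seen_by_proxy(repo)))
    print(effective_proxy(repo, "http://user-proxy.example:3128"))
```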