[packagekit] Security issue with user defined proxies

Richard Hughes hughsient at gmail.com
Tue Nov 17 01:17:48 PST 2009

2009/11/16 Sebastian Heinlein <glatzor at ubuntu.com>:
> The problem are passwords for the repositories and not the ones
> required for the proxy access. E.g. a repository served by apache
> which requires a simple user/password authentication to access:
> http://USER:SECRET@repository/
> The normal user is not allowed to sniff packages send by root.

So the way this works at the moment for Debian (if I understand correctly)

user installs foo
packagekit proxies to aptBackend.py
aptBackend.py looks up proxy from root-readable-config file
aptBackend.py does the install

and the complication is the user sets a proxy (for instance in the session. Surely you can just prepend the
"secret" to the users defined proxy?


More information about the PackageKit mailing list