[packagekit] Security issue with user defined proxies
Richard Hughes
hughsient at gmail.com
Tue Nov 17 01:17:48 PST 2009
2009/11/16 Sebastian Heinlein <glatzor at ubuntu.com>:
> The problem is the passwords for the repositories and not the ones
> required for the proxy access. E.g. a repository served by apache
> which requires a simple user/password authentication to access:
> http://USER:SECRET@repository/
> The normal user is not allowed to sniff packages sent by root.
So the way this works at the moment for Debian (if I understand correctly):
user installs foo
packagekit proxies to aptBackend.py
aptBackend.py looks up proxy from root-readable-config file
aptBackend.py does the install
and the complication is the user sets a proxy (for instance
http://10.0.0.1) in the session. Surely you can just prepend the
"secret" to the user's defined proxy?
Richard?
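
Added example, not part of the original message or of PackageKit: a check that lists which repository entries would hand their embedded credentials to a proxy chosen in the user session. With plain http the whole request, including the Authorization header built from USER:SECRET, is sent to the proxy; with https the proxy only sees a CONNECT to the host. The one-line sources.list sample and the function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed sample in one-line sources.list style (not taken from the thread).
SAMPLE_SOURCES = """\
# internal mirror protected by HTTP basic auth
deb http://USER:SECRET@repository/ stable main
deb [arch=amd64] https://USER:SECRET@secure.example/debian stable main
deb http://archive.example/debian stable main
"""


def repo_uris(text):
    """Yield the URI field of each deb/deb-src line, skipping any [options]."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("deb", "deb-src"):
            continue  # comments, blanks, anything that is not a source entry
        rest = fields[1:]
        if rest and rest[0].startswith("["):
            # options may be split over several fields up to the closing bracket
            while rest and not rest[0].endswith("]"):
                rest = rest[1:]
            rest = rest[1:]
        if rest:
            yield rest[0]


def exposed_to_proxy(sources_text, session_proxy):
    """Return redacted URIs whose credentials a user-set proxy would receive."""
    if not session_proxy:
        return []  # no user-defined proxy, nothing is routed through the user
    findings = []
    for uri in repo_uris(sources_text):
        parts = urlsplit(uri)
        if parts.username is None and parts.password is None:
            continue  # no embedded credentials to leak
        if parts.scheme != "http":
            continue  # https is tunnelled; the proxy does not see the header
        host = parts.hostname + (f":{parts.port}" if parts.port else "")
        user = parts.username or ""
        findings.append(f"{parts.scheme}://{user}:***@{host}{parts.path}")
    return findings


if __name__ == "__main__":
    for hit in exposed_to_proxy(SAMPLE_SOURCES, "http://10.0.0.1"):
        print("credentials would reach the session proxy:", hit)
```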