Local users get to play root?
Jeff Garzik
jgarzik at pobox.com
Wed Nov 18 22:18:26 UTC 2009
On 11/18/2009 05:14 PM, Richard Hughes wrote:
> 2009/11/18 Jeff Garzik<jgarzik at pobox.com>:
>> How little social engineering + virus automation does it take to get such an
>> install to include a malicious 3rd party repo?
>
> You need the root password to install from repos not signed by a key
> previously imported, or if the package signature is wrong.
You forget we have botnets doing distributed cracking now.
Fedora just opened up a huge attack vector, for the users who are least
equipped to understand the consequences.
And this enormous security hole of a policy change was done with next to
/zero/ communication, making it likely that many admins will not even
know they are vulnerable until their kids install a bunch of unwanted
packages.
Jeff
More information about the devel
mailing list