YUM security issues...

Matt Domsch Matt_Domsch at dell.com
Thu Jul 31 03:57:19 UTC 2008


On Wed, Jul 30, 2008 at 08:42:44AM -0700, Justin Cappos wrote:
> You might also think about requiring the mirror's IP address to fall
> in the subnet (or else they ask for your approval).   This might
> further complicate an attacker using this for evil.

The challenge here is

a) private servers often are on RFC1918 addresses, so they don't fall
inside the publicly visible netblock assignments.  If it's a private
server, MM doesn't even crawl it (they're likely unreachable anyhow),
relying on them to run report_mirror.  This also keeps our crawl times
down to 4-6 hours, since it only crawls the 50% of listed servers that are public.

b) malicious sysadmins could change their DNS entry after getting the
netblock set up by a Fedora sysadmin, so as to no longer be inside the
netblock.

I feel the window of opportunity here is small, and we're going to
make changes to make it even smaller.  Users can't install unsigned
packages, so the worst a malicious mirror can do is serve "stale" content
for a period of time we'll be able to control.  That period may be
ridiculously small, like "never" (which is easy to implement but a PITA
for mirrors that sync only once a day), or up to 1 week (I haven't worked
out how to do this cleanly, but it's nicer to users of mirrors who are
good citizens), which is clearly what I want.

-- 
Matt Domsch
Linux Technology Strategist, Dell Office of the CTO
linux.dell.com & www.dell.com/linux
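As an added illustration of the checks discussed in this message (example code written for this page; it is not MirrorManager code and not the mechanism Fedora actually deployed), the following Python sketches the per-mirror decision a crawler could make: treat RFC1918 hosts as report_mirror-only (paragraph a), require the address a mirror's hostname currently resolves to to fall inside the netblock a sysadmin registered, re-checked on every crawl so a later DNS change is caught (paragraph b), and enforce a configurable staleness window against the master's metadata revision. The netblocks, addresses and revision numbers are constructed sample values; the "never" and "1 week" constants are assumptions encoding the two options named in the text, and the verdict strings are hypothetical.

```python
"""Mirror vetting sketch: RFC1918 handling, registered-netblock check,
and a bounded staleness window.  Added example, not MirrorManager code."""
import ipaddress

# Staleness policies named in the thread (assumed encodings).
MAX_AGE_NEVER = 0                   # mirror must serve exactly the master's revision
MAX_AGE_ONE_WEEK = 7 * 24 * 3600    # mirror may lag the master by up to a week

# RFC1918 private ranges, listed explicitly rather than via
# ipaddress.is_private(), which also flags documentation ranges such as
# 203.0.113.0/24 that we use below as constructed public addresses.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """True if the address is in one of the RFC1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def in_registered_netblock(ip: str, netblocks) -> bool:
    """True if ip lies in any netblock a sysadmin registered for this mirror.

    Callers pass the address the mirror hostname resolves to *now*, so a
    DNS change made after registration (paragraph b) fails this check on
    the next crawl.
    """
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in netblocks)


def metadata_is_fresh(master_rev: int, mirror_rev: int, max_age: int) -> bool:
    """True if the mirror's metadata revision (constructed here as epoch
    seconds) is no older than max_age seconds behind the master's.

    A revision newer than the master's cannot be legitimate and is rejected
    regardless of the window.
    """
    if mirror_rev > master_rev:
        return False
    return master_rev - mirror_rev <= max_age


def vet_mirror(ip: str, netblocks, master_rev: int, mirror_rev: int,
               max_age: int) -> str:
    """Return a hypothetical verdict string for one crawl of one mirror."""
    if is_rfc1918(ip):
        # Not crawled at all; the mirror is expected to run report_mirror.
        return "report-only"
    if not in_registered_netblock(ip, netblocks):
        return "outside-netblock"
    if mirror_rev > master_rev:
        return "future-revision"
    if not metadata_is_fresh(master_rev, mirror_rev, max_age):
        return "stale"
    return "serve"


if __name__ == "__main__":
    # Constructed sample data: one registered netblock and a master revision.
    blocks = ["203.0.113.0/24"]
    master = 1217462239
    for ip, rev, window in [
        ("10.1.2.3", master, MAX_AGE_ONE_WEEK),            # private mirror
        ("198.51.100.7", master, MAX_AGE_ONE_WEEK),        # DNS moved out of block
        ("203.0.113.5", master - 86400, MAX_AGE_NEVER),    # one day behind, "never" policy
        ("203.0.113.5", master - 86400, MAX_AGE_ONE_WEEK), # one day behind, week policy
        ("203.0.113.5", master - 8 * 86400, MAX_AGE_ONE_WEEK),  # eight days behind
    ]:
        print(ip, rev, window, "->", vet_mirror(ip, blocks, master, rev, window))
```

The "never" policy is the strict one: any mirror that has not yet synced the current revision is refused, which is exactly the once-a-day-sync pain the message mentions; the one-week window keeps such mirrors in rotation while still bounding how long a deliberately frozen mirror can be served.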
