RPM security (a newbie question)
Todd Zullinger
tmz at pobox.com
Wed Apr 1 23:06:48 UTC 2009
"Stanisław T. Findeisen" wrote:
> What does the process of installing new RPM package look like? There
> are some commands that such package is allowed to execute, right?
By policy, there are things that rpm scriptlets should not do. But if
you created an rpm which had a %post section containing rm -rf /, rpm
would run it AFAIK.
> Also what's the difference between "Everything" and "Fedora" dirs in
> Fedora package tree?
The Fedora dir contains just what is included on the DVD media. The
Everything dir contains all of the packages available. Everything is
a superset of Fedora.
> I wonder how easy it is to create a rootkit/trojan horse/whatever
> and get it loaded on Fedora users' computers.
You would need to create a trojan package and get it onto the mirrors,
signed by the Fedora package signing key for a particular release.
This is not an easy task, as the keys are held pretty tightly, with
very limited access (if a handful of people can sign packages, I'd be
surprised).
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
An election is coming. Universal peace is declared and the foxes have
a sincere interest in prolonging the lives of the poultry.
-- T.S. Eliot
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 542 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/users/attachments/20090401/b04ba3f2/attachment-0001.bin
More information about the users
mailing list