[Yum] Re: [yum] Security issues with include= implementation in yum.conf

R P Herrold herrold at owlriver.com
Sat Oct 4 23:11:57 UTC 2003


On Sat, 4 Oct 2003, Matthias Saou wrote:

> >  seth said:
> > My general take is that this no big deal - but there is the possibility
> > for much abuse and much flexibility. Hard call between the two of them.
> 
> Exactly my thought, and I'd have to add :
> - Don't put any network includes at all, nor any includes to files users
>   other than root can modify, in a default package configuration of yum.

I pretty much concur on each quoted point, as the initiator of
the RFE.

But ... a *nix environment is not to protect an admin from all
possible exploits or even stupid coding or configuration
errors -- The forged DNS scenario is trivial to implement for
a determined malicious next-hop admin -- and a proper place
for a trivial protection is the use of an external CA, and the
SSL connection.  Not by it gunking up yum, trying to tell an
admin what not to do.

It is the *nix way to fashion building-block tools to make easy
things trivial, and to make hard things more possible.  I had
no intention, in making the RFE, for it to be used in general
unattended consumption.

Just to make more possible, really interesting futures with
yum config files.  I don't consider the call hard at all. This
RFE creates a doorway to a more capable future; it is up to
admins to decide to open it.

-- Russ Herrold
