On 03/31/10 11:19 AM, Rainer Orth wrote:
...
15417 pkg.depotd lacks access control
http://defect.opensolaris.org/bz/show_bug.cgi?id=15417
As soon as pkg.depotd is started, anyone can publish packages to it,
thus also updating and hijacking existing ones.
...
The second case is even worse, in my opinion. As soon as you start a
local repository, it will by default be read-write to anyone who can
access the repo at all. This obviously opens the door to all sorts of
break-ins, like publishing updated packages which include either trojan
setuid root binaries, or SMF services and method scripts which can do
about anything on the clients of the repo. This issue has been known
for at least two years (Bug 689), but nothing has been done about this
so far. You can start pkg.depotd with --readonly, but then nobody can
publish except directly into the repo via the filesystem; the necessary
procedure to do so isn't properly documented.
There are several things I'd like to point out:
* The application/pkg/server service is disabled by default; an
administrator has to enable it explicitly, which suggests that
they've read the documentation and are aware of, and intend, that
publication access is enabled. Changing the default for readonly
is fine, although again, this doesn't absolve the administrator
of their responsibilities.
* Like any service that an administrator might enable, it is important
for them to properly configure the service to fit their needs. Yes,
documentation is always helpful, no one has denied that. I had
already mentioned we had several RFEs open to expand the existing
documentation or add new documentation.
* Existing packages cannot be modified, period; the depot server does
not provide any functionality to do so. Yes, you could possibly
publish new packages, but there's no way to modify any existing
ones.
* When package signing is implemented, even if you could somehow
publish a new package to a repository, clients would reject it
since it wasn't properly signed.
Lots of changes have been planned for some time to address your
concerns, as Danek mentioned, and contributions or escalations to help
implement them are quite welcome.
Cheers,
-Shawn
_______________________________________________
caiman-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/caiman-discuss
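The readonly setting argued over above is an SMF property of the depot service, so an administrator can audit it rather than rely on the default. The following is an added example, not code from this thread or from the pkg(5) project; it assumes the property names pkg/readonly and pkg/inst_root as printed by `svcprop -p pkg svc:/application/pkg/server`, and checks both the depot flag and the on-disk repository permissions that matter once publication goes through the filesystem.

```shell
#!/bin/sh
# Added example, not code from this thread or from the pkg(5) project.
# Audits a pkg.depotd SMF configuration for the problem discussed above:
# a depot that is not read-only accepts publication from any client that
# can reach it. Assumes the property names pkg/readonly and pkg/inst_root
# as printed by `svcprop -p pkg svc:/application/pkg/server`.

# audit_depot <file-with-svcprop-output>
# Prints one FINDING line per problem; the return value is the finding count.
audit_depot() {
    findings=0
    ro=$(awk '$1 == "pkg/readonly" { print $3 }' "$1")
    root=$(awk '$1 == "pkg/inst_root" { print $3 }' "$1")

    # Unset or false means the depot is read-write to everyone (the default
    # this thread complains about); only an explicit true is acceptable.
    if [ "$ro" != "true" ]; then
        echo "FINDING: pkg/readonly is '${ro:-unset}': depot accepts publication from any client"
        findings=$((findings + 1))
    fi

    # Even a read-only depot is only as safe as its on-disk repository:
    # a group- or world-writable inst_root lets local users publish
    # directly into the filesystem, bypassing the depot altogether.
    if [ -n "$root" ] && [ -d "$root" ]; then
        perm=$(ls -ld "$root" | cut -c1-10)
        case "$perm" in
            ?????w*|????????w*)
                echo "FINDING: $root is group- or world-writable ($perm)"
                findings=$((findings + 1)) ;;
        esac
    fi
    return "$findings"
}

# Usage: svcprop -p pkg svc:/application/pkg/server > /tmp/depot.props
#        audit_depot /tmp/depot.props
```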