On Mon, 7 Nov 2005, Nick Rout wrote:
>> It disturbs me that with _every_ package I install I have to
>>     su
>>     make install
>> That leaves such a vast amount of room for mischief.
> You become root to install in order to write to directories where only
> root can write, because the security model says if you restrict write
> access to these directories then Tom, Dick or Harry cannot screw it up,
> intentionally or accidentally.
> How is it that Gobo changes that? You either have a system where you
> need to escalate your privileges in order to install software, or IMHO
> you have a recipe for disaster.
Unfortunately GoBo doesn't fix it. I didn't say it did. I said it is
heading in the right direction.
If you check all current packaging mechanisms, whether it's rpm or dpkg or
tar.gz with "make install", there is a phase where a minimally reviewed
script has unlimited root access to your system.
If GoBo is taken to its logical conclusion, then the packaging mechanism
would do the following....
1) Create the installation directory for the package:
/Programs/Foo/N.M/
2) Create a unique UID/GID for it, and run the installation magic
setuid to that unique ID so the _only_ directory in the whole system
that it has write access to is its own. The only directories it has
read access to are package directories it explicitly depends on.
3) The package may request that certain "bin" directories be put on the
path, but the packaging mechanism itself should perform that task.
4) In putting a package "bin" directory on the path, the packaging
mechanism should refuse, unless given explicit permission to by the
system distributor / administrator to put that package on the
superuser path.
5) The package mechanism should identify and warn, and provide a
mechanism for resolving, cases where a new command shadows an existing
command.
i.e. It is eminently feasible to create a system where _only_ those
very limited packages blessed by the distribution integrator and perhaps
one or two very explicitly blessed by the administrator _ever_ get to run
with unlimited root permissions.
I would also dearly love to set permissions on packages with respect to
'net access. For example something like inkscape may legitimately access
style sheets and SVG files at a remote URL. But if it _ever_ sets itself
up as a server, it has been compromised and is acting as a back door.
If for example, procmeter ever "phones home", it has been compromised.
So I'm paranoid...but that doesn't mean they aren't out to get me....
:-))
> And don't forget if you want to test you can usually install to
> somewhere in your home directory and run the program from there for a
> while.
This is the mechanism Gobo is extending.
John Carter                 Phone : (64)(3) 358 6639
Tait Electronics            Fax   : (64)(3) 359 4632
PO Box 1645 Christchurch    Email : [EMAIL PROTECTED]
New Zealand
Carter's Clarification of Murphy's Law.
"Things only ever go right so that they may go more spectacularly wrong later."
From this principle, all of life and physics may be deduced.
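The shadowing check from step 5 of the proposal, as an added example that is not code from the thread or from GoboLinux: it lists every command in a package's "bin" directory that would shadow a command already on the path being extended, so the packaging mechanism can warn instead of silently putting it on the path. The directory layout follows the thread's /Programs/Foo/N.M convention, and every path below is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from GoboLinux). All paths are
# constructed; the layout mimics /Programs/Foo/N.M/bin from the proposal.

# shadowed_commands PKG_BIN [SEARCH_PATH]
# Prints "name<TAB>existing-path" for each executable in PKG_BIN whose
# name already resolves on SEARCH_PATH (default: $PATH). Returns 0 when
# nothing is shadowed, 1 when at least one command is.
shadowed_commands() {
    pkg_bin=$1
    search=${2:-$PATH}
    found=0
    for f in "$pkg_bin"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        # Walk the search path by hand rather than relying on `which`.
        oldifs=$IFS; IFS=:
        for d in $search; do
            if [ "$d" != "$pkg_bin" ] && [ -x "$d/$name" ]; then
                printf '%s\t%s\n' "$name" "$d/$name"
                found=1
                break
            fi
        done
        IFS=$oldifs
    done
    return $found
}

# Demonstration on a constructed tree: a "system" bin holding ls, and a
# package that ships its own ls plus a genuinely new command, foo.
demo_shadow_check() {
    root=$(mktemp -d)
    sys_bin=$root/usr/bin
    pkg_bin=$root/Programs/Foo/1.0/bin
    mkdir -p "$sys_bin" "$pkg_bin"
    for c in "$sys_bin/ls" "$pkg_bin/ls" "$pkg_bin/foo"; do
        : > "$c"; chmod +x "$c"          # empty placeholder executables
    done
    if shadowed_commands "$pkg_bin" "$sys_bin"; then
        echo "no shadowing: $pkg_bin may go on the path"
    else
        echo "shadowing detected: refuse unless the administrator approves"
    fi
    rm -rf "$root"
}

demo_shadow_check
```

Running it prints the shadowed name with the path of the command it would hide (here `ls`), followed by the refusal message; the new command `foo` produces no warning.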