On Sat, 2013-05-18 at 21:13 +0200, Natanael Copa wrote:
> On Fri, 17 May 2013 12:04:01 -0400
> "Michael H. Warfield" <m...@wittsend.com> wrote:
>
> > On Fri, 2013-05-17 at 09:24 -0500, Serge Hallyn wrote:
> > > Quoting Kaarle Ritvanen (kaarle.ritva...@datakunkku.fi):
> > > > On Thu, 16 May 2013, Natanael Copa wrote:
> > > >
> > > > > On Wed, 15 May 2013 13:10:06 -0500
> > > > > Serge Hallyn <serge.hal...@ubuntu.com> wrote:
> > > > >
> > > > > > Quoting Kaarle Ritvanen (kaarle.ritva...@datakunkku.fi):
> > > > > > ...
> > > > > > > +    wget="wget -O - $repository/x86"
> > > > > > ..
> > > > > > > +    $wget/apk-tools-static-$apk_version.apk | \
> > > > > > > +        tar -Oxz sbin/apk.static > $apk || return 1
> > > > > > > +    chmod u+x $apk
> > ...
> > > > > > > +    $apk add -U --initdb --root $rootfs $apk_opts "$@"
> > ...
> > > It's the 'wget $url | /bin/sh', not the apk --allow-untrusted,
> > > that really bothers me.
> > ...
> > As a security researcher (my day job), I have to say, now that you
> > specifically pointed it out, that makes the hair on the back of my
> > neck stand up. Even if we only allow a well controlled URL we're
> > requesting, the thought of blindly piping the data returned into a
> > shell scares the crap out of me,
>
> He pipes it to tar, not to a shell.
>
> > especially since this would presumably be running as root.
>
> Running unverified static binaries as root is scary, yes.
>
> > If there was some way to download it
> > to a file and verify its contents (md5, sha1, sha256 or -preferably-
> > PGP signature) BEFORE sending it into a shell, that would make me
> > feel a lot more comfortable.
>
> There is a checksum stored in the APKINDEX.tar.gz (md5 iirc) so it is
> fully possible and pretty simple to implement checking the static
> binary.
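Review bot: in `$wget/apk-tools-static-$apk_version.apk | tar -Oxz sbin/apk.static > $apk || return 1` the only exit status that is checked is tar's, so a failed or truncated download is caught only if tar happens to reject the partial input, and nothing compares the archive against the checksum in APKINDEX.tar.gz before its contents are written to $apk, made executable by `chmod u+x $apk`, and run as root in `$apk add -U --initdb --root $rootfs ...`. Suggest downloading to a temporary file, checking it (the index checksum at minimum, a detached signature if the repository ever offers one) and only then extracting; `$apk` and `$rootfs` are paths and should be quoted as well.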
> I don't think it provides much value though, because both the APKINDEX
> and the tarball containing the static binary come from the same http
> server so it would not protect against bad binaries on a DNS hijack for
> example. (the attacker could just store the checksum for his evil static
> binary).

Correct. Which is why I said "preferably PGP signed". An attacker can
not fake that.

> -nc

Regards,
Mike
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | m...@wittsend.com
  /\/\|=mhw=|\/\/           | (678) 463-0932 | http://www.wittsend.com/mhw/
  NIC whois: MHW9           | An optimist believes we live in the best of all
  PGP Key: 0x674627FF       | possible worlds. A pessimist is sure of it!
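The download-to-a-file-then-verify flow Mike asks for above, as an added shell example that is not the lxc-alpine template's own code; the repository URL layout, the SHA-256 digest and the destination path are assumptions, and with a PGP-signed repository the digest check would be replaced by a detached-signature check such as `gpg --verify`.

```shell
#!/bin/sh
# Added example (not the lxc-alpine template's code): fetch the
# apk-tools-static package to a file, verify it, and only then extract
# sbin/apk.static. URL layout, digest and destination are assumptions.

# verify_sha256 FILE EXPECTED -> exit 0 only if FILE's SHA-256 equals EXPECTED.
# A digest served by the same host only catches corruption, not a hostile
# mirror (as the thread notes); a detached signature check would go here.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1) || return 1
    [ "$actual" = "$2" ]
}

# extract_apk_static ARCHIVE EXPECTED DEST
# Refuses to extract anything from ARCHIVE unless the digest matches, then
# writes sbin/apk.static to DEST and marks it executable. Returns 2 on
# digest mismatch, so DEST is never even created from a bad archive.
extract_apk_static() {
    archive=$1; expected=$2; dest=$3
    if ! verify_sha256 "$archive" "$expected"; then
        echo "checksum mismatch: refusing to extract $archive" >&2
        return 2
    fi
    tar -Oxzf "$archive" sbin/apk.static > "$dest" && chmod u+x "$dest"
}

# fetch_apk_static REPOSITORY VERSION EXPECTED DEST
# The network half: wget to a temporary file (never "wget -O - | tar"),
# then hand that file to extract_apk_static. Paths are quoted so odd
# values cannot split the command.
fetch_apk_static() {
    repository=$1; version=$2; expected=$3; dest=$4
    tmp=$(mktemp) || return 1
    rc=1
    if wget -q -O "$tmp" "$repository/x86/apk-tools-static-$version.apk"; then
        rc=0
        extract_apk_static "$tmp" "$expected" "$dest" || rc=$?
    fi
    rm -f "$tmp"
    return $rc
}
```

A caller then runs `fetch_apk_static "$repository" "$apk_version" "$known_sha256" "$apk"` and only proceeds to `"$apk" add ...` when it returns 0.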
_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel