peterw;340088 Wrote:
> Fourth, this is a security can of worms, especially since Logitech isn't
> signing their packages. You're placing your users one little MITM hack
> away from subverting their systems (esp. since packages can include
> scripts that run as root).
Security novice that I am, could you 'splain some things to me?

Under my old scheme (updates via cron) my update script ran as root... correct? And presumably, only root had write access to the update script... yes? So, my system(s) were presumably as secure as the update repos and packages therein. Yes?

With the plugin, if the appropriate privileges are set on the script (root: all, squeezecenter: read & execute) then, as long as root hasn't been compromised, the script hasn't been compromised... yes? And in the case where the script makes use of an update manager (yum, apt) and a pre-configured, trusted repo, doesn't that make the whole process as secure from a MITM attack as performing an update manually by typing the separate commands in a console?

In the case where a package manager is used (rpm, dpkg) in the script and it's the plugin that has downloaded the rpm or deb and the packages aren't signed, then, yes, I think I can see the potential for a MITM vulnerability. I mean, for a MITM attack to be successful, the MITM would have to feed my plugin http content other than that at the real slimdevices nightlies page such that my plugin parsed out a download URL to a "foreign" package. (I suppose that's one obvious security enhancement to my code: make sure the download URL is actually at slimdevices.com.)

Presumably, yum and apt don't share this vulnerability. Or do they? Are yum & apt just as vulnerable to MITM attacks when the packages in the repos aren't signed?

--
gharris999
------------------------------------------------------------------------
gharris999's Profile: http://forums.slimdevices.com/member.php?userid=115
View this thread: http://forums.slimdevices.com/showthread.php?t=52547
_______________________________________________
unix mailing list
[email protected]
http://lists.slimdevices.com/lists/listinfo/unix
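The two gates a download-and-install script can apply before it hands a package to rpm or dpkg, as an added example that is not part of the thread or of the plugin's own code: first, the URL parsed out of the nightlies page must use https and its host must sit on an allowlist (the post names slimdevices.com; the exact `ALLOWED_HOSTS` list is an assumption), and second, the downloaded file must match a SHA-256 digest obtained over a channel the attacker cannot also rewrite (the digest below is a placeholder for whatever a signed manifest or release page would supply). The host check alone does not close the gap for a page fetched over plain http, because whoever can alter that page in transit can alter the download as well; an independent signature or digest is what closes it, and that is the role signed repository metadata and `gpgcheck` play in apt and yum.

```sh
#!/bin/sh
# Added example, not the SqueezeCenter plugin's own code.
# Hosts we are willing to download packages from (assumed list).
ALLOWED_HOSTS="slimdevices.com www.slimdevices.com"

# url_allowed URL
# Returns 0 only when URL uses https and its host is exactly one of
# ALLOWED_HOSTS. Look-alike hosts such as slimdevices.com.example.net
# and user@host tricks such as https://slimdevices.com@example.net/
# are rejected because the host is compared whole, after stripping
# any "user@" prefix and ":port" suffix.
url_allowed() {
    url=$1
    case $url in
        https://*) ;;            # plain http can be rewritten in transit
        *) return 1 ;;
    esac
    host=${url#https://}         # drop the scheme
    host=${host%%/*}             # drop the path
    host=${host#*@}              # drop any userinfo
    host=${host%%:*}             # drop any port
    for h in $ALLOWED_HOSTS; do
        [ "$host" = "$h" ] && return 0
    done
    return 1
}

# file_matches_digest FILE EXPECTED_SHA256
# Returns 0 when FILE's SHA-256 (lowercase hex) equals EXPECTED_SHA256.
# Uses sha256sum (GNU coreutils) or shasum (BSD/macOS), whichever exists.
file_matches_digest() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# fetch_verified URL EXPECTED_SHA256 DEST
# Downloads URL to DEST only if the URL passes url_allowed, then deletes
# DEST and fails unless the digest matches. Only after this returns 0
# should the caller run "rpm -i DEST" or "dpkg -i DEST" as root.
fetch_verified() {
    url=$1
    expected=$2
    dest=$3
    url_allowed "$url" || { echo "refusing URL: $url" >&2; return 1; }
    if command -v curl >/dev/null 2>&1; then
        curl -fsSL -o "$dest" "$url" || return 1
    else
        wget -q -O "$dest" "$url" || return 1
    fi
    if ! file_matches_digest "$dest" "$expected"; then
        echo "digest mismatch for $dest, discarding" >&2
        rm -f "$dest"
        return 1
    fi
    return 0
}
```

Where the digest comes from matters as much as checking it: reading it from the same unauthenticated page the URL was parsed from adds nothing, because a MITM who rewrote the URL can rewrite the digest beside it.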
