Mailinglist Archive: opensuse (4570 mails)
Re: [opensuse] Re: warnings
- From: mop48836 <mop48836@xxxxxxxxxxxxxxx>
- Date: Mon, 07 Nov 2005 14:05:58 +0000
- Message-id: <436F5F46.3050309@xxxxxxxxxxxxxxx>
Hi,
People got tired of all those Windows vulnerabilities, in particular spyware, which I consider very nasty.
Yet, I'm writing from a Win box (with Thunderbird, at least ;) till I can choose the most practical e-mail client in KDE (either Thunderbird, or Kmail as I used before). But that is OT, and might be for another thread.
What really bothers me is what you guys pointed out:
quoting Jorge:
"That means, for example, that if the package contains
files that will go into sensible dirs like /etc, /usr etc, all of them
will belong to user kosta, which is ugly. ;-)"
So, suppose that someone builds rpms with those directives (%defattr, ...) with "common" user names, like "mike", "dave", etc.
(not like "kosta", rather unusual..) with the purpose to compromise, "statistically", those machines?
Would that be possible?
If yes, wouldn't it be a severe security flaw?? I can't believe that!!
We enjoy Linux for many reasons, and I think that at least one is to have some security integrity, not like the other OS mentioned.
I wish I am wrong, and that a distributed rpm in places not as "reliable" as sourceforge, packman, etc. could not lead anyone to having his/her Linux box compromised.
Cheers,
PatrickM
Jorge Luis Arzola wrote:
Hi:
Moreover... the bug in the package must be the following: the packager
forgot to use the %defattr directive in the %files section of the spec
file used to build the package, so permissions on the files were set
accordingly, and not to root, as the %defattr directive should have
done. As said here before, it's just a small bug in the rpm package,
as long as any user called kosta exist in the system... But hey, things
get worse if by chance a user called kosta does exist in the
system... In that case, for example, user kosta (and *NOT* root) will own
in the system *every* file within the rpm pkg, as well as every folder
in their path... That means, for example, that if the package contains
files that will go into sensible dirs like /etc, /usr etc, all of them
will belong to user kosta, which is ugly. ;-)
In fact, even official suse packages (which come with the distro) have
had this bug in the past, as the packager forgets the mentioned
directive. And I myself have found a beagle (not a suse one) package
with this error the other day.
cheers
jorge
On 11/6/05, ajtiM <ajtim@xxxxxxxxx> wrote:
On Sunday 06 November 2005 15:41, Pascal Bleser wrote:
ajtiM wrote:
Thank you very much to everyone for explanation :)
I installed package abcde with Synaptic and I got warnings:
...
While installing package abcde-2.3.3-0.pm.0:
warning: user kosta does not exist - using root
What is wrong, please?
Nothing bad.
RPM packages include a list of files that are installed (which is,
obviously, the primary goal of RPM packages ;)).
It also stores information about access rights, owner user and owner
group. It's just a slight bug in the package, as the files have been
stored as belonging to a user named "kosta" (who is most probably the
person who made the package ;)). When installing the package, RPM also
applies a "chown kosta" on the files, notices there's no user named
"kosta" on your system and falls back to chown'ing them to root.
It just gives you a warning that it did so.
Nothing bad, will work just fine, but a small bug in the package.
Please file a bug report to Packman => packman@xxxxxxxxxxxxxx
and it will be fixed.
cheers
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-help@xxxxxxxxxxxx
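
A pre-install check for the ownership problem discussed in this thread, as an added example that is not part of any of the posts: it lists the owner recorded for each file in a package and flags every non-root owner, noting whether an account of that name exists on the local system. The function names and the sample listing are constructed for illustration; only the package name abcde and the user name kosta come from the thread.

```shell
#!/bin/sh
# Reads lines of "user<TAB>group<TAB>path" on stdin and prints every entry
# whose recorded owner is not root, with a note on whether that account
# exists on this machine.
flag_nonroot_owners() {
    while IFS="$(printf '\t')" read -r user group path; do
        [ -n "$path" ] || continue
        [ "$user" = "root" ] && continue
        if id -u "$user" >/dev/null 2>&1; then
            # The case described in the thread: the files really would be
            # handed to this local account instead of root.
            status="owner-exists-locally"
        else
            # rpm prints "user ... does not exist - using root".
            status="no-such-user"
        fi
        printf '%s\t%s\t%s\t%s\n' "$user" "$group" "$path" "$status"
    done
}

# Query a package file that is not installed yet, e.g. audit_rpm ./pkg.rpm
# FILEUSERNAME, FILEGROUPNAME and FILENAMES are standard rpm query tags.
audit_rpm() {
    rpm -qp --queryformat \
        '[%{FILEUSERNAME}\t%{FILEGROUPNAME}\t%{FILENAMES}\n]' "$1" \
        | flag_nonroot_owners
}

# Constructed sample listing (not taken from a real package).
sample_listing() {
    printf 'root\troot\t/usr/bin/abcde\n'
    printf 'kosta\tusers\t/etc/abcde.conf\n'
    printf 'kosta\tusers\t/usr/share/doc/abcde/README\n'
}

# Demo on the constructed sample so the script runs without rpm installed.
sample_listing | flag_nonroot_owners
```

Any line reported as owner-exists-locally is worth resolving before installation, since those files would not end up owned by root.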