The Monday 2008-07-14 at 11:56 -0700, John Andersen wrote:
On Mon, Jul 14, 2008 at 11:25 AM, Carlos E. R.
wrote: But what do you suggest? You can't ask the people of SuSE to check and re-check the content of the OBS for each and every repo.
I have no idea. I just throw the question, then go back and watch you argue it ;-)
Most viruses/trojans are powerless to do anything but destroy data on the local machine unless or until they open a network connection.
The paragraphs above referred to the danger of someone perverting a repository and users installing perverted packages.
If there were to exist a test harness that could run any application and trap attempts to open any port (either to listen or to connect) and log these (perhaps asking for confirmation) it might be useful to detect these things.
This is available for XP and Vista, and works very well. Unfortunately you have no clue why it's opening a port, and it doesn't tell you much other than that the application tried to listen on a port.
The test harness should also not let the tested application set the execute permission on any file. This would prevent it from making an outbound connection and downloading something nasty.
Is there anything that prevents an application from setting execute permissions in SELinux?
How much of this risk would be eliminated by using the SELinux extensions?
AppArmor can do that, and more, but you need to adjust the profile for each program it runs. Or rather services. I think you cannot run both SELinux and AppArmor, and SuSE comes with the second.

--
Cheers, Carlos E. R.
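Added example, not part of the original message: the harness idea discussed in the thread (log every attempt to open a port or set execute permission) can be approximated after the fact by auditing an `strace -f` log of the program under test. The trace is constructed, `audit` is a hypothetical helper name, and the script only reports; it does not block anything.

```python
import re

# One strace line: optional pid prefix, syscall name, arguments, numeric result.
LINE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(\w+)\((.*)\)\s+=\s+(-?\d+)')
PORT = re.compile(r'sin6?_port=htons\((\d+)\)')
ADDR = re.compile(r'inet_addr\("([^"]+)"\)|inet_pton\(AF_INET6, "([^"]+)"')
MODE = re.compile(r'\b0[0-7]{3,4}\b')
PATH = re.compile(r'"([^"]*)"')

# Constructed sample, in the format printed by `strace -f`.
SAMPLE = r'''
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
connect(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
openat(AT_FDCWD, "/tmp/helper", O_WRONLY|O_CREAT, 0644) = 4
chmod("/tmp/helper", 0755) = 0
chmod("/tmp/notes.txt", 0644) = 0
[pid  4321] bind(5, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
'''

def audit(trace):
    """Return (event, detail) tuples for IP port use and exec-bit changes."""
    findings = []
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        call, args, _result = m.groups()
        if call in ("bind", "connect"):
            port = PORT.search(args)
            if not port:  # AF_UNIX, netlink etc. carry no TCP/UDP port
                continue
            addr = ADDR.search(args)
            host = (addr.group(1) or addr.group(2)) if addr else "?"
            findings.append((call, f"{host}:{port.group(1)}"))
        elif call in ("chmod", "fchmod", "fchmodat"):
            modes = MODE.findall(args)
            # The mode is the last octal argument; flag any execute bit.
            if modes and int(modes[-1], 8) & 0o111:
                path = PATH.search(args)
                target = path.group(1) if path else args.split(",")[0]
                findings.append(("chmod+x", f"{target} {modes[-1]}"))
    return findings

if __name__ == "__main__":
    for event, detail in audit(SAMPLE):
        print(f"{event:8} {detail}")
```

Failed attempts are reported too, since the result code is ignored; the local-socket lookup is skipped because it carries no port.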