Mailinglist Archive: opensuse (2803 mails)
| < Previous | Next > |
Re: [opensuse] Trojans and repository trust model [Was: A BIG "show stopper" for openSUSE at the?corporate level anyway!! ]
- From: "Carlos E. R." <robin.listas@xxxxxxxxxxxxxx>
- Date: Fri, 18 Jul 2008 02:19:43 +0200 (CEST)
- Message-id: <alpine.LSU.1.00.0807180211320.7677@xxxxxxxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
The Monday 2008-07-14 at 11:56 -0700, John Andersen wrote:
The paragraphs above referred to the danger of someone perverting a repository and users installing perverted packages.
Apparmour can do that, and more, but you need to adjust the profile for each program it runs. Or rather services. I think you can not run bot selinux and apparmour, and suse comes with the second.
- -- Cheers,
Carlos E. R.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)
iD8DBQFIf+GutTMYHG2NR9URAkfxAKCLnF5IDkt1pd5yKM08Wproer1fJQCffmvr
qb8e2USlPLPw9jacaIx+DAc=
=AyWo
-----END PGP SIGNATURE-----
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
Hash: SHA1
The Monday 2008-07-14 at 11:56 -0700, John Andersen wrote:
On Mon, Jul 14, 2008 at 11:25 AM, Carlos E. R. <carlos.e.r@xxxxxxxxxxxx> wrote:
But what do you suggest? You cann't ask the people of SuSE to check and
re-check the content of the OBS for each and every repo.
I have no idea. I just throw the question, then go back and watch you argue
it ;-)
Most viruses/trojans are powerless to do anything but destroy data
on the local machine unless or until they open a network connection.
The paragraphs above referred to the danger of someone perverting a repository and users installing perverted packages.
If there were to exist a test harness that could run any application and
trap attempts to open any port (either to listen or to connect) and log these
(perhaps asking for confirmation) it might be useful to detect these things.
This is available for XP and Vista, and works very well. Unfortunately you
have no clue why its opening a port, and it doesn't tell you much other than
that the application tried to listen on a port.
The test harness should also not let the tested application set the
execute permission on any file. This would prevent it from making
an outbound connection and downloading something nasty.
Is there anything that prevents an application from setting execute permissions
is SELinux?
How much of this risk would be eliminated by using the SELinux extensions?
Apparmour can do that, and more, but you need to adjust the profile for each program it runs. Or rather services. I think you can not run bot selinux and apparmour, and suse comes with the second.
- -- Cheers,
Carlos E. R.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)
iD8DBQFIf+GutTMYHG2NR9URAkfxAKCLnF5IDkt1pd5yKM08Wproer1fJQCffmvr
qb8e2USlPLPw9jacaIx+DAc=
=AyWo
-----END PGP SIGNATURE-----
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
| < Previous | Next > |