Mailinglist Archive: zypp-devel (116 mails)
Re: [zypp-devel] [PROPOSAL] url variables
- From: Martin Vidner <mvidner@xxxxxxx>
- Date: Mon, 11 Jun 2007 17:01:11 +0200
- Message-id: <20070611150111.GA23869@xxxxxxxxxxxxxxxx>
On Mon, Jun 11, 2007 at 04:46:50PM +0200, Stanislav Višňovský wrote:
> On Mon, 11 Jun 2007 16:31, Duncan Mac-Vicar Prett wrote:
> > - url variables "plugins": -> provide the basic ones built-in (arch,
> > releasever, etc)
> > -> in zypp.conf
> > [url-variables]
> > foo=/somescript.sh
> >
> > or by convention (just drop a script in /etc/zypp/urlvars/foo )
>
> I expect the location to be root-writeable only ;-) This might be a big
> security hole if done improperly.
Yes, remember that with yast2-metapackage-handler.rpm and related
browser enablement, the user can cause much processing of untrusted
data before being asked for confirmation.
We should explicitly drop root privileges for the variable plugins,
plus watch out for a DoS.
--
Martin Vidner, YaST developer
http://en.opensuse.org/User:Mvidner
A smoking section in a restaurant is like a fecal section in a swimming pool
--
To unsubscribe, e-mail: zypp-devel+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: zypp-devel+help@xxxxxxxxxxxx
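
One way to apply the precautions raised in this thread (a plugin location only root can write to, dropped root privileges, limits against a DoS), as an added example that is not part of the original message or of libzypp. The function names, the 65534 uid/gid, the limits and the allowed character set are assumptions.

```python
import os, re, signal, stat, subprocess, threading

MAX_LEN = 256                                # assumed cap on a variable's value, in bytes
SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]+")  # assumed charset for a URL path component

def check_plugin(path, trusted_uid=0):
    """Reject a plugin that anyone but trusted_uid could have replaced or edited."""
    path = os.path.abspath(path)
    st = os.lstat(path)                      # lstat, so a symlink is not accepted
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    parent = os.path.dirname(path)
    for p, s in ((path, st), (parent, os.stat(parent))):
        if s.st_uid != trusted_uid or s.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{p}: wrong owner or group/world-writable")

def _kill_group(pgid):
    try:
        os.killpg(pgid, signal.SIGKILL)      # the plugin and anything it spawned
    except ProcessLookupError:
        pass

def run_urlvar_plugin(path, trusted_uid=0, run_uid=65534, run_gid=65534, timeout=5.0):
    """Return the plugin's one-line value, or raise on any violation."""
    path = os.path.abspath(path)
    check_plugin(path, trusted_uid)
    drop = {}
    if os.geteuid() == 0:                    # drop root before the plugin runs
        drop = dict(user=run_uid, group=run_gid, extra_groups=[])
    proc = subprocess.Popen([path], stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
                            stderr=subprocess.DEVNULL, env={"PATH": "/usr/bin:/bin"},
                            start_new_session=True, **drop)
    timer = threading.Timer(timeout, _kill_group, (proc.pid,))
    timer.start()                            # wall-clock limit against a hanging plugin
    try:
        data = proc.stdout.read(MAX_LEN + 1) # bounded read against an output flood
        if len(data) > MAX_LEN:
            _kill_group(proc.pid)
        rc = proc.wait()
    finally:
        timer.cancel()
        proc.stdout.close()
    value = data.decode("ascii", "replace").strip()
    if rc != 0 or len(data) > MAX_LEN or not SAFE_VALUE.fullmatch(value):
        raise ValueError(f"{path}: plugin failed or returned an unusable value")
    return value
```

The `user`, `group` and `extra_groups` arguments need Python 3.9 or later.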