On Sunday 06 November 2005 15:41, Pascal Bleser wrote:

ajtiM wrote:

...

I installed package abcde with Synaptic and i got warnings:: While installing package abcde-2.3.3-0.pm.0: warning: user kosta does not exist - using root

...

...

What is wrong, please?

Nothing bad. RPM packages include a list of files that are installed (which is, obviously, the primary goal of RPM packages ;)).

It also stores information about access rights, owner user and owner group. It's just a slight bug in the package, as the files have been stored as belonging to a user named "kosta" (who is most probably the person who made the package ;)). When installing the package, RPM also applies a "chown kosta" on the files, notices there's no user named "kosta" on your system and falls back to chown'ing them to root. It just gives you a warning that it did so.

Nothing bad, will work just fine, but a small bug in the package.

Please file a bug report to Packman => packman@links2linux.de and it will be fixed.

cheers

Thank you very much to everyone for explanation :)

Hi, people got tired of all those Windows vulnerabilities, in particular spyware, which i consider very nasty. Yet, i'm writing from a Win box (with Thunderbird, at least ;) till i can chose the most pratical e-mail client in KDE (either Thunderbird, or Kmail as i used before). But that is OT, and might be for another thread. What really bothers me is what you guys pointed out: quoting Jorge: "That means, for ejemplo, that if the package contains files that will go into sensible dirs like /etc, /usr etc, all of them will belong to user kosta, which is ugly. ;-)" So, suppose that someone builds rpms with those directives (%deffatr, ...) with "common" user names, like "mike", "dave", etc. (not like "kosta", rather unusual..) with the purpose to compromise, "statistically", those machines? Would that be possible? If yes, wouldn't it be a severe security flaw?? i can't believe that!! We enjoy Linux for many reasons, and i think that at least once is to have some security integrity, not like the other OS mentionned. I wish i am wrong, and that a distributed rpm in places not as "reliable" as sourceforge, packman, etc. could not lead anyone to having his/hers Linux box compromised. Cheers, PatrickM Jorge Luis Arzola wrote:

Hi:

Moreover... the bug in the package most be the following: the packager forgot to use the %defattr directive in the %files section of the spec file used to build the package, so persmissions on the files were set acordingly, and not to root, as the %deffattr directive should have done. As said here before, it's just a small bug in the rpm package, as long a any user called kosta exist in the system...But hey, things get worse if by chance a user called kosta does exist in the system...In that case, for example, user kosta(and *NOT root) will own in the system **every file within the rpm pkg, as well as every folder in their path...That means, for ejemplo, that if the package contains files that will go into sensible dirs like /etc, /usr etc, all of them will belong to user kosta, which is ugly. ;-) In fact, even official suse packages(which come with the distro) have had this *bug in the past, as the packager forgets the mentioned directive. And I myself have found a beagle(not a suse one) package with this error the other day.

cheers

jorge

On 11/6/05, ajtiM wrote:

...

On Sunday 06 November 2005 15:41, Pascal Bleser wrote:

...

ajtiM wrote:

...

I installed package abcde with Synaptic and i got warnings:: While installing package abcde-2.3.3-0.pm.0: warning: user kosta does not exist - using root

...

...

What is wrong, please?

Nothing bad. RPM packages include a list of files that are installed (which is, obviously, the primary goal of RPM packages ;)).

It also stores information about access rights, owner user and owner group. It's just a slight bug in the package, as the files have been stored as belonging to a user named "kosta" (who is most probably the person who made the package ;)). When installing the package, RPM also applies a "chown kosta" on the files, notices there's no user named "kosta" on your system and falls back to chown'ing them to root. It just gives you a warning that it did so.

Nothing bad, will work just fine, but a small bug in the package.

Please file a bug report to Packman => packman@links2linux.de and it will be fixed.

cheers

Thank you very much to everyone for explanation :)

--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-unsubscribe@opensuse.org For additional commands, e-mail: opensuse-help@opensuse.org

--------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-unsubscribe@opensuse.org For additional commands, e-mail: opensuse-help@opensuse.org

Patrick Shanahan wrote:

* mop48836 [11-07-05 09:15]:

...

So, suppose that someone builds rpms with those directives (%deffatr, ...) with "common" user names, like "mike", "dave", etc. (not like "kosta", rather unusual..) with the purpose to compromise, "statistically", those machines?

Would that be possible?

If yes, wouldn't it be a severe security flaw?? i can't believe that!!

Which is why the _most_ rpm's are signed and their keys provided.

Please trim your quotes and refrain from top-posting. tks http://www.netmeister.org/news/learn2quote.html

Hi Patrick, sorry for the top-posting, as this has been a long enough discussion. Reading from left to right, and top to bottom. Just wrote that post a little too fast, as i felt we could be concerned in something wild. I apologize. Thanks to remind the useful link, too. About the subject: so, when rpms are signed and key provided, we can assure they are OK, that's it? Thus, a good user pratice would to never install rpms that do not fullfil those conditions; is this correct? Thanks, Patrick M

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 mop48836 wrote: ...

What really bothers me is what you guys pointed out: quoting Jorge: "That means, for ejemplo, that if the package contains files that will go into sensible dirs like /etc, /usr etc, all of them will belong to user kosta, which is ugly. ;-)"

Yes, but it's also a feature when used properly, because not everything is installed as root. Especially with daemons (servers), e.g. apache: they're often using their own, unprivileged, system account (e.g. "wwwrun" for apache), and some permissions have to be set accordingly.

So, suppose that someone builds rpms with those directives (%deffatr, ...) with "common" user names, like "mike", "dave", etc. (not like "kosta", rather unusual..) with the purpose to compromise, "statistically", those machines? Would that be possible?

Oh, sure, but you can do a lot of much nastier things with RPMs. RPMs have post-installation scripts. If you build an RPM with the following in the spec file: %post /bin/rm -rf / then, when you install that package, it will trash your system (i.e. remove all your files).

If yes, wouldn't it be a severe security flaw?? i can't believe that!!

Yes, somehow. That's why we need good packagers, a web of trust, and that's also why packages are digitally signed.

We enjoy Linux for many reasons, and i think that at least once is to have some security integrity, not like the other OS mentionned. I wish i am wrong, and that a distributed rpm in places not as "reliable" as sourceforge, packman, etc. could not lead anyone to having his/hers Linux box compromised.

Sure, it could. And you can't really change that, as you would have to strongly restrict RPM's flexibility. Some RPMs also automatically create required user accounts, etc etc... In the end, it is executing code as root. And that can punch quite a big hole in your system. But on the other hand, it's also much required to work properly. I don't really see a technical approach to avoid this. cheers - -- -o) Pascal Bleser http://linux01.gwdg.de/~pbleser/ /\\ _\_v FOSDEM 2006 -- 25+26 February 2006 in Brussels -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFDb20ir3NMWliFcXcRArv2AJwN0zoUIt0Q8xKp9avMB4p2rnShWgCfXY8z NkEOHMqxtH1Nq7gPwyLKBiw= =ukTA -----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 mop48836 wrote:

Pascal Bleser wrote: ... Thanks to your answers. So you point out the "web of trust", and that there is no technical approach to this. It's within the inherent structure of rpms, etc.

Yes.

I wish we can have the web of trust you mention, and that new users have clearly in mind what rpms can do.

http://en.wikipedia.org/wiki/Web_of_trust http://www.rubin.ch/pgp/weboftrust.en.html Go to Linux/OSS events, meet up with people, always have a fingerprint of your public key with you, sign the keys of people who give you their fingerprints and show their ID. That's how to build a web of trust. And ultimatively, trust people who have signed the keys of the packagers who made the packages you're installing ;-) cheers - -- -o) Pascal Bleser http://linux01.gwdg.de/~pbleser/ /\\ _\_v FOSDEM 2006 -- 25+26 February 2006 in Brussels -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFDb3Ypr3NMWliFcXcRAkP2AKCwsJnavR1lpk+eB29cTbXoLNJBJACfcfrO ZidEUDyVSpo+Ro4F0jA23yo= =b775 -----END PGP SIGNATURE-----