tech-pkg archive


Rename and signed packages



Hi all,
when dealing with signed packages there's one problem we don't deal with
right now. What happens if Eve renames binary packages on the server?
She might trick Alice into running "pkg_add perl" and it really installs
"broken_suid_root-1.23". If she also has a shell account on Alice's
machine, she now has root permissions. For pkg_install-renovation I have
the infrastructure to deal with it, the question is what should be done.

(1) If a package is installed as dependency or via PKG_PATH, check that
the file name matches the package name (+ suffix).

(2) If a package is installed as dependency or via PKG_PATH, check that
the package name matches the pattern used to find it.

(3) Always do the check of (1) or (2) unless a full path is given on the
command line.

Joerg
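
The following is an added illustration of the three options above, written
for this archive page; it is not code from pkg_install or from Joerg. It
models a fetched binary package as the file name it was retrieved under plus
the PKGNAME recorded in its metadata, and applies option (1) (file name must
be PKGNAME plus suffix), option (2) (PKGNAME must satisfy the pattern that
selected the file) and option (3) (skip both when the user gave a full
path). The suffix list, the simplified dewey comparison, the treatment of a
bare name as name-[0-9]*, and the sample package names and server URL are all
assumptions made for the example.

```python
"""Model of the checks proposed in the mail above (added illustration, not
pkg_install code).  A package is represented by the file name it was fetched
under and the PKGNAME recorded in its metadata; all inputs are constructed."""
import os
import re
from fnmatch import fnmatchcase

SUFFIXES = (".tgz", ".tbz", ".txz")   # assumed binary package suffixes


def pkgname_from_filename(filename):
    """'ftp://h/pkgs/perl-5.10.0.tgz' -> 'perl-5.10.0' (input to check 1)."""
    base = os.path.basename(filename)
    for suffix in SUFFIXES:
        if base.endswith(suffix):
            return base[:-len(suffix)]
    raise ValueError("not a binary package file name: %r" % filename)


def split_pkgname(pkgname):
    """'py27-foo-1.2nb3' -> ('py27-foo', '1.2nb3'); version follows the last '-'."""
    name, sep, version = pkgname.rpartition("-")
    if not sep or not version[:1].isdigit():
        raise ValueError("PKGNAME has no version: %r" % pkgname)
    return name, version


_MODIFIERS = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}


def dewey(version):
    """Simplified dewey key (assumption): numeric components, pre-release words
    sort below the release, letters count as small positives, nbN is separate."""
    body, _, nb = version.partition("nb")
    components = []
    for token in re.findall(r"\d+|[A-Za-z]+", body):
        if token.isdigit():
            components.append(int(token))
        elif token.lower() in _MODIFIERS:
            components.append(_MODIFIERS[token.lower()])
        else:
            components.append(sum(ord(c) - ord("a") + 1 for c in token.lower()))
    return components, int(nb) if nb.isdigit() else 0


def dewey_cmp(a, b):
    """-1, 0 or 1 for a <, ==, > b; missing components compare as 0."""
    ca, na = dewey(a)
    cb, nb = dewey(b)
    width = max(len(ca), len(cb))
    ca += [0] * (width - len(ca))
    cb += [0] * (width - len(cb))
    if ca != cb:
        return -1 if ca < cb else 1
    return (na > nb) - (na < nb)


_OPS = {">=": lambda c: c >= 0, ">": lambda c: c > 0,
        "<=": lambda c: c <= 0, "<": lambda c: c < 0}


def expand_alternates(pattern):
    """'{perl,perl5}-[0-9]*' -> ['perl-[0-9]*', 'perl5-[0-9]*']."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    expanded = []
    for alt in m.group(1).split(","):
        expanded.extend(expand_alternates(pattern[:m.start()] + alt + pattern[m.end():]))
    return expanded


def pkg_match(pattern, pkgname):
    """Does PKGNAME satisfy PATTERN?  Handles {a,b} alternates, dewey ranges
    such as perl>=5.8<6, csh-style globs, exact PKGNAMEs, and a bare name,
    which is taken as name-[0-9]* (assumed to be what 'pkg_add perl' asks for)."""
    for p in expand_alternates(pattern):
        m = re.match(r"^([^<>=]+?)((?:[<>]=?)\S+)$", p)
        if m:
            name, version = split_pkgname(pkgname)
            if name != m.group(1):
                continue
            conditions = re.findall(r"([<>]=?)([^<>=]+)", m.group(2))
            if all(_OPS[op](dewey_cmp(version, want)) for op, want in conditions):
                return True
        elif any(c in p for c in "*?["):
            if fnmatchcase(pkgname, p):
                return True
        elif p.rpartition("-")[2][:1].isdigit():
            if p == pkgname:
                return True
        elif fnmatchcase(pkgname, p + "-[0-9]*"):
            return True
    return False


def check_package(filename, pkgname, pattern=None, explicit_path=False):
    """Return the list of violations (empty means accept).  Option 3: skip
    when the user named a full path.  Otherwise option 1 (file name must be
    PKGNAME plus suffix) and, if a pattern selected the file, option 2."""
    if explicit_path:
        return []
    problems = []
    if pkgname_from_filename(filename) != pkgname:
        problems.append("file %s contains %s" % (os.path.basename(filename), pkgname))
    if pattern is not None and not pkg_match(pattern, pkgname):
        problems.append("%s does not match requested pattern %s" % (pkgname, pattern))
    return problems


if __name__ == "__main__":
    # Constructed scenario from the mail: Eve stored broken_suid_root-1.23
    # under the name perl-5.10.0.tgz on a PKG_PATH server.
    url = "ftp://ftp.example.org/packages/perl-5.10.0.tgz"
    print(check_package(url, "broken_suid_root-1.23", pattern="perl"))
    print(check_package(url, "perl-5.10.0", pattern="perl>=5.8<6"))
```

Running the scenario, the renamed file fails both checks: the file name says
perl-5.10.0 but the metadata says broken_suid_root-1.23, and that PKGNAME does
not satisfy the "perl" request. Only an explicit path on the command line, as
in option (3), bypasses the comparison, since there the user chose the file
and there is no name to compare against.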

