Re: third-party packages adding apt sources

To: debian-project@lists.debian.org
Subject: Re: third-party packages adding apt sources
From: Paul Wise <pabs@debian.org>
Date: Sun, 22 May 2016 09:44:26 +0800
Message-id: <[🔎] CAKTje6G0qmDh6+chgS1q4uSFeSAfnmJd0juR18e4DaLtH+qmaA@mail.gmail.com>
In-reply-to: <[🔎] 20160521123219.GA9429@angband.pl>
References: <[🔎] 573DD944.3010208@pocock.pro> <[🔎] CAKTje6Fh0196zgfYzgakOi56mWEGgj82ib1xmVdjNGF1mznR3Q@mail.gmail.com> <[🔎] 20160521123219.GA9429@angband.pl>

On Sat, May 21, 2016 at 8:32 PM, Adam Borowski wrote:

> This looks wrong to me: a vast majority of machines these days have a single
> user, thus pwning root gives you little additional gain.

Getting further into a system (user -> root -> GRUB -> MBR -> boot
firmware -> peripheral firmware) gives a successful attack much more
persistence. This is why the TLAs go as deep as they can.

> So, for running untrusted code you should execute it solely in a special
> environment of some kind.  And if you're not executing those binaries
> directly, what's the point in putting them into the standard paths?

No idea what anarcat's thoughts were but I can think of two reasons:

Prevents those binaries from being modified by the binaries themselves
or other programs run by the user.

Makes integration with the rest of the system easier.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Reply to:

References:
- third-party packages adding apt sources
  - From: Daniel Pocock <daniel@pocock.pro>
- Re: third-party packages adding apt sources
  - From: Paul Wise <pabs@debian.org>
- Re: third-party packages adding apt sources
  - From: Adam Borowski <kilobyte@angband.pl>

Prev by Date: Upcoming stable point release (8.5)
Next by Date: Re: third-party packages adding apt sources
Previous by thread: Re: third-party packages adding apt sources
Next by thread: question precise
Index(es):
- Date
- Thread