Re: The Python Registrar
On Mon, Feb 25, 2002 at 12:55:01PM +1000, Anthony Towns wrote:
> On Sun, Feb 24, 2002 at 05:38:25PM +0100, Carel Fellinger wrote:
> > Are you sure all package names are sane? Or could some joker distribute a
> > (non official of course) python package with a name just waiting to exploit
> > this unsanitized use of its name in a script running as root?
>
> Huh? Aren't these things only called after the package is installed (or while
> it's installing)? In which case, the joker's non-official python package has
> already had its postinst run as root, and the joker already has complete
> control of your machine.
Yeah, that thought occurred to me after posting my "fixes".
Still... shell-script security advice to avoid standard risks is always
worth getting :-)
--
----------------------------------------------------------------------
ABO: finger abo@minkirri.apana.org.au for more info, including pgp key
----------------------------------------------------------------------
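
An added example, not part of the original message or of the script under discussion: a POSIX shell check that rejects any name outside the character set Debian Policy allows for package names before a root-run script uses it, and that keeps every expansion quoted. The function names and the sample names are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check package names before a root-run script uses them.
# Debian Policy: lower-case letters, digits, '+', '-', '.', at least two
# characters, and the first character must be alphanumeric.

# Force byte-wise ranges so [a-z] cannot match upper case in some locales.
LC_ALL=C
export LC_ALL

# is_sane_pkgname NAME: exit status 0 if NAME is an acceptable package name.
is_sane_pkgname() {
    name=$1
    # Too short (this also rejects the empty string).
    [ "${#name}" -ge 2 ] || return 1
    case $name in
        [!a-z0-9]*) return 1 ;;      # leading '-', '.', '/', space, ...
        *[!a-z0-9+.-]*) return 1 ;;  # any character outside the allowed set
    esac
    return 0
}

# filter_pkgnames NAME...: print the accepted names one per line.
# Exit status is non-zero if at least one name was rejected.
filter_pkgnames() {
    rejected=0
    for candidate in "$@"; do
        if is_sane_pkgname "$candidate"; then
            # Always quoted, so the name is never word-split or globbed.
            printf '%s\n' "$candidate"
        else
            printf 'rejected package name: [%s]\n' "$candidate" >&2
            rejected=$((rejected + 1))
        fi
    done
    [ "$rejected" -eq 0 ]
}

# Constructed sample input: two ordinary names and three hostile-looking ones.
filter_pkgnames python2.1-foo 'libstdc++6' 'pkg;echo injected' '-x' '../etc' \
    || echo "some names were rejected" >&2
```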