
Re: Does Debian need to enforce a better Security policy for packages?



On Tue, Oct 23, 2001 at 01:17:14AM +0200, Javier Fernández-Sanguino Peña wrote:
> 
> 	So, is it possible to limit those scripts or am I just thinking on
> trying to put a fence around the desert? (not really sure if that's the
> appropriate expression BTW :P

even without maintainer scripts there are plenty of ways to do evil
in a trojan.deb (or trojan.tgz, or trojan.rpm...)

simply including an /etc/passwd with backdoor accounts comes to mind.
since /etc/passwd belongs to no package dpkg won't complain. (i don't
think so anyway.. i haven't tested this)

of course that particular example would be noticed since the existing
accounts would be gone.. but you get the idea.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
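
The following is an added example, not part of the original message or of dpkg: a pre-install check for the case described above, where a package ships a file that already exists on the host but belongs to no package. It assumes the listing comes from `dpkg-deb -c` and that the caller has built the set of unowned paths on the target host; the sample listing, the sample set and the function names are constructed for illustration.

```python
import posixpath

# Constructed sample in the format printed by `dpkg-deb -c package.deb`.
SAMPLE_LISTING = """\
drwxr-xr-x root/root         0 2001-10-23 01:17 ./
drwxr-xr-x root/root         0 2001-10-23 01:17 ./etc/
-rw-r--r-- root/root       612 2001-10-23 01:17 ./etc/passwd
drwxr-xr-x root/root         0 2001-10-23 01:17 ./usr/
drwxr-xr-x root/root         0 2001-10-23 01:17 ./usr/bin/
-rwxr-xr-x root/root     18432 2001-10-23 01:17 ./usr/bin/frobnicate
lrwxrwxrwx root/root         0 2001-10-23 01:17 ./usr/bin/frob -> frobnicate
"""

# Assumption: built on the target host from existing paths for which
# `dpkg -S <path>` reports no owning package. Constructed values.
SAMPLE_UNOWNED = {"/etc/passwd", "/etc/group", "/etc/hostname"}


def shipped_paths(listing):
    """Yield (type_char, absolute_path) for each entry of a dpkg-deb -c listing."""
    for line in listing.splitlines():
        # Fields: mode, owner/group, size, date, time, name
        fields = line.split(None, 5)
        if len(fields) != 6:
            continue
        mode, name = fields[0], fields[5]
        # Symlink and hardlink entries append their target to the name.
        for sep in (" -> ", " link to "):
            name = name.split(sep, 1)[0]
        # "./etc/passwd" and "./etc/" become "/etc/passwd" and "/etc".
        yield mode[0], posixpath.normpath("/" + name.lstrip("/"))


def unowned_overwrites(listing, unowned_existing):
    """Return shipped non-directory paths that exist unowned on the host."""
    hits = {
        path
        for kind, path in shipped_paths(listing)
        if kind != "d" and path in unowned_existing
    }
    return sorted(hits)


if __name__ == "__main__":
    for path in unowned_overwrites(SAMPLE_LISTING, SAMPLE_UNOWNED):
        print("package ships unowned system file:", path)
```
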
