Hodgins Family wrote:
> Are net installs (let's say for a Desktop environment) totally without
> vulnerability risks?
>
> When, during an installation, do/should people think about
> security/vulnerability issues of the software they are installing?

Well, let's see.. to perform a network install, you download a netinst iso from the web. This is an excellent opportunity for an attacker to feed you a compromised image that will be running as root on your computer. You can avoid this risk by checking the MD5SUMS file in the same directory as the iso, and using the MD5SUMS.sign file to check that the MD5SUMS file isn't compromised too. Assuming that you have some way of running gpg, and some way of trusting the person who signed the image. Also assuming that the image you're downloading is a released version of the installer; daily builds aren't signed.

Shortly after the installer boots up, it's connected to the network[4]. At this point it's vulnerable to anything that any linux kernel on the network is vulnerable to. If there's a remote exploit in the linux kernel, an attacker could compromise your installer as it's running. Suitable remote exploits are fairly rare, and the installer is probably not an ideal target to compromise, since it's not very similar to a standard linux distribution[3].

The only network services that the installer uses are dns and http, with the http being done by busybox wget and by apt. Any remote exploits in those programs could also be used to exploit the installer. All data received via http is required to be signed with gpg keys built into the installer[2]. While this does mean that remote exploits in gnupg[0] could also be used to exploit the installer, it cuts off most potential for the packages that are downloaded to be compromised.

No additional services are started during the installation process[1].

Once the installation is complete and it boots into the installed system, whatever services are started by the tasks you selected are running, and any security issues with those have to be considered.

-- 
see shy jo

[0] Eg: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6235
[1] Unless you tell the installer to open a ssh network console.
[2] Only true for the etch installer; the current stable version of the installer does not use gpg signatures.
[3] Ie, it's running from a ramdisk, and is going to reboot in N minutes into the installed system..
[4] Suppose I should mention that it uses dhclient, for completeness.
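The MD5SUMS / MD5SUMS.sign check that the reply recommends for a downloaded netinst iso, written out as an added shell example (this is not code from the original mail or from the Debian installer). It assumes the MD5SUMS file has one `hash  ./filename` line per image, that `md5sum`, `awk` and `gpg` are on the path, and that the signer's key is already in your keyring and trusted; the iso file name used in the demo is constructed.

```shell
#!/bin/sh
# Added example: verify a downloaded netinst iso against MD5SUMS, after
# checking the detached signature MD5SUMS.sign with gpg.
# Assumptions: MD5SUMS lines look like "<md5>  ./<filename>", the signing
# key is already imported and trusted, and md5sum/awk/gpg are available.

# Step 1: confirm that MD5SUMS itself is authentic. gpg exits non-zero if the
# signature does not verify or the key is unknown, so a bad MD5SUMS is
# rejected before any hash is compared.
verify_md5sums_signature() {
    sums="$1"
    gpg --verify "${sums}.sign" "$sums"
}

# Step 2: compare the iso's md5 with its entry in MD5SUMS.
# Returns 0 on match, 1 on mismatch, 2 if the iso has no entry at all
# (an image that is not listed must not be treated as verified).
check_iso_against_sums() {
    iso="$1"
    sums="$2"
    name=$(basename "$iso")
    # strip a leading "./" from the listed path before comparing names
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\.\//, "", f); if (f == n) print $1 }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Both steps together: signature first, then the hash.
verify_iso() {
    iso="$1"
    sums="$2"
    if ! verify_md5sums_signature "$sums"; then
        echo "MD5SUMS signature did not verify; not checking $iso" >&2
        return 1
    fi
    check_iso_against_sums "$iso" "$sums"
}

# Demonstration on constructed data (no network, no gpg): build a fake iso and
# a matching MD5SUMS in a temp dir, run the hash check, then clean up.
demo() {
    dir=$(mktemp -d)
    printf 'constructed netinst image\n' > "$dir/debian-netinst.iso"
    sum=$(md5sum "$dir/debian-netinst.iso" | awk '{ print $1 }')
    printf '%s  ./debian-netinst.iso\n' "$sum" > "$dir/MD5SUMS"
    if check_iso_against_sums "$dir/debian-netinst.iso" "$dir/MD5SUMS"; then
        echo "demo: iso matches its MD5SUMS entry"
    else
        echo "demo: iso does NOT match its MD5SUMS entry"
    fi
    rm -rf "$dir"
}

demo
```

For a real download you would call `verify_iso debian-netinst.iso MD5SUMS` from the directory holding all three files; the signature step is what gives the hash list any value, since an attacker who can replace the iso can just as easily replace an unsigned MD5SUMS next to it.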