
Re: [cobalt-security] Know your PKGs [was: Unofficial PHP 4.1.2 PKG available]



These are all very good points.  The heart of the matter, as with any
security issue, is trust.  Don't download and run programs you don't
trust.  Doing so is a sure-fire way to get intimate knowledge of the
Cobalt OS Restore CD process.

Thanks for the added feedback.
Matt Nuzum

On Mon, 2002-03-04 at 23:38, Zeffie wrote:
    Just thought I would jump in here and mention a few things....
    
    > The pkg specification allows a way to embed this "spyware" into a PKG
    > file.  Many packages don't use this, but if you don't check, how would
    > you know?
    
    as pointed out by others already, it is not spyware..
    
    > So how do you check?  Well, the easiest way is to just rename it from
    > filename.pkg to filename.tgz.  Pkg files are just tarballs, with a
    > different extension.
    
    you shouldn't have to rename it...
    
    > Note that there will probably be some RPMs, TGZ files and, more
    > importantly, some shell scripts that handle the details of installing
    > and uninstalling.
    
    a package shouldn't have a tgz, tar.gz, Z, or anything else but rpm's and
    maybe some patch files.  If it does, it's a sign of poor work.
    
    > These shell scripts are generally pretty simple and can be understood by
    > most sys-admins, even if you don't write shell scripts.
    
    when reviewing a pkg you should review all scripts and patches.
    
    > Need more info about what's in a PKG file?
    > These two RPM commands will give you a lot more detail:
    > rpm -qip RPMFILE.rpm
    > - this will list all of the rpm details, similar to what you might see
    > visiting rpmfind.net
    > rpm -qlp RPMFILE.rpm
    > - this will list all of the files that are inside of an RPM, including
    > the installation paths for these files.
    
    The package format allows for scripts to be run as root.
    Rpms can contain scripts that run as root.
    
    As many of you know, several of the rpms I have made for the cobalt products
    automatically "notify" or "e-mail" root@localhost with instructions and/or
    details about the rpm.  You should be aware that it is very easy to "e-mail"
    any file on the server anywhere, or anything else you might want to do.
    Like opening a backdoor, etc..
    
    ok well that's bad huh :(  well let me continue.
    
    let's say you take some source code from somebody instead of getting it from
    the source and checking it.  well it's possible to edit the source code so
    when compiled it (ls for example) sends out a file of choice or even opens a
    back door or both!
    
    So what do you do.....
    
    be very careful about where you get your pkg files.
    be very careful where you get your rpms.
    build what you need, when you need it, as your own rpm or find someone you
    can trust to do it.
    
    Zeffie
    http://www.zeffie.com/
    "Don't take candy or rpms from strangers"
    
    
    _______________________________________________
    cobalt-security mailing list
    cobalt-security@xxxxxxxxxxxxxxx
    http://list.cobalt.com/mailman/listinfo/cobalt-security
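The inspection routine the thread describes (list the tarball without renaming it, pull out every script and patch for review, flag nested archives that are not RPMs, and query each RPM's details, file list and root-run scriptlets), written up as an added shell example. This is not code from either poster or from Cobalt; the helper names are hypothetical, and the sample .pkg that `make_sample_pkg` builds is constructed here so the script runs offline. `rpm -qp --scripts` is the standard rpm(8) query that prints the pre/post install and uninstall scriptlets Zeffie warns about; it is only invoked when rpm is installed.

```shell
#!/bin/sh
# Added example (not from either poster): inspect a Cobalt-style .pkg the way
# the thread describes, without renaming it. A .pkg is a gzipped tarball, so
# tar(1) reads it directly. All function names are hypothetical helpers; the
# package built by make_sample_pkg is constructed for this example only.

# Build a small constructed .pkg: one install script, one (fake) RPM, and a
# stray .tgz of the kind Zeffie calls a sign of poor work. Prints its path.
make_sample_pkg() {
    dir=$(mktemp -d)
    mkdir -p "$dir/pkg/scripts"
    printf '#!/bin/sh\necho "installing"\n' > "$dir/pkg/scripts/install.sh"
    printf 'not a real rpm\n' > "$dir/pkg/example-1.0-1.i386.rpm"
    printf 'stray archive\n' > "$dir/pkg/extra.tgz"
    ( cd "$dir/pkg" && tar -czf "$dir/sample.pkg" . )
    echo "$dir/sample.pkg"
}

# List every entry in the .pkg; no rename to .tgz is needed.
list_pkg() {
    tar -tzf "$1"
}

# Unpack the .pkg into a fresh temp dir and print that dir's path.
unpack_pkg() {
    workdir=$(mktemp -d)
    tar -xzf "$1" -C "$workdir" || return 1
    echo "$workdir"
}

# Count shell scripts and patches; each one must be read in full, since the
# package format lets them run as root at install time.
count_pkg_scripts() {
    workdir=$(unpack_pkg "$1") || return 1
    n=$(find "$workdir" -type f \( -name '*.sh' -o -name '*.patch' -o -name '*.diff' \) | wc -l | tr -d ' ')
    rm -rf "$workdir"
    echo "$n"
}

# Succeed (exit 0) if the .pkg carries nested archives other than RPMs.
pkg_has_stray_archives() {
    workdir=$(unpack_pkg "$1") || return 1
    n=$(find "$workdir" -type f \( -name '*.tgz' -o -name '*.tar.gz' -o -name '*.Z' -o -name '*.tar' \) | wc -l | tr -d ' ')
    rm -rf "$workdir"
    [ "$n" -gt 0 ]
}

# For a real RPM: the two queries from the thread plus --scripts, which dumps
# the pre/post install and uninstall scriptlets that rpm runs as root.
show_rpm_details() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm(8) not installed; cannot query $1"; return 2; }
    rpm -qip "$1" && rpm -qlp "$1" && rpm -qp --scripts "$1"
}

# Stand-alone demo on the constructed sample.
SAMPLE=$(make_sample_pkg)
echo "== entries in $SAMPLE =="
list_pkg "$SAMPLE"
echo "== scripts/patches to review: $(count_pkg_scripts "$SAMPLE") =="
if pkg_has_stray_archives "$SAMPLE"; then
    echo "== warning: nested archives other than RPMs present =="
fi
WORK=$(unpack_pkg "$SAMPLE")
for r in $(find "$WORK" -type f -name '*.rpm'); do
    echo "== $r =="
    show_rpm_details "$r" || echo "(query failed: the sample RPM is a placeholder, not a real package)"
done
rm -rf "$WORK"
```

On a real download, point `list_pkg`, `count_pkg_scripts` and `pkg_has_stray_archives` at the .pkg first, then read every script and patch they surface before `show_rpm_details` on each RPM; the scriptlet dump is where a "notify root" mailer, or anything less benign, would live.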