[oe] HEADS UP: insane.bbclass will now detect and stop the build on wrong RPATHs.
Justin Patrin
papercrane at gmail.com
Thu Apr 26 22:16:14 UTC 2007
On 4/26/07, Graeme Gregory <dp at xora.org.uk> wrote:
>
> > A "huge gaping security hole" that requires you to download a
> > malicious ipk with malicious libraries which figures out what your
> > build path was, then installs those libraries there.
> >
> > Or you could just download a malicious ipk which overwrites the actual
> > libraries.
> >
> > I don't see what's hude or gaping about this.
> >
> Maybe you should rethink that before getting all sarcastic.
>
> /home/XXX/ hmmm, thats publically writable to users.
>
I was under the impression that /home was normally writable only by
root and the subdirs were normally only writable by the user who owns
the directory (yes, I know you can set them differently if you want).
I know I wouldn't want joe-the-user creating directory /home/justinpa
to try to confuse justinp whose home dir is /home/justinp.
> And why do malicious libraries need to come in ipk files.
>
I suppose they don't. I admit I was thinking in "Embedded" mode, which
normally means single-user to me. Still, it would have to be someone
putting files in a very specific place which should normally be only
writable by a super-user. Of course someone could use security holes
in another program to write the files, etc etc.
I'm not saying this doesn't need to be fixed, just that it seemed like
a big inconvenience for those using OE who couldn't fix the problem.
Then again it seems that someone came up with a hack at least, so....
--
Justin Patrin
More information about the Openembedded-devel
mailing list