Date: Mon, 21 May 2007 18:15:19 +0100
Content-Type: TEXT/PLAIN
On Thu, 17 May 2007, Keith Lofstrom wrote:
> I run ancient old tripwire nightly on my machines. Yesterday, on my
> SL4.4 laptop, I noticed that it had found changes to "vipw" and other
> security related tools. A little concerned, I downloaded the latest
> version of chkrootkit and ran it, finding no problems. I looked at
> the yum logs, and found a yum upgrade of util-linux from sl-errata;
> the header file shows that vipw and the rest had been updated.
>
> False alarm, I am probably safe, assuming no outbreak of evil at SL or
> TUV (=The Upstream Vendor in North Carolina, for those wondering).
I should have commented that turning on gpgcheck in each of the repos you
have enabled for updates will ensure that someone can't just get you to
run arbitrary code if they break into the SL servers (or whichever mirror
you use). Instead they would also need to force one of the SL people to
sign the dodgy package as well...
Of course that will only work if you have imported the GPG keys for the
people/sites you trust, or does yum do that automatically (I see there is
a gpgkey entry for each repo listing the keys one expects to find used
there).
I'm now puzzling over why the default seems to be to ship with all the
yum.repos.d/ entries having gpgcheck=0; surely the extra work of doing a
sig-check isn't so great, is it?
-- Jon
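The gpgcheck question raised in the message above, as an added example that is not part of the original thread or of Scientific Linux's own tooling: a POSIX shell script that audits yum .repo files for enabled repositories which would accept unverified packages (gpgcheck missing or 0, or gpgcheck=1 with no gpgkey= line to fetch a key from) and rewrites them with gpgcheck=1. The three-repo sample file it writes is constructed for the demo, its mirror and key URLs are placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example for the gpgcheck discussion above; it is not code from the
# original thread or from Scientific Linux. It audits yum .repo files for
# enabled repositories that would accept unverified packages and rewrites
# them to gpgcheck=1. The repo file written by write_sample_repo is
# constructed for this demo; its mirror and key URLs are placeholders.

# Write a constructed three-repo file to the path in $1:
#   sl-base    enabled, gpgcheck=0, key URL present   -> problem
#   sl-errata  enabled, gpgcheck=1, no gpgkey line    -> key must be imported by hand
#   sl-testing disabled                               -> ignored
write_sample_repo() {
    cat > "$1" <<'EOF'
[sl-base]
name=SL base (placeholder)
baseurl=http://mirror.example.org/sl/44/$basearch/SL/
enabled=1
gpgcheck=0
gpgkey=http://mirror.example.org/sl/RPM-GPG-KEY-sl

[sl-errata]
name=SL errata (placeholder)
baseurl=http://mirror.example.org/sl/44/$basearch/errata/SL/RPMS/
enabled=1
gpgcheck=1

[sl-testing]
name=SL testing (placeholder)
baseurl=http://mirror.example.org/sl/44/$basearch/testing/
enabled=0
EOF
}

# For each .repo file given, print "<section> NOCHECK" for enabled repos whose
# gpgcheck is missing or not 1, and "<section> NOKEY" for enabled repos that
# check signatures but name no gpgkey (yum then has nothing to fetch, so the
# key must already be in the rpm keyring). A missing enabled= means enabled,
# and a missing gpgcheck= is treated as unchecked, the conservative reading.
audit_repo_file() {
    for f in "$@"; do
        awk '
            function val(line,    kv) {
                split(line, kv, "="); gsub(/[[:space:]]/, "", kv[2]); return kv[2]
            }
            function report() {
                if (sec == "" || enabled == "0") return
                if (gpgcheck != "1")   print sec " NOCHECK"
                else if (gpgkey == "") print sec " NOKEY"
            }
            /^[[:space:]]*\[/ {
                report()
                sec = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec)
                enabled = "1"; gpgcheck = ""; gpgkey = ""
                next
            }
            /^[[:space:]]*enabled[[:space:]]*=/  { enabled  = val($0) }
            /^[[:space:]]*gpgcheck[[:space:]]*=/ { gpgcheck = val($0) }
            /^[[:space:]]*gpgkey[[:space:]]*=/   { gpgkey   = val($0) }
            END { report() }
        ' "$f"
    done
}

# Print $1 with every gpgcheck= line forced to 1 and gpgcheck=1 appended to
# sections that lack one. Blank lines are held back so the added line stays
# inside its section. gpgkey= is deliberately left alone: only the real key
# location belongs there, and that is not something a script should guess.
enforce_gpgcheck() {
    awk '
        function flush(    i) {
            if (sec != "" && !seen) print "gpgcheck=1"
            for (i = 0; i < blanks; i++) print ""
            blanks = 0
        }
        /^[[:space:]]*$/ { blanks++; next }
        /^[[:space:]]*\[/ { flush(); sec = $0; seen = 0; print; next }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ { print "gpgcheck=1"; seen = 1; next }
        { for (i = 0; i < blanks; i++) print ""; blanks = 0; print }
        END { flush() }
    ' "$1"
}

# Demo on the constructed file. On a real box the calls would be
#   audit_repo_file /etc/yum.repos.d/*.repo
#   enforce_gpgcheck /etc/yum.repos.d/sl.repo > sl.repo.new
# and the keys named under gpgkey= are loaded into the rpm keyring with
#   rpm --import RPM-GPG-KEY-sl        # rpm -qa 'gpg-pubkey*' lists imported keys
#   rpm -K some-package.rpm            # manual signature check of one package
tmp=$(mktemp)
write_sample_repo "$tmp"
echo "== enabled repos that do not enforce or cannot verify signatures =="
audit_repo_file "$tmp"
echo "== hardened file =="
enforce_gpgcheck "$tmp"
rm -f "$tmp"
```

Forcing gpgcheck=1 on a repo whose signing key is not in the rpm keyring makes yum refuse that repo's packages rather than install them unverified, which is the intended failure mode; the key itself should be obtained and imported through a path you trust independently of the mirror, since a key fetched from a compromised mirror proves nothing about packages from the same mirror.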