Re: How secure is Preupgrade? Answer: Not.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Beartooth Sciurivore wrote:
On Wed, 21 May 2008 00:27:17 +0200, Björn Persson wrote:

I want to thank Bjorn for doing the research on this.
I went ahead and read the code. [....]

I've got my answer: Preupgrade is not secure. I'll continue upgrading
the way I've done it before – either with Yum or from a DVD image on a
USB stick.

Dumb question, probably : if you install and run preupgrade according to http://fedoraproject.org/wiki/PreUpgrade, BUT let it stop after downloading boot images, is there some user-friendly thing you can do then to make it secure? Something on the order of getting into a directory and commanding, in effect, "check all signatures"?

	Or had we just better wait till PreUpgrade 1.0 comes out? Or ...?

If the latter, do we need to get rid of whatever-all 0.9.3-3 downloaded? Or will we be able to just "yum update PreUpgrade" in F8 and then run it again?

If you wanted to, you could verify the files yourself before they are installed as you mentioned above. Preupgrade puts them in a folder /var/cache/yum/anaconda-upgrade/packages. When it has finished downloading it requires rebooting before it will start install. So you could run rpm on the files to validate that they have proper md5 sums at that time. I think it would be rpm --checksig *.rpm while in the directory.

Because of Bjorn's research, I ran rpm -qa -V on my preupgraded Fedora 9 to see if the md5 sums for installed packages are valid. There were some packages with failed sums, but they were mostly configuration files that didn't get updated and other non critical things. If anaconda uses rpm to do the upgrade, there is a blurb in the man file stating that rpm automatically does the md5 check on install. I think these are signed with a Fedora specific key, so they would fail if they weren't official or were tampered with.

I'm not a security expert, so these might not answer the security problem. Definitely should be a check in preupgrade itself.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux