[CentOS] yum/RPM and Trust on First Use
Ned Slider
ned at unixmail.co.uk
Sun Dec 20 12:26:14 UTC 2015
On 20/12/15 10:28, Gordon Messmer wrote:
> On 12/19/2015 09:49 AM, Alice Wonder wrote:
>>
>> With third party repositories the key and configuration file is often
>> distributed separately. That's the potential attack vector for trojan
>> keys.
>
> Examples?
>
> All of the notable repositories that I'm aware of publish an
> x-release.rpm that installs their key and yum repo file. But if your
> concern is that users might manually install a repo file and public key,
> then I don't see how modifying yum would change that. The attacker would
> probably include a key that contains an address they control and
> validates properly against it.
>
> In other words, I think the solution to the problem is simply to make
> sure that the repositories publish their "release" rpm over https and
> that documentation reflects the secure URL. I notice now that EPEL
> links directly to the https URL for their release rpm, but their FAQ
> still provides a command-line example for installation using an http URL.
>
> The FAQ should be updated. That method is a potential security problem
> because it doesn't use https and doesn't check the package signature.
> But the solution is simply to replace http with https in the FAQ. yum
> isn't used to install the release package, and I think the solution is
> to make sure that malicious release packages don't get installed, not to
> try to behave well on a system where an attacker already installed
> malicious data.
>
Unless I'm mistaken RPM in el5 does not support the https protocol.
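The thread's recommendation (fetch the vendor's release rpm over https and check its package signature instead of trusting a plain-http download) can be scripted, and the one pitfall worth showing is that `rpm -K` prints "OK" for an unsigned package as well, because the digest check alone passes. The following is an added example, not code from the thread or from any repository's tooling; it assumes `curl` and `rpm` are installed, that the vendor's public key has already been imported with `rpm --import`, and that the hypothetical URL passed in points at an x-release.rpm. Because rpm on el5 cannot fetch https itself, the download is done by curl and rpm only sees the local file.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Assumes curl and rpm are
# present and that the vendor's signing key was imported beforehand.

# Accept only https:// URLs so the release rpm cannot be swapped in transit.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-https URL: $1" >&2; return 1 ;;
    esac
}

# Judge one line of `rpm -K` (rpm --checksig) output.
# rpm reports "OK" for an unsigned package too (digests alone pass), so a
# trustworthy line must mention a gpg/pgp signature check and must not say
# "NOT OK", "MISSING KEYS" or "NOKEY".
sig_line_ok() {
    line="$1"
    case "$line" in
        *"NOT OK"*|*"MISSING KEYS"*|*NOKEY*) return 1 ;;
    esac
    case "$line" in
        *gpg*OK*|*pgp*OK*|*GPG*OK*) return 0 ;;
        *) return 1 ;;
    esac
}

# Download over https, verify the signature, and only then install.
install_release_rpm() {
    url="$1"
    require_https "$url" || return 1
    tmp="$(mktemp)" || return 1
    if ! curl -fsSL -o "$tmp" "$url"; then
        echo "download failed" >&2; rm -f "$tmp"; return 1
    fi
    out="$(rpm -K "$tmp")"
    echo "$out"
    if sig_line_ok "$out"; then
        rpm -Uvh "$tmp"; rc=$?
    else
        echo "signature check failed, not installing" >&2; rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: sh this_script.sh https://vendor.example/x-release.rpm
if [ "$#" -gt 0 ]; then
    install_release_rpm "$1"
fi
```

Run it with the https URL from the repository's documentation; an http URL is refused before anything is downloaded, and a package whose signature cannot be validated against the imported key is discarded rather than installed.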