[maemo-users] Re: Bricked a third time

From: James Sparenberg james at linuxrebel.org
Date: Wed Feb 14 04:01:32 EET 2007
On Tuesday 13 February 2007 07:56:13 Aniello Del Sorbo wrote:
> Frantisek Dufka wrote:
> > Aniello Del Sorbo wrote:
> >> I mean, if my apps need to be called as "helloworld" and it looks at a
> >> conf file called "helloworld.conf", why I have to copy the executable
> >> in /usr/bin and the conf file in /etc while I can just copy it to
> >> /usr/local/bin (owned or writable by 'user') and the conf file in
> >> /usr/local/etc  ? (just to give an example) and add /usr/local/bin to
> >> the path?
> >
> > Yes it was similar except /usr/local was /var/lib/install. And it was
> > done in such way that no package could ever put file outside of
> > /var/lib/install (the only way that gives you some additional security
> > you probably want).
> >
> > So you had 2 classes of packages (system ones in / and user ones in
> > /var/lib/install) which made system more complex and prevented you from
> > making 'system' packages i.e. ones which modifies or extends the system
> > in interesting way.
> >
> > Frantisek
> I do not want that either.
> I am not saying we should run dpkg in a chrooted environment.
> I am only saying we should run it with the -x (I think) option that
> points to something like /usr/local where user can write. In this case
> there would be no need to gain root privileges unless the .deb is a
> system package (and the system could ask for a password, a la Mac OS X).
> As it is now, and as I understand it, every .deb can brick my device if
> it has been built from a malicious user.

A couple of sides: to write to /usr/local requires root privileges on Debian
systems.  As for the brick part, if I'm malicious I can brick it either way
just by doing, oh ...

touch /usr/local/bin/file
yes > /usr/local/bin/file

That alone would eventually fill up the single partition and whack the box...


> --
> anidel
> _______________________________________________
> maemo-users mailing list
> maemo-users at maemo.org
> https://maemo.org/mailman/listinfo/maemo-users
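
The confinement Frantisek describes (no package able to put a file outside /var/lib/install) can be checked against a package's file payload before anything is unpacked. The following is an added example, not code from the thread or from maemo: it assumes the payload is already available as a tar archive, does a lexical check of entry names and symlink targets only, and uses hypothetical function names and a constructed sample payload.

```python
import io
import posixpath
import tarfile

INSTALL_ROOT = "/var/lib/install"  # user-package root named in the thread


def _land(root, base_dir, path):
    if path.startswith("/"):  # absolute paths ignore the root (no chroot)
        return posixpath.normpath(path)
    return posixpath.normpath(posixpath.join(root, base_dir, path))


def _inside(root, path):
    return path == root or path.startswith(root + "/")


def escaping_members(tar_bytes, root=INSTALL_ROOT):
    """Return (name, reason) for each payload entry that would leave `root`."""
    bad, links = [], set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            dest = _land(root, "", m.name)
            if not _inside(root, dest):
                bad.append((m.name, "path outside root"))
            elif any(dest.startswith(l + "/") for l in links):
                bad.append((m.name, "path goes through a packaged symlink"))
            elif m.issym():
                target = _land(root, posixpath.dirname(m.name), m.linkname)
                if not _inside(root, target):
                    bad.append((m.name, "symlink target outside root"))
                links.add(dest)
    return bad


def build_sample():
    """Constructed payload: two well-behaved entries, three that escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, kind, link in [
            ("./bin/helloworld", tarfile.REGTYPE, ""),
            ("./etc/helloworld.conf", tarfile.REGTYPE, ""),
            ("../../../etc/passwd", tarfile.REGTYPE, ""),
            ("./lib/up", tarfile.SYMTYPE, "../../../../etc"),
            ("./lib/up/motd", tarfile.REGTYPE, ""),
        ]:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = kind, link
            tar.addfile(info)
    return buf.getvalue()
```

This covers the file payload only: maintainer scripts in a .deb run with the installer's privileges, and a path check says nothing about how much data a package writes.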
