Re: [cobalt-users] security risk... is this normal?
- Subject: Re: [cobalt-users] security risk... is this normal?
- From: Greg Hewitt-Long <cobaltusers@xxxxxxxxxxxxxxxxxxx>
- Date: Mon Mar 1 12:32:01 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
At 01:05 PM 3/1/2004, you wrote:
>
> Re-read it and comprehend... the uninstaller SCRIPTS (*.uninst)
> generally have other commands in them APART from rpm -e. THOSE
> commands will be executed AS WELL and any rpm -e commands - THESE
> have the POTENTIAL to remove files you don't want removed - IF the
> permissions of folders and sub-folders are not as you would expect
> them to be.
Do you have any examples?
Do a grep - there are lots of them.
Uninstaller scripts only remove packages installed by RPM, so it is only
rpm -e.
What other DANGEROUS commands do they have? mv, rm?
You give me an example of dangerous command...
> >
> >And that's right, but there's no point in restricting access to
> >uninstallers, cause rpm already cares about it.
>
> I'm not talking about the calls to RPM in the uninstaller scripts -
> those aren't the commands that are a potential worry for me.
And what do you worry about?
I made it clear - obviously you are playing dense on purpose.
>
> >To feel yourself happy, you may restrict rpm access, so no
> > uninstallers will ever try to work.
>
> even if I change RPM's permissions, do I have to change rm and mv as
> well?!?!? That will BREAK the box.
Are your users able to delete system files?
Any user is limited to his home directory, he just can't write anywhere
else.
Unless you have world-writeable directories somewhere, which is already
your bad.
You're impossible. There is a POTENTIAL if someone has messed up
permissions. I never said MY boxes were more susceptible to this than
anyone else's.
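
The check this exchange argues over, as an added example that is not part of the original message: grep *.uninst scripts for rm/mv lines besides rpm -e, list scripts that group or other can modify, and list world-writable directories without the sticky bit. The function names, the directory argument and the sample files are assumptions constructed for illustration; the thread does not say where the scripts live.

```shell
#!/bin/sh
# Added example: audit *.uninst scripts and directory permissions.
# Pass the directory to scan as $1; the thread does not name one.

# Print "file:line:text" for each rm/mv invocation in *.uninst scripts
# under $1. Comment lines are dropped; "rpm -e" lines never match.
list_destructive_cmds() {
    find "$1" -type f -name '*.uninst' -exec \
        grep -HnE '(^|[;&|[:space:]])(/bin/)?(rm|mv)[[:space:]]' {} + 2>/dev/null |
        grep -vE '^[^:]+:[0-9]+:[[:space:]]*#' || true
}

# Print *.uninst scripts that group or other can modify. A script that
# an administrator later runs as root should be writable by root only.
list_writable_scripts() {
    find "$1" -type f -name '*.uninst' \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Print world-writable directories under $1 that lack the sticky bit,
# i.e. places where any local user can delete or replace files.
list_open_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Constructed fixture: one uninstaller that only calls rpm -e, one that
# also runs rm and is mode 666, plus one open and one normal directory.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'rpm -e examplepkg\n' > "$d/clean.uninst"
    printf '# rm old data\nrpm -e examplepkg\nrm -rf /home/sites/example/data\n' \
        > "$d/extra.uninst"
    chmod 644 "$d/clean.uninst"
    chmod 666 "$d/extra.uninst"
    mkdir "$d/open" "$d/closed"
    chmod 777 "$d/open"
    chmod 755 "$d/closed"
    echo "$d"
}

# Run the three checks against the constructed fixture.
sample=$(make_sample)
echo "non-rpm removal commands:"; list_destructive_cmds "$sample"
echo "scripts writable by group/other:"; list_writable_scripts "$sample"
echo "world-writable dirs without sticky bit:"; list_open_dirs "$sample"
rm -rf "$sample"
```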