[TriLUG] The sad state of sysadmin in the age of containers

Igor Partola via TriLUG trilug at trilug.org
Fri Mar 13 16:32:46 EDT 2015


I guess I'm not being clear. I am for package signing, yet I believe it
only provides limited protection. It is a good idea, but it's not nearly
enough. We agree on this point.

> dpkg can't do that out of the box. You'd have to misconfigure it.

That is incorrect. dpkg always executes pre- and post-install scripts and
this is on by default. As a simple example, this is how the postgres system
user is created when you install the postgresql-server package. As an
exercise, you can try to create a simple local package, then do `dpkg -i
example.dpkg`.

What I think you are talking about is that apt (not dpkg) is configured to
only download .deb files from trusted sources, and verify signatures on
them against the locally installed public keys of the Debian/Ubuntu/etc.
developers. This is the part that can be (and often is) misconfigured.
Ubuntu, for example, runs https://launchpad.net/ where anyone can host their
own Debian package repositories (PPAs). Ubuntu now even comes with a
command to include these in the apt configuration. This is where you can
easily abuse your system by allowing apt to download packages that have not
been fully vetted.

Igor
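
An added example, not part of the original message: a small audit of the apt source configuration discussed above, flagging Launchpad PPA entries and entries that switch off signature verification. The `trusted=yes` and `allow-insecure=yes` options come from sources.list(5) rather than from this thread, and the function names and sample hosts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag apt one-line source entries that extend trust beyond
# the distribution archive. deb822-style *.sources files are not handled.
# Typical use: audit_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list

audit_sources() {
    # Prints "<finding> <file>:<line> <uri>" for each entry worth reviewing.
    awk '
        /^[ \t]*#/ { next }                        # commented-out entries
        $1 != "deb" && $1 != "deb-src" { next }    # not a source entry
        {
            opts = ""; uri = $2
            if ($2 ~ /^\[/) {                      # option block: [k=v k=v]
                i = 2; opts = $i
                while ($i !~ /\]$/ && i < NF) { i++; opts = opts " " $i }
                uri = $(i + 1)
            }
            # Options that make apt accept a repository without a valid signature.
            if (opts ~ /trusted=yes/ || opts ~ /allow-insecure=yes/)
                print "NO-SIGNATURE-CHECK " FILENAME ":" FNR " " uri
            # Personal package archives hosted on Launchpad.
            if (uri ~ /ppa\.launchpad(content)?\.net/)
                print "PPA " FILENAME ":" FNR " " uri
        }
    ' "$@"
}

make_sample() {
    # Constructed sample sources file; hosts and PPA names are placeholders.
    cat > "$1" <<'EOF'
deb http://archive.ubuntu.com/ubuntu trusty main universe
# deb http://ppa.launchpad.net/old-user/old-ppa/ubuntu trusty main
deb http://ppa.launchpad.net/example-user/example-ppa/ubuntu trusty main
deb [trusted=yes] http://repo.example.invalid/debian stable main
deb [arch=amd64 allow-insecure=yes] http://mirror.example.invalid/apt stable main
EOF
}

if [ "$#" -gt 0 ]; then audit_sources "$@"; fi
```

A PPA finding is not an error in itself; it marks a source whose packages, and the maintainer scripts dpkg runs from them as root, come from outside the distribution's own review.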

