Re: Why most run Microsoft, not RedHat

Zoltan Boszormenyi wrote:

It's all a matter of programmer-vs.-programmer wars to show who is in
control.

My questions above weren't about war. Again, different POVs.
I tried to give some examples of ease of use vs manual control.

It's about *who* is in control. The *how* is a matter of programming. Is it your machine or the package manager's? What happens when the package manager is compromised?

A1. you have package manager because you want easy installation
and you don't want to wait while the stuff compiles

And after this is in place you add something that theoretically
only you are supposed to be able to control.

A3. because it's easier to have everything have the proper permissions,
let rpm handle it.

and

A2. the packager may consider a file to be so essential that he wants it
immutable. but the upgrade of the package must also work without
manual override, i.e. without clearing immutable flag first.

Ahh, but then that thing you just added to give yourself an extra layer of control doesn't work any more.

You can compare it to the person who thought that the passwd program should only talk directly to a tty and that programs should not be able to use it. That lasted a few months - until another programmer wanted his program to be able to change passwords and wrote 'expect' to do it. A big waste of both people's time...

Agreed, that's unfortunate.

But your POV in the question above is wrong.
The point is to take advantage of something
where available.

Beg your pardon? The point of adding the immutable bit was so the file couldn't be changed by ordinary means. It is, again, a waste of both parties efforts as soon as someone adds the programming to bypass its attempt at control.

But you already have it - you can use chattr from shell scripts or manually.
But chattr works only as root and you can only run rpm -[iU] as root
successfully anyway.
Hm. You can use chattr in pre and post scriptlets in rpm today. :-)
But rpmv won't tell you whether the fs-special flags were set
by rpm or by someone else.

Yes, just like the passwd/expect example. If there is a possible way to circumvent your special-exception case, there wasn't much sense it adding it in the first place - it just makes everything harder without serving its original purpose.

I can certainly remember if I set this flag myself (e.g. have it documented)
or ask the collegues. If no one authorized has set it (like it was in the case of
the intrusion) then I would expect that rpm were able to replace
a package with --force, even if some files have the immutable flag set.
(Or similar in case of other FSes than ext2/3/4.)

Back to the programmer-vs.-programmer. If rpm does this, the rootkits will just supply a modified rpm program that only pretends to do it but doesn't really replace the trojan files.

--
Les Mikesell
lesmikesell@xxxxxxxxx

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Relevant Pages

  • [opensuse] a second GNOME damage after update
    ... Surprisingly this package is displayed as to be not installed although gnome-control-center and gnome-settings-daemon always worked until yesterday. ... Unfortunately YaST rejects the installation of this package because it ... Even if a new package requires a second version of an already installed package rpm should ensure that these two versions can coexist. ... I am desperately looking for a way to install "control center2". ...
    (SuSE)
  • Re: [opensuse] a second GNOME damage after update
    ... The package was renamed in 11.0. ... Unfortunately YaST rejects the installation of this package because it ... package rpm should ensure that these two versions can coexist. ... I am desperately looking for a way to install "control center2". ...
    (SuSE)
  • Re: Why most run Microsoft, not RedHat
    ... although rpm complained that it cannot replace ... What's the point of setting the immutable flag on a binary, ... file that might - and eventually will - be replaced if you upgrade its package? ... But chattr works only as root and you can only run rpm -as root ...
    (Fedora)
  • Re: Alsa Mixer Madness
    ... on my DVD and install that over the bad update version which is Volume ... Control 2.16.1 and so I looked and found the package ... You want to play with the RPM that I ...
    (Fedora)
  • [PATCH 1/2] kbuil: add deb-pkg target
    ... # To prepare kbuild for more kernel packaging formats move all packaging ... # In top-level Makefile introduce generic support for all package ... Included the old rpm target for backward ... # and builddeb scripts. ...
    (Linux-Kernel)