lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <TheMailAgent.1aaf8f712c0ad5d@211a1cc47aa284d93edfd>
Date: Tue, 19 Jul 2005 12:04:17 +0300 (IDT)
From: Alexander Klimov <alserkli@...ox.ru>
Cc: bugtraq@...urityfocus.com
Subject: Re: Installation of software, and security. . .


On Sat, 16 Jul 2005, John Richard Moser wrote:
> Windows installation has two paths:
> [...]
>
> Debian follows a slightly different model consisting of multiple steps:
> [...]
>
> The common factor in each of these methods is that third party code is
> run with privileged access before, during, or after the installation.
> This may be a problem.

There is also a great difference between what you call `third party:'
it is really `third' in Windows case (you and MS are the first and the
second), but in case of Debian most often it is not `third party code'
because it is the code prepared/checked and signed by the second party
(Debian) and so the code is trusted (you have to trust your OS
vendor).

If you get some software from somebody you can not trust then your
best bet is to run it inside some separated environment (as a separate
user, from vmware, etc.)

BTW: some package management systems do ask about executing code, for
example, the pkgadd utility warns you that some scripts must be
executed with super-user permissions.

-- 
Regards,
ASK


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ