Let us review your logic, OK?
First you stated and asked:
"How do you install RPMs without being root? The only documentation I've found suggests that before installing an RPM, review all the scripts, review all the files, etc, etc but that in the end, it must be installed as root. I tried installing an RPM as a restricted user in FC3 and ran into many roadblocks, eventually giving up. At least some MSIs can be installed in Windows without administrative permission but I've currently been unable to find a similar solution for RPMs on FC3 and SuSE."

I replied that you must have the root password as you seem to know.

Then said:
"As the administrator of my computer system, I can install an application that I'm not too sure about by logging in under a restricted account in Windows. If the installer ends up being a trojan, it can't do too much damage. The ability to install apps with "plain old user rights" is a good thing from an administrator point of view.

In the end, an installation program is nothing more than an executable that puts files on the hard drive and updates a database. I don't see why it is okay that Linux allows me to run all executables/scripts as a restricted user except installation scripts like RPMs. It seems like a perfect way of using social engineering to trick a user into running anything I want them to as root. If they are used to installing all RPMs as root, they won't mind running the FREE DANCING ELVES.rpm as root either. Once they've done that, their machine is mine. I can mess with their firewall, install back door servers, etc.

What's even more dangerous is that my default SuSE installation asks me if I want to use YaST to install .rpm links when I click on them in Konqueror. If I say yes, I must supply my root password (since you say I can't use a restricted account) and *poof*, an rpm trojan has taken over my Linux machine. I haven't gone to the command line and I haven't typed chmod +x. When Joe Sixpack starts using Linux, and standard operating procedure is to type his root password every time he installs a new .rpm, he won't blink twice just because the .rpm is called FREE DANCING ELVES.rpm."

I agreed with some of that, or if I was unclear, let me say that a Linux user could be victim to social engineering just as a Windows user could. My perspective is one who has worked in Apple/UNIX/Windows environments. So yes, Joe Sixbucket could be tricked in any environment assuming they know root or admin passwords and/or have equivalent privilege. However, you become a bit shrill since you seem to think this is something new or unusual, it can happen in any environment as you have discovered. Plain end users in every environment I have been privileged to be associated with have never let plain old user install much of anything. Security is granular so we can have users with different levels of privilege in any environment. It is my understanding that a properly configured system in a tight Windows environment would not allow registry edits, i.e. adding or deleting applications for example, so your claim to add apps as a "plain old user" does not ring true for the experiences I have had. However, what you say does ring true for home users. See how there are 2 sides to this? Isn't it a fascinating challenge?

You then state
"Since you can easily take away the ability of restricted users to run MSIs (through security policies) but you can't easily give restricted users the ability to install RPMs, Windows does seem to be the more flexible of the two OSs in this one aspect."

I agree with you, Windows is more flexible but sometimes that flexibility comes with a less secure model of security. It is a trade off and different people of good will can disagree and both can have successful, productive systems. So we do agree I think on this point 100%. See, I am not a knee jerk anti-MS guy. I like MS SQL and have been slagged for it repeatedly. But I know how to secure it, run it and have had excellent results. I have had a fairly positive experience with XP as well. I hate Exchange with a passion, I managed some Exchange environments and found the product to be a lot less than advertised. And if you peruse some of my other posts in this and other forums I think you find that I often point out that not all problems originate with MS. I get slagged for that too. Yes, I love my Linux box but I am a geek like you.

You then said in your rebuttal, which I appreciated and find it refreshing to have a good conversation on these matters:

"By asking how something is done in Linux and being disappointed with the answer, I'm automatically a zealot? This is my biggest problem with the Linux community. Absolutely no mention of any Linux weakness is allowed or you are immediately branded a heretic. I'm not pro-MS or pro-Linux. I use both and have done so on and off for the last 10 years.

BTW, there is no known dancing elves rpm so you better do some research so you won't be laughed out of the bldg.

Where did I say there was one? I didn't. I only mentioned that to drive home the point that if Linux ever gets big enough to attract a lot of computer unsavvy users, this RPM thing is a social engineering hole big enough to drive a Mac truck through (no pun intended wink )."

I agree that I took an unfair position on you, we are both members of the same community. People who try hard to use systems productively no matter what the lineage. Please accept my apology.

I do not agree with what appears to be your position that requiring root for RPMs is bad. In my view, it is always best to be prompted when any piece of software is installed on a system -- be it personal or corporate. It can be inconvenient and I know many users in environments I have been in who hate it. Yes, a person could make an error so your point about social engineering is very well taken. I think that many home users do not fully appreciate how easy it is to screw up a computer. I prefer that we be prompted for app installation despite the inconvenience. Your position appears to be that there is a vulnerability to Linux during installation and that is not an unfair observation. However, the same condition is in Windows, Solaris and OSX as well. Someone could make a bad choice and leave a system open for exploit. How safe is it really for the default 1st user to be Admin or Root? How secure is it for apps to be installed with little or no user intervention via web browser? The Linux distros I have seen even warn you during install and normal operations that running in GUI as root is highly unsafe yet Windows consumer products do not. The MS, Sun and SGI certified training in systems administration I have had the pleasure of attending have always suggested that one should only run as admin/root during app installation and setup -- perhaps that has changed since 2000 but I doubt it.

I respectfully disagree with your position and I wish you well.
Posted by: Sunny Jalolly   Posted on: 03/22/05