#279 closed defect (invalid)
Howto for developers spreads unclear information
Reported by: | ak120 | Owned by: | |
---|---|---|---|
Priority: | critical | Milestone: | |
Component: | rpm | Version: | 1.0 |
Severity: | low | Keywords: | RPM CONFIG.SYS security |
Cc: |
Description
Starting with: "General hint
Some rpm's might change your config.sys. So after all is installed we recommend to reboot the system."
Could it be transfered to comprehensible language at least. Does it mean that the might of rpm modifies also a read-only CONFIG.SYS file at the system boot volume? In this case it would be a major security hole.
Change History (4)
comment:1 by , 7 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:2 by , 7 years ago
Local Security ("Lokale Sicherheit") to my knowledge shipped only with LAN Server based products. OS/2 Warp 4 based clients don't have any "OS/2 local security package" included. Perhaps our operators missed something. But I checked twice before posting here. So where can I find information about the mapping of domain user permissions and ACLs for implementing RPM distribution?
comment:3 by , 7 years ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
Summary: | Howto for developers spreads wrong information → Howto for developers spreads unclear information |
comment:4 by , 7 years ago
Resolution: | → invalid |
---|---|
Status: | reopened → closed |
What I refer here is Security/2 (c) 2002-2005 by nickk
which is unrelated to and independent from LAN Server. I have v 0.4.5 and it works great. Please note again that this information has nothing to do with RPM and I only provide it to help you out with your completely unrelated problem as a courtesy. Please appreciate that and don't reopen tickets that are marked as invalid.
Starting with a good joke: "A major security hole is usually a laying between the chair and the keyboard".
To put it seriously, in the OS/2 world the read only attribute is not a security measure (and has never been such). It's only a flag optionally regarded by some software to prevent unexpected file modifications in user data files. RPM/YUM is not such a software and CONFIG.SYS is not a user data file.
Hint: if you want real protection, install the OS/2 local security package that blocks unauthorized file access on the kernel level. In this case, only RPM/YUM run with the administrator privileges will be able to modify CONFIG.SYS. Note though that such a configuration is not officially supported by us at the moment so no guarantee we will fix or assist with problems it might bring. Thanks for understanding.