Hi!

On Sun, 2009-04-12 at 11:29:38 +0200, Holger Levsen wrote:
> package: dpkg
> severity: wishlist
> tags: security
> version: 1.14.25
>
> during a discussion about how to compromise the security of a Debian system I
> noticed that /var/log/dpkg.log just logs the version number of the packages
> installed, thus one can inject an on-the-fly-modified .deb with the same
> version number (provided the user ignores an apt authentication warning),
> which does harmful things and cleans up after itself with no trace on the
> machine, even if /var/log/dpkg.log is stored securely, i.e. with capabilities.
>
> Please add an option to log the sha1sum of installed binary packages
> in /var/log/dpkg.log.

I agree with what Raphaël has already said, and don't see much point in adding this in the log file.

I guess you could probably store the log file on a remote box exported via NFS or something similar, which would not expose the ext2 attributes, but that seems a pretty convoluted way of protecting the system, when the package will have had plenty of time to mess at will with the local system, by installing rootkits or whatever, but then I'd not expect this kind of user to ignore those apt warnings.

I think a proper solution for this wish is signed binary packages, but then it will also fail if the user ignores the warnings, which I don't think we should be caring about.

So we should either just close this or merge with the rest of bugs related to deb signing.

regards,
guillem