| 1 |
there are many files out there that contain critical information about your |
| 2 |
system ... lets look at /etc/shadow |
| 3 |
|
| 4 |
baselayout installs this file, yet it is not listed in CONTENTS for a very |
| 5 |
good reason ... if someone were to run `quickpkg baselayout` and post the |
| 6 |
file somewhere, they could easily have done so without realizing the |
| 7 |
implications. social engineering on irc for example would be trivial to |
| 8 |
accomplish this and say hello to my little root shell. |
| 9 |
|
| 10 |
however, there are certainly cases where the admin fully knows what they're |
| 11 |
doing and they want to create a binary package of their system with these |
| 12 |
sensitive files ... so where to meet in the middle. |
| 13 |
|
| 14 |
mayhaps we need a new function to be run in src_install() to label files |
| 15 |
as "sensitive" ... so baselayout would do: |
| 16 |
esosensitive /etc/{fstab,group,passwd,shadow} |
| 17 |
and then we expand the format of CONTENTS in the vdb: |
| 18 |
priv /etc/fstab <hash> <mtime> |
| 19 |
|
| 20 |
any other potential ideas ? (pretend my idea here isnt the greatest thing |
| 21 |
since Robot Chicken) |
| 22 |
-mike |
Archives