Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
Basically my question is in relation to every package manager. I'm interested to know whether, in package managers like apt-get, rpm etc., there is any network security while downloading any file; if yes, what kind is it, and is it really required in an OS like Linux?
There are security measures, yes, obviously.
All packages in a repository are signed on the server side by a key in an asymmetric manner. That signature is checked by the client (your system) when downloading / installing packages. Only if it can be verified is the package accepted; otherwise an error is thrown. You have certainly seen that already a few times, for example when a repository got updated right whilst you were downloading. Happens. But it is secure in that aspect.
You can very easily verify that yourself: set up your own repository (there are tutorials for that) and import the key. Then replace a package stored there with some other file at the file-system level. Now try to install that file. You will see that it gets rejected because it cannot be verified.
The question of whether that really is required is pretty strange. Why would one not want to secure that process? That would leave you vulnerable, like the process of installing software on MS-Windows based systems!
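To see the mechanism the answer describes in running code, here is an added example (not from the answer, and not apt's or rpm's own code) of the same layering real repositories use: the operator signs only an index, the index carries a SHA-256 of every package file, and the client checks the signature first and the file hash second. Ed25519 stands in for the GPG/RSA keys real repositories use; the package names and contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Repo models the server side of a signed repository: only the index is
// signed, and the index carries the SHA-256 of every package file. This is
// the same layering apt uses (signed Release -> Packages hashes -> .deb).
type Repo struct {
	Packages map[string][]byte // package name -> file content (the ".deb")
	Index    string            // "name sha256hex\n" lines, sorted by name
	Sig      []byte            // Ed25519 signature over Index
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildIndex produces a deterministic index so the signature is reproducible.
func BuildIndex(pkgs map[string][]byte) string {
	names := make([]string, 0, len(pkgs))
	for n := range pkgs {
		names = append(names, n)
	}
	sort.Strings(names)
	var sb strings.Builder
	for _, n := range names {
		fmt.Fprintf(&sb, "%s %s\n", n, sha256Hex(pkgs[n]))
	}
	return sb.String()
}

// Publish is the repository operator signing the index with the private key.
func Publish(priv ed25519.PrivateKey, pkgs map[string][]byte) Repo {
	idx := BuildIndex(pkgs)
	return Repo{Packages: pkgs, Index: idx, Sig: ed25519.Sign(priv, []byte(idx))}
}

// Install is the client: verify the index signature first, then refuse any
// file whose hash differs from what the signed index promised.
func Install(pub ed25519.PublicKey, r Repo, name string) ([]byte, error) {
	if !ed25519.Verify(pub, []byte(r.Index), r.Sig) {
		return nil, errors.New("index signature invalid: package list not trusted")
	}
	want := ""
	for _, line := range strings.Split(strings.TrimSpace(r.Index), "\n") {
		if f := strings.Fields(line); len(f) == 2 && f[0] == name {
			want = f[1]
		}
	}
	if want == "" {
		return nil, fmt.Errorf("%q is not listed in the signed index", name)
	}
	data, ok := r.Packages[name]
	if !ok {
		return nil, fmt.Errorf("%q missing from repository", name)
	}
	if sha256Hex(data) != want {
		return nil, fmt.Errorf("%q: file hash does not match signed index, rejecting", name)
	}
	return data, nil
}

func main() {
	// Constructed sample: a throwaway repository key and two fake packages.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	pkgs := map[string][]byte{
		"hello": []byte("hello_1.0_amd64.deb bytes"),
		"vim":   []byte("vim_9.0_amd64.deb bytes"),
	}
	repo := Publish(priv, pkgs)
	_, err = Install(pub, repo, "hello")
	fmt.Println("genuine package:", err) // <nil>

	// Replace the stored file at the file-system level, as the answer suggests.
	repo.Packages["hello"] = []byte("something else entirely")
	_, err = Install(pub, repo, "hello")
	fmt.Println("swapped file:", err) // rejected: hash does not match the signed index

	// Rewriting the index to cover the swapped file breaks the signature instead.
	repo.Index = BuildIndex(repo.Packages)
	_, err = Install(pub, repo, "hello")
	fmt.Println("edited index:", err) // rejected: index signature invalid
}
```

Swapping the stored file fails the hash check; rewriting the index to cover the swapped file fails the signature check instead, because whoever swapped the file has no copy of the private key. What this does not protect against is the repository key itself being compromised, or the client being tricked into importing the wrong public key, which is why the key has to reach the client through a path you already trust (the installation medium or a keyring package), not over the same download channel.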
Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
I'm about to hand out my root server password to a company for them to fix an issue that I have with mydns.
I'm sure they are all above board (and I will change the root password after they have finished) but I just want to be sure.
I know (well, I think) I can log in after them and execute history to see what they did, but I know if they are dishonest, they can just clear the history. I'm worried in case a rogue employee does something malicious or installs keylogging software (which has happened when my mate let another company manage his VPS).
So is there anything I can do? Does the history command backup somewhere? Can I install a keylogger to verify the commands they execute are not malicious?
Any ideas welcome. Ideally I appreciate I shouldn't give out my root password if I don't trust them. But I am in a very difficult situation and have no choice.
Since you are giving them root access, there is nothing you can do from within the machine that they could not subvert with a rootkit.
Your only way to be sure would be to mount the filesystem in another machine and compare the changes made to the files by comparing with a previously made snapshot/backup.
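An added illustration of the answer's offline-comparison approach (example code, not from the answer): hash every regular file in the trusted backup and in the disk mounted on another machine, then list what was added, removed or modified. The sample trees it builds in a temporary directory are constructed for the demo; the file names only mirror the situation in the question.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"sort"
)

// Snapshot maps a slash-separated path relative to the root to the SHA-256
// of that file's content; only regular files are recorded.
type Snapshot map[string]string

// SnapshotTree hashes every regular file under root. Run it on a rescue host
// with the server's disk mounted read-only: inside the box, a kernel the
// contractor controlled could hide files or hand back fake content.
func SnapshotTree(root string) (Snapshot, error) {
	snap := Snapshot{}
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err
		}
		data, err := os.ReadFile(p) // fine for a demo; stream large files
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p) // p is always under root here
		sum := sha256.Sum256(data)
		snap[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return snap, err
}

// Diff lists what changed between a trusted "before" snapshot and "after".
type Diff struct{ Added, Removed, Modified []string }

func DiffSnapshots(before, after Snapshot) Diff {
	var d Diff
	for p, h := range after {
		if old, ok := before[p]; !ok {
			d.Added = append(d.Added, p)
		} else if old != h {
			d.Modified = append(d.Modified, p)
		}
	}
	for p := range before {
		if _, ok := after[p]; !ok {
			d.Removed = append(d.Removed, p)
		}
	}
	sort.Strings(d.Added)
	sort.Strings(d.Removed)
	sort.Strings(d.Modified)
	return d
}

// BuildDemoTrees writes a constructed "backup" tree and a constructed "disk
// after the visit" tree under dir and returns their paths (demo data only).
func BuildDemoTrees(dir string) (before, after string, err error) {
	write := func(root string, files map[string]string) error {
		for rel, content := range files {
			p := filepath.Join(root, filepath.FromSlash(rel))
			if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
				return err
			}
			if err := os.WriteFile(p, []byte(content), 0o644); err != nil {
				return err
			}
		}
		return nil
	}
	before, after = filepath.Join(dir, "before"), filepath.Join(dir, "after")
	files := map[string]string{
		"etc/mydns.conf":     "listen 53\n",
		"usr/sbin/sshd":      "sshd binary v1",
		"usr/bin/ls":         "ls binary",
		"root/.bash_history": "ls\nvi /etc/mydns.conf\n",
	}
	if err = write(before, files); err != nil {
		return
	}
	files["etc/mydns.conf"] = "listen 53\nfix applied\n" // the edit you expected
	files["usr/sbin/sshd"] = "sshd binary v1 + extra"   // a DNS fix has no reason to touch this
	files["usr/local/lib/unknown.so"] = "new"           // nothing like it in the backup
	delete(files, "root/.bash_history")                 // history wiped, as the question fears
	err = write(after, files)
	return
}

func main() {
	dir, _ := os.MkdirTemp("", "snapdiff")
	defer os.RemoveAll(dir)
	before, after, err := BuildDemoTrees(dir)
	if err != nil {
		panic(err)
	}
	b, _ := SnapshotTree(before)
	a, _ := SnapshotTree(after)
	fmt.Printf("%+v\n", DiffSnapshots(b, a))
}
```

Run the hashing on the clean host against the mounted disk, never on the server itself. The diff is only as good as the backup it is compared against, so the snapshot must predate the hand-over, and content hashes say nothing about files the contractor only read (credentials, database dumps), which is why the root password change the question already plans, and rotating any other secrets stored on the box, still matters even when the diff looks clean.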
Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
I am trying to install jre on gentoo
I use:
emerge virtual/jre
My problem is that this does not work
Resolving ftp.gentoo.mesh-solutions.com... 213.203.218.123
Connecting to ftp.gentoo.mesh-solutions.com|213.203.218.123|:21... failed: Connection timed out.
Retrying.
--14:37:13-- ftp://ftp.gentoo.mesh-solutions.com/gentoo/distfiles/portage-utils-0.1.29.tar.bz2
(try: 2) => `/usr/portage/distfiles/portage-utils-0.1.29.tar.bz2'
Connecting to ftp.gentoo.mesh-solutions.com|213.203.218.123|:21...
In fact the server tries to get some packets from ftp.gentoo.mesh-solutions, but this site seems to be down.
Any other alternative for Gentoo?
Go ahead and download the package manually and put it in /usr/portage/distfiles. Then re-emerge; portage will skip the download step and the install should continue as normal.
That said, usually portage will not be dependent on a single mirror site - it will check several mirrors. To ensure there isn't an issue on your side, run emerge --sync again and look through /etc/make.conf to see if you have the proper settings for retries/number of mirrors/etc.
It's not that unusual for java packages to have requirements to manually download the distfiles due to license issues, but this would normally be stated via emerge -pv and emerge would print a message and exit when run.
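Fetching a distfile by hand sidesteps nothing on the integrity side: portage still compares the file in /usr/portage/distfiles against the digests recorded in the ebuild's Manifest before unpacking it, so a corrupted or tampered download is rejected at emerge time rather than silently used. The added example below (my code, not portage's) shows that check so you can run it yourself on a hand-fetched file; the Manifest line and the three-byte "tarball" are constructed. Go's standard library lacks BLAKE2B, which current Manifests use, so this example only checks SHA256/SHA512 and refuses to pass a file it could not verify at all.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
	"strconv"
	"strings"
)

// DistEntry is one "DIST <file> <size> <ALGO> <hex> [<ALGO> <hex> ...]" line
// from a portage Manifest.
type DistEntry struct {
	File   string
	Size   int64
	Hashes map[string]string // algorithm name -> lowercase hex digest
}

// ParseDistLine parses a DIST line; any other line type is an error.
func ParseDistLine(line string) (DistEntry, error) {
	f := strings.Fields(line)
	if len(f) < 5 || f[0] != "DIST" || len(f)%2 == 0 {
		return DistEntry{}, fmt.Errorf("not a DIST line with algo/hash pairs: %q", line)
	}
	size, err := strconv.ParseInt(f[2], 10, 64)
	if err != nil || size < 0 {
		return DistEntry{}, fmt.Errorf("bad size in %q", line)
	}
	e := DistEntry{File: f[1], Size: size, Hashes: map[string]string{}}
	for i := 3; i+1 < len(f); i += 2 {
		e.Hashes[strings.ToUpper(f[i])] = strings.ToLower(f[i+1])
	}
	return e, nil
}

// hashers maps the Manifest algorithm names this example can check to
// constructors. BLAKE2B is not in Go's standard library, so it is skipped
// here rather than faked.
var hashers = map[string]func() hash.Hash{
	"SHA256": sha256.New,
	"SHA512": sha512.New,
}

// VerifyDistfile checks the size and every digest it knows how to compute;
// it fails closed if it could not check at least one digest.
func VerifyDistfile(e DistEntry, data []byte) error {
	if int64(len(data)) != e.Size {
		return fmt.Errorf("%s: size %d, Manifest says %d", e.File, len(data), e.Size)
	}
	checked := 0
	for algo, want := range e.Hashes {
		newHash, ok := hashers[algo]
		if !ok {
			continue
		}
		h := newHash()
		h.Write(data)
		if got := hex.EncodeToString(h.Sum(nil)); got != want {
			return fmt.Errorf("%s: %s mismatch: got %s, Manifest says %s", e.File, algo, got, want)
		}
		checked++
	}
	if checked == 0 {
		return fmt.Errorf("%s: no verifiable digest (algorithms present: %v)", e.File, e.Hashes)
	}
	return nil
}

// CheckDistfile is what you would run on a hand-fetched tarball before
// dropping it into /usr/portage/distfiles.
func CheckDistfile(manifestLine string, data []byte) error {
	e, err := ParseDistLine(manifestLine)
	if err != nil {
		return err
	}
	return VerifyDistfile(e, data)
}

func main() {
	// Constructed sample: the "tarball" is the three bytes "abc" and the digest
	// is SHA-256("abc"), written in the Manifest's DIST format.
	line := "DIST sample-0.1.tar.bz2 3 SHA256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
	fmt.Println("genuine:", CheckDistfile(line, []byte("abc")))  // <nil>
	fmt.Println("altered:", CheckDistfile(line, []byte("abd")))  // SHA256 mismatch
	fmt.Println("truncated:", CheckDistfile(line, []byte("ab"))) // size mismatch
}
```

The digest you compare against must come from the Manifest in your synced tree, not from the mirror you fetched the tarball from; if the mirror is the thing you distrust, a checksum file served next to the download proves nothing.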
Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
We are developing a website which requires some software to be installed the first time, like Flash Player for YouTube...
But the question is: can we install it without asking the user?
I found this somewhere (link), but I don't want to ask for permission from the user/OS. Just by calling the website, the software should be installed if it is not installed on the particular machine....
Is it possible?
This is not a good question, I know, but we want to develop an in-house website; the website will not go live for remote users. If we need to change any security settings on our systems, we are ready to do so.......
No. It's not possible. Browsers are meant to run in sandboxes to prevent remote execution of arbitrary code. So you will need to ask the user for permissions.
If you are on java world you can use JavaWebStart. Otherwise, you could run a FLASH SCRIPT to provide the extra functionality you need for your WebSite. But since you didn't provide extra information on your issue, it's difficult to give you proper recommendations.
Do you mean installing it as in launching the install without the user having to click an "INSTALL" button, or do you mean installing the software without the user noticing you've done anything at all?
The second is not possible for security reasons.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
I'm developing a game with an online mode, but it's open source (SourceForge) and anyone can download the code, hack any checks and play against the official server with a hacked client.
I've been thinking about EXE file MD5 checking, but anyone can calculate the genuine md5sum and send it to the server, bypassing that runtime check.
Is there any method to assure that the client is not modified? I know I must use server-side checks because everything can be hacked. The other option is not committing some little part of the code and releasing EXE files compiled only on my computer, having all the files, but that goes against SourceForge rules, I think.
As you stated, you need to check everything on the server.
Regardless of whether you release source code (remember Reflector!), you must never trust the client for anything (including its own integrity).
Note, however, that (ideally) you don't need to make cheating impossible; you just need to make it harder to accomplish a task by cheating than it is to accomplish that task legitimately.
Rational people will not cheat to accomplish something if they can do it more easily without cheating.
However, some people will cheat for the challenge of the hack, even if it's harder than doing it normally.
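The answer's advice ("never trust the client for anything, including its own integrity") is easier to apply with something concrete. The following added code (mine, not from the thread) sketches a server that keeps its own copy of player state and checks every reported move against rules it owns: a move that covers more distance than the tick budget allows is refused, a move whose tick does not advance is treated as a replay, and score is awarded from the server's own pickup table while the client's claimed score is ignored. The game rules (one unit per tick, pickup radius of one) are invented for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Player is the server's own record of where a player is and what they have
// scored; the client never gets to overwrite it directly.
type Player struct {
	X, Y     float64
	LastTick int64
	Score    int
}

// Move is what a client sends. ClaimedScore is included only to show that the
// server ignores it: a modified client can put anything there.
type Move struct {
	Player       string
	X, Y         float64
	Tick         int64
	ClaimedScore int
}

// Pickup is a scoring item at a fixed position, owned by the server.
type Pickup struct {
	X, Y  float64
	Taken bool
}

type Server struct {
	MaxSpeed float64 // distance units per tick the game rules allow
	Players  map[string]*Player
	Pickups  []Pickup
}

// ApplyMove validates a client move against server-side state and applies it
// only if it is possible under the rules; the score comes from the server's
// own pickup table, never from the client's claim.
func (s *Server) ApplyMove(m Move) error {
	p, ok := s.Players[m.Player]
	if !ok {
		return errors.New("unknown player")
	}
	if m.Tick <= p.LastTick {
		return fmt.Errorf("stale or replayed move (tick %d <= %d)", m.Tick, p.LastTick)
	}
	dist := math.Hypot(m.X-p.X, m.Y-p.Y)
	if maxDist := s.MaxSpeed * float64(m.Tick-p.LastTick); dist > maxDist {
		return fmt.Errorf("impossible move: %.1f units, limit %.1f", dist, maxDist)
	}
	p.X, p.Y, p.LastTick = m.X, m.Y, m.Tick
	for i := range s.Pickups {
		k := &s.Pickups[i]
		if !k.Taken && math.Hypot(k.X-p.X, k.Y-p.Y) <= 1.0 {
			k.Taken = true
			p.Score++ // m.ClaimedScore is never consulted
		}
	}
	return nil
}

// NewDemoServer sets up a constructed world: one player at the origin, one
// pickup ten units away, a speed limit of one unit per tick.
func NewDemoServer() *Server {
	return &Server{
		MaxSpeed: 1.0,
		Players:  map[string]*Player{"alice": {}},
		Pickups:  []Pickup{{X: 10, Y: 0}},
	}
}

func main() {
	s := NewDemoServer()
	fmt.Println(s.ApplyMove(Move{Player: "alice", X: 5, Tick: 5}))  // <nil>
	fmt.Println(s.ApplyMove(Move{Player: "alice", X: 50, Tick: 6})) // impossible move
	fmt.Println(s.ApplyMove(Move{Player: "alice", X: 10, Tick: 11, ClaimedScore: 999}))
	fmt.Println("server-side score:", s.Players["alice"].Score) // 1, not 999
}
```

The EXE MD5 idea from the question has the same weakness as the ClaimedScore field here: a hash the client sends about itself is just another client claim. Server-side rules like these do not stop a modified client from existing; they make the modifications irrelevant, which is the only property that survives once the source is public.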
Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 2 years ago.
Right now, we're using PGP command line 9.0. Does anybody know if GnuPG will work? It'd be a lot cheaper.
EDIT:
Theoretically, GnuPG/PGP/McAfee eBusiness Server should be able to interoperate. In practice, you pretty much just have to test to see. We did not make GnuPG work with McAfee eBusiness Server.
I've never used McAfee eBusiness Server specifically, but the entire point of GnuPG was to provide Free Software that implemented the OpenPGP spec. Unless McAfee is for some hideously obnoxious reason mandating specific ciphers, there shouldn't be a problem.
Note that if some components are going to be checking a key with PGP, and some with GnuPG, you may want to double-check the interoperability FAQ question for GnuPG, as you may, in fact, have to limit your cipher and compression algorithms or signature versions. That FAQ is discussing a much older version of PGP, so it may actually no longer be an issue.
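To make "limit your cipher and compression algorithms" concrete, here is an added gpg.conf fragment (not from the thread, and not tested against eBusiness Server) using options documented in gpg(1). The algorithm lists are an assumption: take them from what the PGP side actually reports it supports, and confirm the `pgp8` option exists in the GnuPG version you run before relying on it.

```conf
# Added example, not from the thread. Pin what GnuPG uses when it encrypts,
# signs or compresses for a PGP / eBusiness Server peer. The algorithm lists
# below are an assumption; replace them with what your PGP side supports.
personal-cipher-preferences AES256 AES192 AES CAST5 3DES
personal-digest-preferences SHA256 SHA1
personal-compress-preferences ZLIB ZIP Uncompressed
# Make the remaining OpenPGP-vs-PGP defaults match PGP 8 behaviour (see gpg(1)).
pgp8
```

To find out what the other side actually produced, run `gpg --list-packets` on a message or signature it generated: the packet dump names the cipher, compression and signature version used, which tells you directly which of the preferences above need adjusting.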