#13
Originally Posted by Amboss
I think I know where you're heading.

Patchmanager modifies files which I can check afterwards to be in place and doing what it was meant for. Checking can happen even in an environment like recovery shell.

Prepatch is injected in file system calls. You say yourself "be sure to turn off this patch or that" to actually copy the correct file. So if you want to be sure a patch does not contain malicious parts, you have to check that either before installing, or it has to happen in recovery shell where the prepatch is not loaded. Otherwise you can't be sure while prepatch is active. Because if someone wants to add malicious code, he just needs to also cover any file requests regarding his files with something innocent using the same architecture.
I see your point and it's a very valid concern, but isn't that the case with essentially everything you install from an untrusted source?

Any rpm you install could also set up a rootkit on your device while it's installing which makes sure that you can't notice it unless you're in recovery, even without prepatch.

I don't see any way to prevent rpms from doing evil things (as they're being installed with a tool that I don't have any control over) but that's the same way with the original patchmanager.

If I ever add something like the pm2-webstore, I'll make sure that users have to explicitly enable the patches after installing them so that they can check out the content, but for now I don't see the point in creating something that would be trivial to bypass in the rpm postinstall script.

Last edited by jakibaki; 2018-03-12 at 23:26.
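
The point about the rpm postinstall script, as an added example that is not part of the original post or of patchmanager/prepatch: a shell function that summarizes which scriptlets an rpm declares, from the text printed by `rpm -qp --scripts`, so each one can be read before the package is installed. The function name `summarize_scriptlets` and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list the install-time scriptlets an rpm declares.
# Input on stdin is the text printed by `rpm -qp --scripts <file.rpm>`.
# Output is one line per scriptlet: "<name> <number of non-empty body lines>".

summarize_scriptlets() {
    awk '
        # Header lines look like "postinstall scriptlet (using /bin/sh):"
        # or, for a scriptlet with no body, "postinstall program: /sbin/ldconfig".
        /^[a-z]+ (scriptlet \(using [^)]*\):|program: )/ {
            if (name != "") printf "%s %d\n", name, n
            name = $1; n = 0
            next
        }
        # Every other non-empty line belongs to the current scriptlet body.
        name != "" && NF > 0 { n++ }
        END { if (name != "") printf "%s %d\n", name, n }
    '
}

# Constructed sample of `rpm -qp --scripts` output (hypothetical package).
SAMPLE='preinstall scriptlet (using /bin/sh):
systemctl stop example.service || true

postinstall scriptlet (using /bin/sh):
cp /usr/share/example/patch.qml /usr/share/example/active.qml
chmod 644 /usr/share/example/active.qml
systemctl start example.service
postuninstall program: /sbin/ldconfig'

printf '%s\n' "$SAMPLE" | summarize_scriptlets
```

With a real package file, the input would come from `rpm -qp --scripts package.rpm | summarize_scriptlets`, run before installation.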
 
