Hacker News new | ask | show | jobs
by drdexebtjl 4 hours ago
This sounds like a prime new vector for malware, ironically.
2 comments
scott_w 3 hours ago
My understanding is probably not: the hooks are configured locally, not by other packages automatically, so you’d install and setup the pre-install hooks yourself to check the packages before install/update.

Can it be exploited? Yes, anything can. But that’s not a reason to not do this if the overall result is better.

link
self_awareness 3 hours ago
And how a malware can use this if it's configured globally in a root:root owned config file?
link
drdexebtjl 2 hours ago
Not all package managers require root.

But yeah, maybe through an exploit with a narrow reach. Once in, the malware can veto security updates and escalate to full control.

link
self_awareness 2 hours ago
With root, malware can reach out to UEFI anyway, and can do whatever it likes.
link