[Solved] Opkg local unsigned package install

Hello,
It seems that opkg lets you install a locally downloaded ipk without checking the signature. Signature checking seems to be provided only when you install/upgrade from a remote site. In terms of security, if I have root access and an sftp server running, I can install just about anything. I think the same situation applies to kernel modules.

Is my analysis correct? If so, how can the security issue be avoided?

Thanks in advance
B/R
Fabio

Is my analysis correct?

Yes

If so, how can the security issue be avoided?

Do not allow root access. Bypassing opkg-imposed restrictions would be trivial (e.g. wget -O - http://example.org/package.ipk | tar -Oxzf - ./data.tar.gz | tar -C / -tz)
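For an operator who does want a guard against installing the wrong local file by mistake (which is all such a guard can be, given the reply above: anyone with root can simply skip it), the following is an added example and not opkg's own code. It reproduces, for a local .ipk, the check opkg applies to remote downloads: look up the file's SHA256sum in the feed's Packages index and refuse to proceed unless the hash of the file on disk matches. It assumes the Packages index has already been verified against its usign signature (Packages.sig) as opkg does for remote feeds; that step is not shown. The index entries, package files and hashes below are constructed for the demo, not taken from a real feed.

```shell
#!/bin/sh
# Added example, not part of opkg: verify a locally downloaded .ipk against the
# SHA256sum recorded in a (previously signature-checked) Packages index before
# handing it to "opkg install". Assumes sha256sum, awk and mktemp are available.
set -u

# Print the SHA256sum listed for FILENAME in INDEX; return 1 if it is not listed.
# Packages indexes are blank-line separated stanzas with "Filename:" and
# "SHA256sum:" fields, so we remember both and emit on stanza end (or EOF).
index_sha256() {
    index="$1"; fname="$2"
    awk -v want="$fname" '
        /^Filename: /  { f = $2 }
        /^SHA256sum: / { s = $2 }
        /^$/           { if (f == want && s != "") { print s; found = 1 } f = ""; s = "" }
        END            { if (!found && f == want && s != "") { print s; found = 1 }
                         exit (found ? 0 : 1) }
    ' "$index"
}

# Return 0 only when IPK is listed in INDEX and its on-disk hash matches.
verify_local_ipk() {
    index="$1"; ipk="$2"
    expected=$(index_sha256 "$index" "$(basename "$ipk")") || {
        echo "refusing: $(basename "$ipk") is not listed in $index" >&2
        return 1
    }
    actual=$(sha256sum "$ipk" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "refusing: hash mismatch for $ipk" >&2
        echo "  index records $expected" >&2
        echo "  file hashes   $actual" >&2
        return 1
    fi
    echo "ok: $ipk matches the index; safe to run: opkg install $ipk"
    return 0
}

# --- constructed demo data (not a real OpenWrt feed) ---
# Creates a temp dir with two fake packages and an index. The "bad" stanza
# records the hash of the original content while the file on disk was altered,
# which is exactly the case a hash check must catch.
demo_setup() {
    DEMO=$(mktemp -d)
    printf 'hello from a fake package\n' > "$DEMO/good_1.0-1_all.ipk"
    printf 'tampered contents\n'         > "$DEMO/bad_1.0-1_all.ipk"
    good_sum=$(sha256sum "$DEMO/good_1.0-1_all.ipk" | awk '{print $1}')
    cat > "$DEMO/Packages" <<EOF
Package: good
Version: 1.0-1
Filename: good_1.0-1_all.ipk
SHA256sum: $good_sum

Package: bad
Version: 1.0-1
Filename: bad_1.0-1_all.ipk
SHA256sum: $good_sum
EOF
}

# Stand-alone demo: one accepted, one rejected for hash mismatch, one unlisted.
demo_setup
verify_local_ipk "$DEMO/Packages" "$DEMO/good_1.0-1_all.ipk"
verify_local_ipk "$DEMO/Packages" "$DEMO/bad_1.0-1_all.ipk" || true
verify_local_ipk "$DEMO/Packages" "$DEMO/unlisted_1.0-1_all.ipk" || true
rm -rf "$DEMO"
```

In practice you would point `verify_local_ipk` at the Packages index of the feed the .ipk came from, after checking that index's usign signature, and only call `opkg install` on success. The check is deliberately fail-closed: a file that is not in the index at all is refused, not just one whose hash differs.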

Thanks for your prompt reply.