Hi,

I've often questioned the security of adding 3rd-party sites to my sources.list that are required for various non-free or other packages that aren't in Debian yet. Basically, I am putting the security of my system at the mercy of however secure their system happens to be, by allowing them to run arbitrary code as root on my system.

Would it be a good idea to add a flag to an apt source somehow, that would be passed along to dpkg, to prevent any maintainer scripts from being run and prevent any executables being made setuid? This way, the user would be able to pick and choose what sites he trusts, rather than hoping on every apt-get update/upgrade that none of his 3rd-party sources have been rooted recently. There is no reason that most 3rd-party packages need to run maintainer scripts since the packages tend not to be very complex. Why give an attacker another easy vector?

Note that I ignore trojaned binaries/libraries. The reason is that, without setuid, you would have to purposefully run these as root, hopefully knowing the consequences for doing so; there are warnings everywhere that you should not run untrusted code as root. Maintainer scripts, OTOH, are run with full root privileges nearly invisibly to the typical user and as a part of software installation. So simply installing software, not even running it, from a compromised source could get your machine rooted.

I'm curious if anyone else has had any ideas for taking some of the implicit trust out of software installation from non-Debian sources.

thanks,

-- 
Ryan Underwood, <nemesis@icequake.net>
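The two things the post singles out as the dangerous part of installing a package from a third-party source are the maintainer scripts (preinst/postinst/prerm/postrm in the control archive) and any setuid or setgid files in the data archive. Both can be inspected before dpkg ever runs, because a .deb is just an ar archive holding `debian-binary`, `control.tar.*` and `data.tar.*`. The script below is an added example, not code from the original post or from Debian; it builds two small constructed .deb files in memory (a risky one and a clean one, purely as sample input), then audits each one and reports the maintainer scripts and setuid/setgid entries it finds. The function names (`build_deb`, `audit_deb`, `needs_review`) and the sample package contents are assumptions made for this example.

```python
import io
import tarfile

# Maintainer scripts that dpkg runs as root during install/remove.
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
SETUID_BIT = 0o4000
SETGID_BIT = 0o2000


def _ar_header(name, size):
    # ar member header: name(16) mtime(12) uid(6) gid(6) mode(8) size(10) magic(2) = 60 bytes
    return f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{size:<10}`\n".encode("ascii")


def _make_tar(entries):
    # entries: {member name: (mode bits, content bytes)} -> gzip-compressed tar bytes
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, (mode, content) in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mode = mode  # tarfile stores mode & 0o7777, so setuid/setgid survive
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_deb(control_files, data_files):
    """Build a minimal .deb (ar archive) in memory. Constructed sample input only."""
    members = [
        ("debian-binary", b"2.0\n"),
        ("control.tar.gz", _make_tar({"./" + k: (0o755, v) for k, v in control_files.items()})),
        ("data.tar.gz", _make_tar(data_files)),
    ]
    out = b"!<arch>\n"
    for name, payload in members:
        out += _ar_header(name, len(payload)) + payload
        if len(payload) % 2:  # ar pads odd-sized members with a newline
            out += b"\n"
    return out


def _iter_ar(blob):
    """Yield (member name, payload) for each member of an ar archive."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        name = hdr[:16].decode("ascii").strip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)


def audit_deb(blob):
    """Report maintainer scripts and setuid/setgid files without installing anything."""
    findings = {"maintainer_scripts": [], "setuid_files": [], "setgid_files": []}
    for name, payload in _iter_ar(blob):
        if name.startswith("control.tar"):
            with tarfile.open(fileobj=io.BytesIO(payload), mode="r:*") as tf:
                for m in tf.getmembers():
                    base = m.name.split("/")[-1]
                    if base in MAINTAINER_SCRIPTS:
                        findings["maintainer_scripts"].append(base)
        elif name.startswith("data.tar"):
            with tarfile.open(fileobj=io.BytesIO(payload), mode="r:*") as tf:
                for m in tf.getmembers():
                    if m.mode & SETUID_BIT:
                        findings["setuid_files"].append(m.name)
                    if m.mode & SETGID_BIT:
                        findings["setgid_files"].append(m.name)
    for key in findings:
        findings[key].sort()
    return findings


def needs_review(blob):
    """True if the package would run code as root at install time or ship privileged files."""
    return any(audit_deb(blob).values())


# Constructed sample packages (not real Debian packages).
RISKY_DEB = build_deb(
    {"control": b"Package: demo\nVersion: 1\n", "postinst": b"#!/bin/sh\nexit 0\n"},
    {"./usr/bin/demo": (0o4755, b"#!/bin/sh\n"), "./usr/share/doc/demo/README": (0o644, b"hi\n")},
)
CLEAN_DEB = build_deb(
    {"control": b"Package: demo\nVersion: 1\n"},
    {"./usr/bin/demo": (0o755, b"#!/bin/sh\n")},
)

if __name__ == "__main__":
    for label, deb in (("risky", RISKY_DEB), ("clean", CLEAN_DEB)):
        print(label, audit_deb(deb), "needs review:", needs_review(deb))
```

To audit a downloaded package instead of the constructed samples, pass `open("pkg.deb", "rb").read()` to `audit_deb`. The check is deliberately static: it never unpacks to disk and never invokes dpkg, so a hostile package cannot act during the audit itself. It does not classify binaries as trojaned, matching the scope the post sets out.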