Guarding against evil software installation scripts?
At the moment my system has 876 packages installed. They were all
installed by root. Each package gets a chance to run an arbitrary
shell script as root, so it seems to me that there must have been much
more than 876 opportunities for my system to get utterly destroyed by
absolute strangers. So far, none of them decided to do me in. It's
surprising it all works so well.
This leads to some questions:
1. Have there been problems with people submitting malicious packages,
or packages that were so buggy they might as well have been malicious?
If so, what happened?
2. Are there any ideas about how to tighten this up a bit? Here are
some vague ideas:
2a. I can vaguely imagine something where many packages run their
installation scripts under a user id unique to that package, so the
installation script is therefore unable to arbitrarily destroy
everything.
2b. It might be possible to do it with only one special user id for
package installs, where a root process chowns everything owned by
the package after the install script is complete, and chowns it
back before an uninstall script runs. You'd need a separate
database that lists which files got chowned so you'll know to chown
them back later.
2c. Perhaps something like XFS access lists could be used (if everyone
were running XFS) or SELinux or LIDS (where did the .deb for LIDS go,
by the way?). I have no experience with any of these, so this may be
nonsense.
I don't see a clear path to doing this the "right" way, where chaos is
prevented by something more substantial than a social convention.
I have to admit that the social convention is working very well at the
moment, though.
--
Tim Freeman
tim@fungible.com
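A prototype of idea 2b above, written as an added example for this thread (it is not code from the poster, from dpkg or from Debian). It runs a package's install script as an unprivileged user, then lets a privileged driver diff the target tree, hand the touched files over, and record them in a separate ledger so ownership can be handed back before the remove script runs. The user name "pkginstall", the ledger file format and the postinst script are all constructed for the demo; the chown step is injectable so the whole thing can run without root (the demo records the chown calls instead of performing them).

```python
"""Idea 2b from the post: install scripts run as a dedicated unprivileged
user; root only diffs the tree afterwards, chowns what the script touched,
and keeps a ledger so it can chown the files back before the remove script.
Added example, not Debian or dpkg code."""
from __future__ import annotations

import json
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Optional

INSTALL_USER = "pkginstall"  # assumed dedicated uid for running maintainer scripts

Snapshot = dict  # relative path -> (inode, mtime_ns)


def snapshot(root: Path) -> Snapshot:
    """Record inode and mtime of everything under root so we can diff later."""
    return {str(p.relative_to(root)): (p.lstat().st_ino, p.lstat().st_mtime_ns)
            for p in root.rglob("*")}


def run_install_script(script: Path, root: Path, as_user: Optional[str]) -> int:
    """Run the script with cwd=root. With root privileges, as_user=INSTALL_USER
    makes subprocess drop to that uid (Python 3.9+); as_user=None keeps the
    current uid, which is what the unprivileged demo below does."""
    kwargs = {"user": as_user} if as_user else {}
    env = {"PATH": "/usr/bin:/bin", "DESTDIR": str(root)}
    return subprocess.run(["/bin/sh", str(script)], cwd=root, env=env, **kwargs).returncode


def _load(ledger: Path) -> dict:
    return json.loads(ledger.read_text()) if ledger.exists() else {}


def install(pkg: str, script: Path, root: Path, ledger: Path,
            chown: Callable = os.chown, as_user: Optional[str] = None,
            owner=(0, 0)) -> list[str]:
    """Privileged driver: snapshot, run the script unprivileged, diff,
    chown every touched path to `owner` and write the list to the ledger."""
    before = snapshot(root)
    rc = run_install_script(script, root, as_user)
    if rc != 0:
        raise RuntimeError(f"{pkg}: install script exited {rc}")
    after = snapshot(root)
    touched = sorted(p for p, sig in after.items() if before.get(p) != sig)
    for rel in touched:  # hand the files over; the script never ran as root
        chown(root / rel, *owner)
    db = _load(ledger)
    db[pkg] = touched
    ledger.write_text(json.dumps(db))
    return touched


def prepare_removal(pkg: str, root: Path, ledger: Path, install_uid: int,
                    install_gid: int, chown: Callable = os.chown) -> list[str]:
    """Before the remove script runs: chown the recorded files back to the
    install user and drop the package from the ledger."""
    db = _load(ledger)
    touched = db.pop(pkg, [])
    for rel in touched:
        if (root / rel).exists():
            chown(root / rel, install_uid, install_gid)
    ledger.write_text(json.dumps(db))
    return touched


def demo():
    """Constructed end-to-end run in a temp dir with a recording chown."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        root = tmp / "root"
        root.mkdir()
        (root / "existing").write_text("untouched file from another package\n")
        calls = []

        def record_chown(path, uid, gid):  # stands in for os.chown
            calls.append((str(Path(path).relative_to(root)), uid, gid))

        script = tmp / "postinst.sh"  # constructed maintainer script
        script.write_text("#!/bin/sh\nset -e\nmkdir -p usr/bin\n"
                          "echo 'echo hello' > usr/bin/hello\n"
                          "echo conf > hello.conf\n")
        ledger = tmp / "ledger.json"
        touched = install("hello", script, root, ledger, chown=record_chown)
        removed = prepare_removal("hello", root, ledger, 4242, 4242, chown=record_chown)
        return touched, removed, _load(ledger), calls


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the part of 2b the post glosses over: the diff also lists shared directories such as usr and usr/bin, and handing those back to the install user on removal would let the next install script of any package write into paths other packages own. A real implementation has to keep directories shared by several packages under root and only revert ownership of paths the ledger attributes to exactly one package.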