Dude, and I thought I was paranoid :)
Even I trust the Debian sources in /etc/apt/sources.list,
not without the PGP key or MD5, of course.
Just make sure the digital signature and/or MD5 checksum
comes from a trusted source.
Unless, of course, you want to write your own code. :)
-Anne
On Wed, Apr 17, 2002 at 09:52:24PM -0700, Tim Freeman wrote:
> At the moment my system has 876 packages installed. They were all
> installed by root. Each package gets a chance to run an arbitrary
> shell script as root, so it seems to me that there must have been much
> more than 876 opportunities for my system to get utterly destroyed by
> absolute strangers. So far, none of them decided to do me in. It's
> surprising it all works so well.
>
> This leads to some questions:
>
> 1. Have there been problems with people submitting malicious packages,
> or packages that were so buggy they might as well have been malicious?
> If so, what happened?
>
> 2. Are there any ideas about how to tighten this up a bit? Here are
> some vague ideas:
>
> 2a. I can vaguely imagine something where many packages run their
> installation scripts under a user id unique to that package, so the
> installation script is therefore unable to arbitrarily destroy
> everything.
>
> 2b. It might be possible to do it with only one special user id for
> package installs, where a root process chowns everything owned by
> the package after the install script is complete, and chowns it
> back before an uninstall script runs. You'd need a separate
> database that lists which files got chowned so you'll know to chown
> them back later.
>
> 2c. Perhaps something like XFS access lists could be used (if everyone
> were running XFS) or SELinux or LIDS (where did the .deb for LIDS go,
> by the way?) I have no experience with any of these, so this may be
> nonsense.
>
> I don't see a clear path to doing this the "right" way, where chaos is
> prevented by something more substantial than a social convention.
>
> I have to admit that the social convention is working very well at the
> moment, though.
>
> --
> Tim Freeman
> tim@fungible.com
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
--
Anne Carasik, System Administrator
gator@cacr.caltech.edu
Center for Advanced Computing Research
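As an added illustration of the point Anne makes above (a checksum only protects you if it comes from a source you already trust), here is the verification chain an archive mirror gives you: the signed Release file lists a hash for each Packages index, and each Packages index lists a hash for each .deb. This is example code written for this page, not part of the thread and not Debian's own tooling. It assumes the signature on Release has already been checked out of band (for example `gpg --verify Release.gpg Release` against a key you obtained from a trusted source); only after that are the hashes inside Release worth anything. The helper names, the constructed sample archive and the package name `hello` are all made up for the example. MD5 is used because that is what the 2002 thread discusses; the same functions take `field`/`algo` arguments so the SHA256 sections of modern Release and Packages files work the same way.

```python
"""Walk the apt trust chain: Release -> Packages -> .deb.

Hypothetical helper for illustration, not Debian tooling.  The PGP
signature on Release is assumed to have been verified already with gpg
against a trusted key; that step is what anchors everything below.
"""
import hashlib


def parse_release_hashes(release_text, field="MD5Sum"):
    """Return {relative path: (hexdigest, size)} from one hash section
    of a Release file (the lines indented under e.g. 'MD5Sum:')."""
    hashes = {}
    in_section = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            # A non-indented line starts a new field; only the wanted
            # hash section turns collection on.
            in_section = line.rstrip(":") == field
            continue
        if in_section:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def parse_packages(packages_text):
    """Return {package name: {field: value}} from a Packages index."""
    pkgs = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(": ")
            fields[key] = value
        pkgs[fields["Package"]] = fields
    return pkgs


def matches(data, expected_hex, expected_size, algo="md5"):
    """Size and digest must both match; a size check is cheap and
    catches truncation before any hashing happens."""
    if len(data) != expected_size:
        return False
    return hashlib.new(algo, data).hexdigest() == expected_hex


def deb_is_trusted(release_text, packages_text, packages_path, deb_bytes,
                   name, field="MD5Sum", pkg_field="MD5sum", algo="md5"):
    """True iff Packages is the one Release vouches for, and the .deb is
    the one Packages vouches for.  Any break in the chain returns False."""
    release_hashes = parse_release_hashes(release_text, field)
    if packages_path not in release_hashes:
        return False
    digest, size = release_hashes[packages_path]
    if not matches(packages_text.encode(), digest, size, algo):
        return False
    entry = parse_packages(packages_text).get(name)
    if entry is None:
        return False
    return matches(deb_bytes, entry[pkg_field], int(entry["Size"]), algo)


def build_sample():
    """Constructed sample archive (not a real Debian mirror): a fake
    .deb, a Packages index that hashes it, and a Release that hashes
    the Packages index.  Returns (release_text, packages_text, deb)."""
    deb = b"!<arch>\ndebian-binary   fake package body for the example\n"
    packages_text = (
        "Package: hello\n"
        "Version: 1.0-1\n"
        "Filename: pool/main/h/hello/hello_1.0-1_i386.deb\n"
        f"Size: {len(deb)}\n"
        f"MD5sum: {hashlib.md5(deb).hexdigest()}\n"
    )
    packages_bytes = packages_text.encode()
    release_text = (
        "Origin: Example\n"
        "Suite: stable\n"
        "MD5Sum:\n"
        f" {hashlib.md5(packages_bytes).hexdigest()} "
        f"{len(packages_bytes)} main/binary-i386/Packages\n"
    )
    return release_text, packages_text, deb


if __name__ == "__main__":
    rel, pk, deb = build_sample()
    print(deb_is_trusted(rel, pk, "main/binary-i386/Packages", deb, "hello"))
```

The thing to notice is which failures this catches and which it cannot: a tampered .deb, a tampered Packages index, or a package that was never listed all come back False, but a Release file whose signature you never verified (or verified against a key you got from the same untrusted mirror) makes every hash in the chain worthless, which is exactly Anne's "from a trusted source" caveat.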