Re: better apt security with 3rd-party sites
On Mon, Jan 12, 2004 at 10:58:02AM -0600, Ryan Underwood wrote:
> I've often questioned the security of adding 3rd-party sites to my
> sources.list that are required for various non-free or other packages
> that aren't in Debian yet. Basically, I am putting the security of my
> system at the mercy of however secure their system happens to be, by
> allowing them to run arbitrary code as root on my system.
This is entirely correct. Maybe, if you're not using them too often
and have the time/patience/skill, the best thing to do is to download
the sources only and rebuild the packages.
> Would it be a good idea to add a flag to an apt source somehow, that
> would be passed along to dpkg, to prevent any maintainer scripts from
> being run and prevent any executables being made setuid? This way, the
> user would be able to pick and choose what sites he trusts, rather than
> hoping on every apt-get update/upgrade that none of his 3rd-party
> sources have been rooted recently.
I had a similar thought before: running the install scripts as a
dedicated user. I soon gave up, as nearly arbitrary actions are
legitimate in the post-install scripts, anything from adding a new
user to changing file permissions.
This makes it hard to write policies, etc.
My solution was simply to scan for setuid/setgid files after the
install had finished, using the hooks provided and the file list in
/var/lib/dpkg/info/$foo.list. (It's entirely possible, of course, that
a truly malicious package could modify this file before I read it.)
I had planned to update the code to scan for new listening sockets
at the same time but I didn't get round to it.
> There is no reason that most 3rd-party packages need to run maintainer
> scripts since the packages tend not to be very complex. Why give an
> attacker another easy vector?
I guess the tradeoff is the ease of using a premade package vs the
trust of an arbitrary party.
> Note that I ignore trojaned binaries/libraries. The reason is that,
> without setuid, you would have to purposefully run these as root,
> hopefully knowing the consequences for doing so; there are warnings
> everywhere that you should not run untrusted code as root. Maintainer
> scripts, OTOH, are run with full root privileges nearly invisibly to the
> typical user and as a part of software installation. So simply
> installing software, not even running it, from a compromised source
> could get your machine rooted.
What about an evil script modifying an existing setuid binary? For
example /bin/login?
To protect against this type of attack you need aide/tripwire/etc.
> I'm curious if anyone else has had any ideas for taking some of the
> implicit trust out of software installation from non-Debian sources.
My approach applies to all package installations - as I tend to
only use my own backports!
Steve
--
Edinburgh System Administrator : Linux, UNIX, Windows
Looking for an interesting job : http://www.steve.org.uk/
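The post-install scan Steve describes, as an added example that is not part of the original thread and not his own script: it checks a dpkg-style file list for setuid/setgid binaries, and, to cover the caveat he raises (a malicious postinst editing the .list before it is read), also takes a whole-tree snapshot before the install and reports anything setuid/setgid that appeared afterwards, whether the list mentions it or not. The listening-socket check he planned is sketched the same way. The apt hook wiring, the script path and the sample package tree are assumptions.

```shell
#!/bin/sh
# Added example, not Steve's script: a post-install setuid/setgid scan
# of the kind described in the mail above. The apt hook wiring
# (DPkg::Post-Invoke) and the sample tree are assumptions.
#
# Wire it in with a line such as this in /etc/apt/apt.conf.d/99setuid-scan
# (assumed path) so apt runs the script after every dpkg run:
#   DPkg::Post-Invoke { "/usr/local/sbin/setuid-scan"; };
# Post-Invoke passes no package names, so the hook should use the
# baseline comparison; the per-package list check is for hand use.

# 1. Per-package check: print the setuid/setgid regular files among the
#    paths in a dpkg-style list (e.g. /var/lib/dpkg/info/PKG.list).
#    Caveat from the mail: a malicious postinst can edit that list
#    before we read it, so this alone is not enough.
setuid_in_list() {
    while IFS= read -r path; do
        [ -e "$path" ] || continue
        # -prune stops find descending when the entry is a directory;
        # -type f drops symlinks, so a link to a setuid file is not reported.
        find "$path" -prune -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null || true
    done < "$1"
}

# 2. Whole-tree check that does not trust the package's own file list:
#    snapshot every setuid/setgid regular file under DIR, sorted so that
#    two snapshots can be compared with comm(1).
setuid_snapshot() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# Print setuid/setgid files present now under DIR ($2) but absent from
# BASELINE ($1), a file written by setuid_snapshot before the install.
setuid_new() {
    setuid_snapshot "$2" | LC_ALL=C comm -13 "$1" -
}

# 3. The listening-socket check the mail mentions as planned work:
#    the same snapshot/compare idea applied to ss(8) output (not run below).
listen_snapshot() {
    ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | LC_ALL=C sort
}

# Constructed sample tree standing in for a freshly installed package:
# one ordinary binary, one setuid binary, one setgid binary, plus a
# dpkg-style .list covering them. Prints the tree's path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/usr/sbin"
    for f in usr/bin/ordinary usr/bin/become-root usr/sbin/group-tool; do
        printf '#!/bin/sh\n' > "$d/$f"
    done
    chmod 0755 "$d/usr/bin/ordinary"
    chmod 4755 "$d/usr/bin/become-root"
    chmod 2755 "$d/usr/sbin/group-tool"
    printf '%s\n' "$d/usr" "$d/usr/bin" "$d/usr/bin/ordinary" \
        "$d/usr/bin/become-root" "$d/usr/sbin" "$d/usr/sbin/group-tool" \
        > "$d/pkg.list"
    printf '%s\n' "$d"
}

# Demo run on the constructed tree.
tree=$(make_sample_tree)
echo "setuid/setgid files named in the package list:"
setuid_in_list "$tree/pkg.list"
setuid_snapshot "$tree" > "$tree/baseline"
# Simulate a postinst dropping a setuid binary that the .list never mentions.
printf '#!/bin/sh\n' > "$tree/usr/bin/dropped-in"
chmod 4755 "$tree/usr/bin/dropped-in"
echo "new setuid/setgid files since the baseline:"
setuid_new "$tree/baseline" "$tree"
rm -rf "$tree"
```

On a real system the baseline would be taken over / (the -xdev keeps the scan on one filesystem, so add a snapshot per mounted filesystem of interest) and stored somewhere the package cannot write; the per-package list check stays useful as a quick manual look at one package. Neither catches a postinst rewriting an existing setuid binary such as /bin/login, which is the case where aide/tripwire-style checksums are needed, as the mail says.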