On Mon, Jan 12, 2004 at 07:18:07PM +0000, Steve Kemp wrote:
> 
> > Note that I ignore trojaned binaries/libraries.  The reason is that,
> > without setuid, you would have to purposefully run these as root,
> > hopefully knowing the consequences for doing so; there are warnings
> > everywhere that you should not run untrusted code as root.  Maintainer
> > scripts, OTOH, are run with full root privileges nearly invisibly to the
> > typical user and as a part of software installation.  So simply
> > installing software, not even running it, from a compromised source
> > could get your machine rooted.
> 
> What about an evil script modifying an existing setuid binary?  For
> example /bin/login?
> 
> To prevent against this type of attack you need aide/tripwire/etc.

Hmm, along this line, what about forcing package installations to only
install binary/library files somewhere else, like /usr/local, or maybe a
/usr/untrusted.  Or, can dpkg be given an alternate root altogether for
installation?

Something just makes me cringe when I see suggestions all over the web of
"Debian users, just put <random wonky site> into your /etc/apt/sources.list
and apt-get install foo to install this software".  Sure, maybe it's ok
*now*, but what about 6 months later when you've forgotten all about it and
you apt-get upgrade, and the site had been trojaned in the meantime?  I
mean, yeah, adding another apt source is super easy and lets all the
dependencies be tracked automatically, but I'm not sure if the risks are
laid out clearly enough to the user.  Unfortunately, this is the best method
in terms of convenience; otherwise the user has to download a bunch of .debs
individually, hope they are matched, and dpkg -i *.deb which is considerably
less convenient.

Actually, it might be better if apt-get could use a source from the command
line, instead of Dir::Etc::SourceList.

# apt-get --source "deb http://....." update
# apt-get --source "deb http://....." install foobar-client libfoo foobard

Then that suggestion could be made by non-Debian package maintainers,
instead of the (IMHO dangerous) suggestion of adding something to
sources.list.  We could even put a little box in synaptic "Install From
Non-Debian Location" in which to paste the source line and the packages to
install.  That way the packages are installed now because you trust the site
now, and you don't have to worry about the site being trojaned behind your
back when you upgrade later.

I think this is the method that should be suggested to new users;
experienced people who know what sites they trust should also know how to
add something to their sources.list for automatic upgrade tracking.

thoughts?

-- 
Ryan Underwood, <nemesis@icequake.net>
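The one-shot install the message asks for can already be approximated with the option it names: apt-get accepts -o Dir::Etc::SourceList=<file> on the command line, so a wrapper can point one update/install run at a throwaway sources.list and never touch /etc/apt/sources.list. The following is an added example and not code from the original message or from apt itself; the function name apt_oneshot and the APT_GET and APT_SOURCES variables are this example's own assumptions (they exist so it can be exercised with a stub), and the deb line and package names in the usage comment are constructed placeholders.

```shell
# Added example, not code from the original post. A one-shot apt source that
# is never written into /etc/apt/sources.list: instead of the proposed
# --source flag it uses apt's existing Dir::Etc::SourceList override on a
# throwaway file, so a later "apt-get upgrade" never sees the site again.
#
# Usage: apt_oneshot "deb http://example.invalid/debian ./" foobar-client libfoo
#
# APT_GET and APT_SOURCES are assumptions of this example (they let a stub
# stand in for apt-get and /etc/apt/sources.list); they are not apt settings.

apt_oneshot() {
    if [ $# -lt 2 ]; then
        echo "usage: apt_oneshot '<deb line>' package..." >&2
        return 2
    fi
    src=$1
    shift
    apt=${APT_GET:-apt-get}
    base=${APT_SOURCES:-/etc/apt/sources.list}

    tmp=$(mktemp) || return 1
    # Keep the regular mirrors so dependencies still resolve from them,
    # then append the untrusted line for this run only.
    cat "$base" > "$tmp" 2>/dev/null || :
    printf '%s\n' "$src" >> "$tmp"

    # Both the update and the install read the throwaway list; the real
    # sources.list is never modified, so nothing lingers for the next upgrade.
    rc=0
    $apt -o "Dir::Etc::SourceList=$tmp" update \
        && $apt -o "Dir::Etc::SourceList=$tmp" install "$@" \
        || rc=$?
    rm -f "$tmp"
    return $rc
}
```

Two caveats a practitioner should keep in mind. First, this only removes the "trojaned six months later" exposure: the packages fetched now still run their maintainer scripts as root, exactly the concern quoted at the top of the thread, so it is no substitute for deciding whether the site is trustworthy today. Second, the index files fetched from the one-off line sit in /var/lib/apt/lists until the next ordinary apt-get update cleans them out, which is harmless but worth knowing when reading that directory.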