[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: PPA security (was: Debian mirrors and MITM)

On May 30, 2014, at 2:41 PM, W. Martin Borgert wrote:

> Quoting Jeremie Marguerie <jeremie@marguerie.org>:
>> Thanks for bringing that issue! I feel the same way when I install a
>> packet from a non-official PPA.
> Unfortunately, every package can do anything: pre-inst, post-inst,
> pre-rm, post-rm run as root. If you don't trust a PPA the same way
> you trust your OS vendor (Debian, Ubuntu or whoever), install only
> in a VM or a container (not sure, whether a docker container is
> considered safe enough, but chroot is not sufficient).
> Alternatively, download the package, unpack it, remove maintainer
> script or check them carefully, check for s-bits on binaries etc.
> repack it and install. I'm probably missing more checks here.
> While it would be nice to have sth. like "less trusted sources" and
> allow their packages only certain kinds of install/de-install
> operations (i.e. no maintainer scripts) etc., it's  hard to get
> right and a broken solution would put users at risk.

This could be approached another way.  There could be scripts in the packaging tools that mark a package if it does not run anything in any of the scripts that does not come from the packaging tools.  I think many many packages would qualify here, most packages do not touch the pre/post scripts, so the ones that are included are generated by debhelper or whatever.

Then you could see whether a package is requesting to run its own scripts as root, and make the call there.  A package that does not add anything to those scripts would be pretty safe to install, at least.


Reply to: