Re: PPA security (was: Debian mirrors and MITM)
- To: W. Martin Borgert <email@example.com>
- Cc: firstname.lastname@example.org
- Subject: Re: PPA security (was: Debian mirrors and MITM)
- From: Hans-Christoph Steiner <email@example.com>
- Date: Thu, 3 Jul 2014 10:46:27 -0400
- Message-id: <9145DA3F-12D4-42FC-80A3-2B918E510E31@at.or.at>
- In-reply-to: <20140530204120.Horde.zO1CETEdnp5Glvdc16AYxw5@webmail.in-berlin.de>
- References: <1401455611.6597.123286253.5D5A44D8@webmail.messagingengine.com> <firstname.lastname@example.org> <email@example.com> <1401456637.10889.123292765.031DBFDA@webmail.messagingengine.com> <F8CB8B56-FBF3-471D-9C06-94F03F05ED63@vianet.ca> <1401457832.14998.123299485.589AA83E@webmail.messagingengine.com> <20140530141153.GB29891@mathom.us> <1401460379.27062.123315561.30584D1D@webmail.messagingengine.com> <firstname.lastname@example.org> <1401461172.30245.123322097.6B61A862@webmail.messagingengine.com> <email@example.com> <firstname.lastname@example.org> <CAKS89Grgnv6YJ2QakyDUxXRK97kA6RHwsFbH2dEXU81EBM+BZw@mail.gmail.com> <20140530204120.Horde.zO1CETEdnp5Glvdc16AYxw5@webmail.in-berlin.de>
On May 30, 2014, at 2:41 PM, W. Martin Borgert wrote:
> Quoting Jeremie Marguerie <email@example.com>:
>> Thanks for bringing that issue! I feel the same way when I install a
>> package from a non-official PPA.
> Unfortunately, every package can do anything: pre-inst, post-inst,
> pre-rm, post-rm run as root. If you don't trust a PPA the same way
> you trust your OS vendor (Debian, Ubuntu or whoever), install only
> in a VM or a container (not sure whether a docker container is
> considered safe enough, but chroot is not sufficient).
> Alternatively, download the package, unpack it, remove the maintainer
> scripts or check them carefully, check for s-bits on binaries etc.,
> repack it and install. I'm probably missing more checks here.
> While it would be nice to have something like "less trusted sources" and
> allow their packages only certain kinds of install/de-install
> operations (i.e. no maintainer scripts) etc., it's hard to get
> right and a broken solution would put users at risk.
This could be approached another way. There could be scripts in the packaging tools that mark a package if it does not run anything in any of the scripts that does not come from the packaging tools. I think many, many packages would qualify here; most packages do not touch the pre/post scripts, so the ones that are included are generated by debhelper or whatever.
Then you could see whether a package is requesting to run its own scripts as root, and make the call there. A package that does not add anything to those scripts would be pretty safe to install, at least.
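As an added illustration (not code from this thread or from Debian's packaging tools), the following Python script implements the two checks the messages above describe: it opens a .deb, strips the sections that debhelper marks with its "Automatically added by dh_..." / "End automatically added section" comments, reports any maintainer-script lines that remain, and lists setuid/setgid files in the payload. The sample package is constructed in memory; the snippet inside it is modelled on a dh_installinit stanza but is not copied from any real package. A package whose report says `trusted_scripts_only` is the one the proposal would mark as running nothing of its own as root.

```python
import io
import re
import tarfile

MAINT_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# debhelper brackets every snippet it injects with these two marker comments.
DH_BEGIN = re.compile(r"^# Automatically added by dh_\S+")
DH_END = re.compile(r"^# End automatically added section")


def read_ar(blob: bytes) -> dict:
    """Parse the ar(1) container of a .deb into {member name: bytes}."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive")
    pos, members = 8, {}
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header")
        name = hdr[:16].decode().rstrip(" /")   # GNU ar ends names with '/'
        size = int(hdr[48:58])
        members[name] = blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)          # members are 2-byte aligned
    return members


def hand_written_lines(script: str) -> list:
    """Lines of a maintainer script that debhelper did not generate."""
    kept, in_dh = [], False
    for line in script.splitlines():
        if DH_BEGIN.match(line):
            in_dh = True
        elif DH_END.match(line):
            in_dh = False
        elif not in_dh:
            s = line.strip()
            # shebang, comments, blanks and the customary 'set -e' carry no logic
            if s and not s.startswith("#") and s != "set -e":
                kept.append(line)
    return kept


def inspect_deb(blob: bytes) -> dict:
    """Report hand-written maintainer-script lines and setuid/setgid payload files."""
    members = read_ar(blob)
    report = {"custom_scripts": {}, "setuid_files": []}
    with tarfile.open(fileobj=io.BytesIO(members["control.tar.gz"]), mode="r:gz") as ctrl:
        for m in ctrl.getmembers():
            base = m.name.lstrip("./")
            if m.isfile() and base in MAINT_SCRIPTS:
                custom = hand_written_lines(ctrl.extractfile(m).read().decode())
                if custom:
                    report["custom_scripts"][base] = custom
    with tarfile.open(fileobj=io.BytesIO(members["data.tar.gz"]), mode="r:gz") as data:
        for m in data.getmembers():
            if m.isfile() and m.mode & 0o6000:
                report["setuid_files"].append((m.name, oct(m.mode)))
    report["trusted_scripts_only"] = not report["custom_scripts"]
    return report


# --- constructed sample package (nothing below reads a real .deb) ------------
def _tar_gz(files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, (mode, content) in files.items():
            info = tarfile.TarInfo(name=path)
            info.size, info.mode = len(content), mode
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def _ar(members: list) -> bytes:
    out = bytearray(b"!<arch>\n")
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
        out += data + (b"\n" if len(data) & 1 else b"")
    return bytes(out)


# Modelled on a dh_installinit snippet; constructed for this example.
DH_ONLY_POSTINST = """#!/bin/sh
set -e
# Automatically added by dh_installinit/11.1.6
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ]; then
    update-rc.d example defaults >/dev/null
fi
# End automatically added section
"""
# Same script plus one hand-written line the packager added (constructed).
CUSTOM_POSTINST = DH_ONLY_POSTINST + "adduser --system --quiet --home /var/lib/example example\n"


def build_sample_deb(postinst: str, helper_mode: int) -> bytes:
    control = _tar_gz({
        "./control": (0o644, b"Package: example\nVersion: 1.0\nArchitecture: all\n"),
        "./postinst": (0o755, postinst.encode()),
    })
    data = _tar_gz({"./usr/bin/example-helper": (helper_mode, b"#!/bin/sh\nexit 0\n")})
    return _ar([("debian-binary", b"2.0\n"), ("control.tar.gz", control), ("data.tar.gz", data)])


if __name__ == "__main__":
    print("dh-only:      ", inspect_deb(build_sample_deb(DH_ONLY_POSTINST, 0o755)))
    print("custom+setuid:", inspect_deb(build_sample_deb(CUSTOM_POSTINST, 0o4755)))
```

The marker comments are the only thing the classifier relies on, so a script that reimplements a debhelper snippet by hand is reported as custom, which is the conservative outcome: anything not provably generated is shown to the person deciding whether to install.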