
Re: PPA security (was: Debian mirrors and MITM)

On May 30, 2014, at 2:41 PM, W. Martin Borgert wrote:

> Quoting Jeremie Marguerie <jeremie@marguerie.org>:
>> Thanks for bringing that issue! I feel the same way when I install a
>> packet from a non-official PPA.
> 
> Unfortunately, every package can do anything: pre-inst, post-inst,
> pre-rm, post-rm run as root. If you don't trust a PPA the same way
> you trust your OS vendor (Debian, Ubuntu or whoever), install only
> in a VM or a container (not sure, whether a docker container is
> considered safe enough, but chroot is not sufficient).
> 
> Alternatively, download the package, unpack it, remove maintainer
> script or check them carefully, check for s-bits on binaries etc.
> repack it and install. I'm probably missing more checks here.
> 
> While it would be nice to have sth. like "less trusted sources" and
> allow their packages only certain kinds of install/de-install
> operations (i.e. no maintainer scripts) etc., it's hard to get
> right and a broken solution would put users at risk.

This could be approached another way.  There could be scripts in the packaging tools that mark a package if it does not run anything in any of the scripts that does not come from the packaging tools.  I think many many packages would qualify here, most packages do not touch the pre/post scripts, so the ones that are included are generated by debhelper or whatever.

Then you could see whether a package is requesting to run its own scripts as root, and make the call there.  A package that does not add anything to those scripts would be pretty safe to install, at least.

.hc
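The manual inspection W. Martin Borgert describes (unpack the package, read the maintainer scripts, look for set-id bits) and the marking hc proposes (flag packages whose maintainer scripts contain nothing beyond what debhelper generated) can both be scripted against an unpacked package. The following is an added example written for this page, not code from the thread or from any Debian tool. It assumes the package has already been unpacked with `dpkg-deb --raw-extract pkg.deb unpacked/`, and it relies on the `# Automatically added by dh_...` / `# End automatically added section` markers that debhelper writes around the snippets it inserts; anything outside those markers (other than the shebang, comments, blank lines and `set -e`) is treated as hand-written code that will run as root.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): inspect an unpacked .deb
# before deciding whether to trust its maintainer scripts.
# Produce the directory with:  dpkg-deb --raw-extract pkg.deb unpacked/
# Assumption: debhelper delimits the snippets it inserts with the markers
#   "# Automatically added by dh_<tool>/<version>"
#   "# End automatically added section"

# Print the lines of one maintainer script that were NOT generated by
# debhelper, ignoring the shebang, blank lines, comments and "set -e".
hand_written_lines() {
    awk '
        /^# Automatically added by /          { in_dh = 1; next }
        /^# End automatically added section/ { in_dh = 0; next }
        in_dh                                { next }
        /^#!/                                { next }
        /^[[:space:]]*(#|$)/                 { next }
        /^[[:space:]]*set -e[[:space:]]*$/   { next }
        { print }
    ' "$1"
}

# Return 0 when every maintainer script under DIR/DEBIAN consists only of
# debhelper-generated sections (or there are no maintainer scripts at all),
# 1 when at least one script carries hand-written commands.
maintainer_scripts_are_generated() {
    dir=$1
    status=0
    for name in preinst postinst prerm postrm; do
        script="$dir/DEBIAN/$name"
        [ -f "$script" ] || continue
        if [ -n "$(hand_written_lines "$script")" ]; then
            echo "$name: hand-written commands present" >&2
            status=1
        fi
    done
    return $status
}

# List payload files carrying the setuid or setgid bit, one path per line
# (the DEBIAN control directory is skipped; it holds no installed files).
setid_files() {
    find "$1" -path "$1/DEBIAN" -prune -o -type f \
        \( -perm -4000 -o -perm -2000 \) -print
}

# Usage: inspect_unpacked_deb unpacked/
inspect_unpacked_deb() {
    if maintainer_scripts_are_generated "$1"; then
        echo "maintainer scripts: debhelper-generated only"
    else
        echo "maintainer scripts: contain hand-written code, review them"
    fi
    setid=$(setid_files "$1")
    if [ -n "$setid" ]; then
        echo "set-id binaries found:"
        printf '%s\n' "$setid"
    else
        echo "no set-id binaries"
    fi
}
```

The check is deliberately conservative: a script that merely wraps a debhelper snippet in its own `if` block, or that carries a `#DEBHELPER#` placeholder left unexpanded, is reported as hand-written and left for the human reader to judge. It does not establish that a package is harmless (the payload itself, cron entries, systemd units and triggers all run code too); it only reproduces the one signal hc suggests surfacing: whether the package asks to run code of its own as root during install or removal.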
