
Re: Q: Best Practices for 3rd party APT sources for security considerations?



On Fri, Jan 23, 2015 at 6:42 AM, Stephen Dowdy wrote:
> SUMMARY:
>     Q: Can a registered 3rd party repo spoof critical packages (e.g.
> libc6) and have them installed on apt 'upgrade' operations?

Yes.

>     Q: What are the best ways (configuration) to help manage 3rd party
> repos to constrain their capabilities?

Set up a dpkg excludes configuration to prevent installation of cron
jobs, systemd units, init scripts and so on.

Set up some apt pinning to only allow certain packages from the
3rd-party repo. This may not work in the case of a malicious
repository; one would have to do some testing first. If that doesn't
work then you'll need new apt configuration options for this.

Implement an option in apt/dpkg to disable maintainer scripts for
repos that don't need them or shouldn't be trusted to have them.

> Is it possible for a 3rd party repository/source added in
> /etc/apt/sources.list.d/ to compromise a system by spoofing a new
> (higher) version of a critical package, such as 'libc6'?

Yes, of course. The package name does not matter btw, any untrusted
Debian package can compromise your system. Don't install untrusted
software on your systems.


Personally, right now I would do this:

Create a new reprepro-based repository with the 3rd-party repository
as an upstream that only pulls in whitelisted packages.

Verify each update to the reprepro-based repository doesn't contain
any issues you care about, modify the .deb files if so. You will need
to check the install/upgrade/remove scripts in the .deb as well as any
installed files for things like cron jobs, systemd units, init scripts
and so on.

Update your systems from the reprepro-based repository as per normal.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
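
The per-update check described in the message above (maintainer scripts plus installed cron jobs, systemd units and init scripts) can be automated before a package is admitted to the local mirror. The following is an added example, not part of the original post or of any Debian tool; the function names, the `RISKY` prefix list and the sample package are assumptions constructed for illustration.

```python
import io, posixpath, tarfile

# Maintainer scripts run as root on install/upgrade/remove.
SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}
# Path prefixes (assumed list, extend as needed) that give persistent execution.
RISKY = ("etc/cron", "var/spool/cron/", "etc/init.d/", "etc/systemd/",
         "lib/systemd/", "usr/lib/systemd/")

def ar_members(blob):
    """Yield (name, data) for each member of the ar archive a .deb consists of."""
    if blob[:8] != b"!<arch>\n":
        raise ValueError("not an ar archive")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        size = int(hdr[48:58].decode().strip())
        yield hdr[:16].decode().strip().rstrip("/"), blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)  # members are padded to even offsets

def tar_names(data):
    # "r:*" handles gz/bz2/xz; other compressions raise ReadError (fail closed).
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        return [posixpath.normpath(m.name) for m in tf if not m.isdir()]

def audit_deb(blob):
    # Returns sorted findings for one .deb passed as bytes.
    out = []
    for name, data in ar_members(blob):
        if name.startswith("control.tar"):
            out += ["maintainer script: " + n for n in tar_names(data) if n in SCRIPTS]
        elif name.startswith("data.tar"):
            out += ["installs: /" + n for n in tar_names(data) if n.startswith(RISKY)]
    return sorted(out)

def build_sample_deb():
    """Constructed sample package (not a real .deb from any repository)."""
    def tgz(files):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            for path, body in files.items():
                info = tarfile.TarInfo("./" + path)
                info.size = len(body)
                tf.addfile(info, io.BytesIO(body))
        return buf.getvalue()
    def ar(name, data):
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n"
        return hdr.encode() + data + (b"\n" if len(data) & 1 else b"")
    ctl = tgz({"control": b"Package: demo\n", "postinst": b"#!/bin/sh\n"})
    dat = tgz({"usr/bin/demo": b"x", "etc/cron.d/demo": b"* * * * * root demo\n"})
    return b"!<arch>\n" + ar("debian-binary", b"2.0\n") + ar("control.tar.gz", ctl) + ar("data.tar.gz", dat)
```

A non-empty result from `audit_deb` means the package needs manual review of the listed scripts and files before it goes into the whitelisted mirror.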

