Re: freshmeat editorial about package management security issues



On Fri, 5 May 2000, jeff covey wrote:

> We're interested in presenting an editorial on freshmeat about
> security issues related to package management systems, and were hoping
> you would have the time to answer a few questions.  If you don't have
> time or if there's someone who would be better able to answer, please
> let me know.

You might want to hear from Wichert too; as well, there was a very
interesting and informative thread on debian-devel about digital
signatures for packages last month.
 
> convenience is bought at the price of trust in the system.  How would
> you answer the following questions?  Do you agree or disagree that the
> concerns they express are valid?  If they are valid and are not
> currently addressed, do you have any ideas about how the problems
> could be fixed?

It depends who is expressing them :> If the 'old timers' use source
packages with signature files and check those signatures then they are
pretty safe. If they audit all the source code they hand compile then they
are pretty safe. But, if they just download random .tar's and compile them
without even looking they are no better off than we are, possibly worse
off.

> * What facilities does your package manager (or a third party add-on,
>   such as autorpm) provide for automatic upgrading of installed
>   packages?

APT! :>

> * Who controls the package archives from which new packages are
>   downloaded?  If it's possible for third party archives to be used,
>   does your package manager warn the user that packages are being
>   downloaded from somewhere other than the official source?

The user has choice here. Our default setup uses our top level 'official' 
mirrors. If third party archives are used they would have to be manually
configured by the user. No special warnings are given for these sources.

> * Does your package manager support digital signatures that can
>   confirm that the package is from the packager it claims to be from
>   and has not been tampered with?

No. This is a very tricky topic given Debian's distributed nature.

> * Are there procedures in place to check for trojans/virii/etc. in the 
>   original source package?

Depending on which maintainer you talk to, yes or no. Some packages are
inspected carefully, some are not.

> * Are there procedures in place to check for trojans/virii/etc. in the 
>   package itself (for example, in the scripts used to install the
>   package)?

I don't think we have an official program for this. People do look
occasionally, I'm sure.

> * If someone were to sneak a trojan into a package, it could spread to 
>   thousands of machines overnight as admins performed automated
>   upgrades on their systems.  If this were to happen, would it be
>   possible for you to prepare a package that would fix the problem on
>   the next dist-upgrade (not everyone reads security bulletins, so not 
>   everyone will be aware that she's been compromised)?

Yes, barring the point below.

> * The answer to the previous question is naturally somewhat dependent
>   on the nature of the trojan.  As a worst case scenario:  Is it
>   possible for someone to insert a trojan into your upgrade stream
>   which would disable your package upgrade system on the client side,
>   making it impossible for you to distribute a fix through the normal
>   method?

Yeap, the packages install with root privilege; a well-written trojan can
do anything.

> * If the answer to the previous question is "yes", do you think it
>   would be beneficial to establish a class of protected packages which 
>   can only be upgraded with packages that come signed by you?

This would not really help prevent the attack above, you can always use
some trivial package to modify the files of an important one.

Jason
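The two checks the questions above circle around are (1) refusing a downloaded package unless something the archive signed vouches for its contents, and (2) noticing when one package's install script, running as root, has rewritten another package's files, which is why Jason says a signed "protected" class of packages would not help on its own. The following is an added example written for this page; it is not Debian, dpkg or APT code. It assumes an HMAC over a Release-style hash manifest as a stand-in for the archive's detached public-key signature, and every package, key, file path and file list in it is constructed inline.

```python
"""Two defender-side checks from the exchange above, in miniature:
 1. refuse a downloaded package unless a signed manifest vouches for it;
 2. re-hash an important package's installed files to catch modification
    by some other package's install script.
Added example, not Debian/dpkg/APT code. The "signature" is an HMAC with a
key only the archive holds, a stand-in (assumption) for a detached
public-key signature; every package, key and file list here is constructed.
"""
import hashlib
import hmac

ARCHIVE_KEY = b"constructed-archive-signing-key"   # constructed; archive-only secret

# Constructed package archives as they would sit on a mirror.
PACKAGES = {
    "important_1.0.deb": b"important package bytes",
    "trivial_0.1.deb": b"trivial package bytes",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(packages: dict) -> str:
    """Release-style manifest: one 'sha256 size filename' line per package."""
    lines = [f"{sha256_hex(data)} {len(data)} {name}"
             for name, data in sorted(packages.items())]
    return "\n".join(lines) + "\n"


def sign_manifest(manifest: str, key: bytes) -> str:
    """Authenticate the manifest text; the archive does this once per release."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def parse_manifest(manifest: str) -> dict:
    """Map filename -> (sha256, size); a malformed line raises ValueError."""
    entries = {}
    for line in manifest.splitlines():
        if not line.strip():
            continue
        digest, size, name = line.split()
        entries[name] = (digest, int(size))
    return entries


def verify_package(name: str, data: bytes, manifest: str,
                   signature: str, key: bytes) -> bool:
    """Accept a package only if the manifest's signature is valid AND the
    package's size and hash match the manifest entry for that filename.
    A mirror (or a third-party archive substituted for it) can serve a
    different .deb or an edited manifest, but cannot produce a valid signature."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False
    entry = parse_manifest(manifest).get(name)
    if entry is None:
        return False
    digest, size = entry
    return len(data) == size and hmac.compare_digest(sha256_hex(data), digest)


def find_tampered(installed: dict, expected_hashes: dict) -> list:
    """debsums-style check: re-hash installed files and list those whose
    content no longer matches the hash recorded at install time. Signing
    only a 'protected' class of packages does not prevent this: any
    package's install script runs as root and can rewrite these files."""
    return sorted(path for path, data in installed.items()
                  if expected_hashes.get(path) != sha256_hex(data))


# Constructed file list for the important package, plus a simulation of a
# trivial package's install script overwriting one of those files.
IMPORTANT_FILES = {
    "/usr/sbin/importantd": b"#!/bin/sh\necho genuine daemon\n",
    "/etc/important.conf": b"listen = 127.0.0.1\n",
}
IMPORTANT_HASHES = {p: sha256_hex(d) for p, d in IMPORTANT_FILES.items()}


def simulate_trivial_postinst(files: dict) -> dict:
    """Constructed: the trivial package's postinst replaces the daemon file."""
    modified = dict(files)
    modified["/usr/sbin/importantd"] = b"#!/bin/sh\necho not the real daemon\n"
    return modified


if __name__ == "__main__":
    manifest = build_manifest(PACKAGES)
    sig = sign_manifest(manifest, ARCHIVE_KEY)
    print("genuine .deb accepted:",
          verify_package("important_1.0.deb", PACKAGES["important_1.0.deb"],
                         manifest, sig, ARCHIVE_KEY))
    print("swapped .deb accepted:",
          verify_package("important_1.0.deb", b"not the real bytes",
                         manifest, sig, ARCHIVE_KEY))
    after = simulate_trivial_postinst(IMPORTANT_FILES)
    print("tampered files:", find_tampered(after, IMPORTANT_HASHES))
```

The first check answers the "third party archive" and "digital signatures" questions together: a client that insists on a valid signature over the manifest does not need to be warned about where the bytes came from, because a substituted mirror cannot produce one. The second check is what would let an administrator detect the scenario in the last answer after the fact; it only works if the recorded hashes are kept somewhere the install scripts cannot also rewrite.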
