On Mon, Jan 12, 2004 at 10:58:02AM -0600, Ryan Underwood wrote:
> I've often questioned the security of adding 3rd-party sites to my
> sources.list that are required for various non-free or other packages
> that aren't in Debian yet. Basically, I am putting the security of my
> system at the mercy of however secure their system happens to be, by
> allowing them to run arbitrary code as root on my system.

This is entirely correct.

Maybe if you're not using them too often and have the time/patience/skill the best thing to do is to download the sources only and rebuild the packages.

> Would it be a good idea to add a flag to an apt source somehow, that
> would be passed along to dpkg, to prevent any maintainer scripts from
> being run and prevent any executables being made setuid? This way, the
> user would be able to pick and choose what sites he trusts, rather than
> hoping on every apt-get update/upgrade that none of his 3rd-party
> sources have been rooted recently.

I had a similar thought before, running the install scripts as a dedicated user. I soon gave up as nearly arbitrary actions are legitimate in the post-install scripts, anything from adding a new user to changing file permissions. This makes it hard to write policies, etc.

My solution was simply to scan for setuid/setgid files after the install had finished using the hooks provided and the file list in /var/lib/dpkg/info/$foo.list. (It's entirely possible that a malicious package could modify this file before I read it of course).

I had planned to update the code to scan for new listening sockets at the same time but I didn't get round to it.

> There is no reason that most 3rd-party packages need to run maintainer
> scripts since the packages tend not to be very complex. Why give an
> attacker another easy vector?

I guess the tradeoff is the ease of using a premade package vs the trust of an arbitrary party.

> Note that I ignore trojaned binaries/libraries. The reason is that,
> without setuid, you would have to purposefully run these as root,
> hopefully knowing the consequences for doing so; there are warnings
> everywhere that you should not run untrusted code as root. Maintainer
> scripts, OTOH, are run with full root privileges nearly invisibly to the
> typical user and as a part of software installation. So simply
> installing software, not even running it, from a compromised source
> could get your machine rooted.

What about an evil script modifying an existing setuid binary? For example /bin/login? To prevent against this type of attack you need aide/tripwire/etc.

> I'm curious if anyone else has had any ideas for taking some of the
> implicit trust out of software installation from non-Debian sources.

My approach applies to all package installations - as I tend to only use my own backports..!

Steve
--
Edinburgh System Administrator : Linux, UNIX, Windows
Looking for an interesting job : http://www.steve.org.uk/
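The post-install setuid/setgid scan Steve describes, written out as an added example (not his script or any Debian tool): it reads a package's dpkg file list, reports regular files carrying the setuid or setgid bit, and returns non-zero so a hook can flag the install. The function name and the sample list are my own; hooking it in via apt's DPkg::Post-Invoke is one assumed way to run it.

```shell
#!/bin/sh
# Added example: scan the files a just-installed package wrote for setuid/setgid bits.
# Input: the package's dpkg file list, normally /var/lib/dpkg/info/$pkg.list
#        (one path per line). Output: "MODE PATH" for each setuid/setgid regular file.
# Exit status: 1 if any such file was found, 0 otherwise (so a hook can act on it).
#
# One way to run it after every apt operation (assumption, adjust the path):
#   apt.conf:  DPkg::Post-Invoke { "/usr/local/sbin/scan_setid.sh /var/lib/dpkg/info/foo.list"; };

scan_setid_list() {
    listfile=$1
    found=0

    [ -r "$listfile" ] || { echo "cannot read list file: $listfile" >&2; return 2; }

    while IFS= read -r path; do
        # Skip blank lines.
        [ -n "$path" ] || continue
        # Only regular files matter, and only the file itself, not a symlink's target:
        # a package may ship a symlink to an already-setuid binary outside its own list.
        [ ! -L "$path" ] || continue
        [ -f "$path" ] || continue
        # -u / -g are POSIX test(1) operators for the setuid / setgid bits.
        if [ -u "$path" ] || [ -g "$path" ]; then
            # ls -ld gives the mode string as the first field on any POSIX system.
            mode=$(ls -ld "$path" | cut -d' ' -f1)
            printf '%s %s\n' "$mode" "$path"
            found=1
        fi
    done < "$listfile"

    [ "$found" -eq 0 ]
}

# Stand-alone use: scan_setid.sh /var/lib/dpkg/info/<package>.list
if [ -n "$1" ]; then
    scan_setid_list "$1"
fi
```

As the mail notes, this inherits two limits: the .list file comes from the package itself and can be tampered with, and a maintainer script that modifies an existing setuid binary such as /bin/login is invisible to it, which is what a file-integrity tool like aide or tripwire is for.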