On Wed, Apr 7, 2021 at 11:37 PM Gordon Tetlow via freebsd-security <freebsd-security@freebsd.org> wrote:
> <snip>
> > Can it be ethically acceptable to put users at risk, for example by
> > intentionally (?) not setting any limits to what extent installer
> > scripts are allowed to collect sensitive user and system data and
> > disclose them to interested third parties?
>
> This is an interesting point. Unfortunately, the technology we have gives
> unfettered access to the system. I'm having a hard time thinking how we could
> achieve the goal of installing software (which in our model requires root
> privileges) while also limiting what it is allowed to do on said system. I'm
> not aware of any other package system (rpm, deb, etc) that has technical
> limits on pre/post installation scripts. If you are aware of any examples,
> I'd love to see it to see if there is something we can incorporate. Patches,
> as always, are welcome to improve the system.

For what it's worth, there is some "prior art" in other package management
systems for various levels of technical restrictions:

* Gentoo's Portage uses a library called "Sandbox"[1], which uses the
  LD_PRELOAD mechanism to put itself "first in line", and it intercepts
  various lower level calls that way to mitigate risk.

* Exherbo's Exheres packaging format (derived from Gentoo's) has its own
  sandboxing mechanisms[2] which are pretty broad in scope; I think under
  the hood it's using sydbox[3], which says it's using ptrace and seccomp to
  implement it (so it may be more resilient than an LD_PRELOAD approach).

* Debian's FakeRoot[4], which seems to use a similar mechanism (LD_PRELOAD
  based as well), but I think this is only applied during the binary package
  building.

* InstallWatch[5] for RPM; seems like this isn't as maintained, so I can't
  find as many details, but again, I think this is only used during binary
  package builds.

That said, I think all these just help protect against accidental missteps,
not malicious intent. There's obviously a lot of implicit trust when you're
running someone else's software.
[1] https://wiki.gentoo.org/wiki/Sandbox_(Portage)
[2] https://exherbo.org/docs/eapi/exheres-for-smarties.html#sandboxing
[3] https://github.com/sydbox/sydbox-1
[4] https://wiki.debian.org/FakeRoot
[5] https://asic-linux.com.mx/~izto/checkinstall/installwatch.html

-- 
Mike Kelly
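As an added illustration of the LD_PRELOAD approach the thread attributes to Gentoo's Sandbox (this is example code written for this page, not Portage's sandbox library, and not part of the original message), here is a minimal shim that interposes open()/openat(), never blocks reads, and allows write opens only under directories listed in an environment variable. The names SANDBOX_WRITE and sandbox_path_allowed are chosen for this example; the file is written against Linux/glibc, and reaching the real syscall through syscall() rather than dlsym(RTLD_NEXT) is assumed to carry over to FreeBSD.

```c
/* preload_sandbox.c -- example LD_PRELOAD write-restriction shim (written for
 * this page; not Gentoo's Sandbox).  Build as a shared object and preload it:
 *   cc -shared -fPIC -o preload_sandbox.so preload_sandbox.c
 *   SANDBOX_WRITE=/tmp/pkg-build:/var/db/pkg \
 *     LD_PRELOAD=./preload_sandbox.so sh ./post-install.sh
 * SANDBOX_WRITE (a name chosen for this example) is a colon-separated list of
 * directories under which write opens are allowed; reads are never blocked. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Any of these flags means the open can modify the file system. */
#define WRITE_FLAGS (O_WRONLY | O_RDWR | O_CREAT | O_TRUNC | O_APPEND)

/* Reject any ".." path component; a real tool would realpath() instead,
 * which also handles symlinks (this example does not). */
static int has_dotdot(const char *p)
{
    while (*p) {
        const char *e = strchr(p, '/');
        size_t n = e ? (size_t)(e - p) : strlen(p);
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (!e)
            break;
        p = e + 1;
    }
    return 0;
}

/* Policy: 1 = allow, 0 = deny.  Write opens need an absolute, ".."-free path
 * under one of the colon-separated prefixes; a prefix only matches at a
 * directory boundary, so "/tmp/pkg-build" does not admit "/tmp/pkg-buildx". */
int sandbox_path_allowed(const char *path, int flags, const char *write_prefixes)
{
    if (!(flags & WRITE_FLAGS))
        return 1;                                  /* read-only: unrestricted */
    if (!path || path[0] != '/' || has_dotdot(path) || !write_prefixes)
        return 0;
    for (const char *p = write_prefixes; *p; ) {
        const char *e = strchr(p, ':');
        size_t n = e ? (size_t)(e - p) : strlen(p);
        while (n > 1 && p[n - 1] == '/')
            n--;                                   /* ignore trailing slash */
        if (n == 1 && p[0] == '/')
            return 1;                              /* "/" allows everything */
        if (n > 0 && strncmp(path, p, n) == 0 && (path[n] == '/' || path[n] == '\0'))
            return 1;
        if (!e)
            break;
        p = e + 1;
    }
    return 0;
}

static int deny(const char *path)
{
    fprintf(stderr, "sandbox: write open of %s denied\n", path);
    errno = EACCES;
    return -1;
}

/* Interposed openat(): when preloaded, this symbol is resolved before libc's.
 * Relative paths with a dirfd are not resolved here, so writes to them are
 * denied by the policy above. */
int openat(int dirfd, const char *path, int flags, ...)
{
    mode_t mode = 0;
    if (flags & O_CREAT) {
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    if (!sandbox_path_allowed(path, flags, getenv("SANDBOX_WRITE")))
        return deny(path);
    return (int)syscall(SYS_openat, dirfd, path, flags, mode);
}

/* Interposed open(): same policy, relative to the working directory. */
int open(const char *path, int flags, ...)
{
    mode_t mode = 0;
    if (flags & O_CREAT) {
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    return openat(AT_FDCWD, path, flags, mode);
}

int main(void)
{
    /* Constructed probe list for this example, not real installer behaviour. */
    static const char *allow = "/tmp/pkg-build:/var/db/pkg";
    static const struct { const char *path; int flags; } probes[] = {
        { "/etc/passwd",                      O_RDONLY },
        { "/etc/rc.conf",                     O_WRONLY | O_APPEND },
        { "/tmp/pkg-build/work/out.log",      O_WRONLY | O_CREAT | O_TRUNC },
        { "/tmp/pkg-buildx/escape",           O_WRONLY | O_CREAT },
        { "/tmp/pkg-build/../../etc/crontab", O_WRONLY },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-36s %s\n", probes[i].path,
               sandbox_path_allowed(probes[i].path, probes[i].flags, allow) ? "allow" : "DENY");
    return 0;
}
```

The limit of this technique is visible in the code itself: the shim only sees calls that the dynamic linker resolves to its exported symbols. A script that invokes a statically linked helper, issues the syscall directly, or uses a function the shim does not wrap (rename() or unlink() here) is never checked, and an installer running as root can simply unset LD_PRELOAD for a child. That is why Gentoo's Sandbox wraps a much larger set of calls and why a ptrace- or seccomp-based tool like sydbox, which sees the syscall rather than the library call, is the more robust design for anything beyond catching accidental writes.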