Autopackage = hazardous?

Gullible Jones · 2006-06-28 00:29:41

I just noticed that the Autopackage installer can install things to system directories even when run as a user. Granted, a user with sudo priveleges (though not on the root wheel)... Still, I wonder - was that using sudo, or can Autopackage simply bypass Linux's security measures? :shock:

iBertus · 2006-06-28 01:53:43

Some portion of the Autopackage installer would have to be running with root access for this to happen. You should can sudo and try it again. I'm willing to bet that it won't work without sudo.

Gullible Jones · 2006-06-28 01:56:40

I'll see...

Also, forgot to mention... When I tried to run it via './foo.package' I got a "not permitted" error. But when I did 'sh foo.package' it ran and installed everything. AFAIK there should be no difference between those commands...

deficite · 2006-06-28 02:07:45

I've had the nVidia driver's installer do that to me before. I could run it with "sh nvidia-installer.sh" but not "./nvidia-installer.sh"

The only other way I can see Autopackage getting around priveledges besides sudo is by running a daemon of some sort.

iBertus · 2006-06-28 02:35:39

The difference comes from execute permissions. Try chmod +x <filename> and then ./<filename> and see if it works.

Gullible Jones · 2006-06-28 13:09:02

Hmm, it looks like autopackage does take advantage of sudo when it can. It could at least tell you that it installs to somewhere in the system or not at all... Blech. At least it's easy to remove.

(And I have a feeling that, some day, someone will make an Autopackage-based trojan and attach it to spams. Oh well, I can only blame myself for this.)

iphitus · 2006-06-28 16:06:13

Gullible Jones wrote:

(And I have a feeling that, some day, someone will make an Autopackage-based trojan and attach it to spams. Oh well, I can only blame myself for this.)

LOL! That's just so stupidly ridiculous.

Autopackage doesnt bypass any security or anything, it just uses the existing sudo setup. You could configure sudo to deny autopackage if you so wished.

And why would someone go to the effort of using autopackage... when they could use any other install format? Why would someone go to that much effort, when the exploitable target audience is negligable...?

James

iBertus · 2006-06-28 16:28:53

Things like autopackage are designed to provide point-and-click software installation for ease of use. While I don't personally like this sort of thing, it is much easier to just use sudo instead of fooling with password prompts when possible. I don't think autopackage is targeted to the security minded, advanced user. If security is a concern, you should check all of your packages before installing (regardless of the package management system).

deficite · 2006-06-28 18:02:08

*cough* iBertus.....I've used chmod quite a few times in my day. I was going to ask Jones the same question but I didn't want to sound like I was belittling him

I do understand you're just trying to help though.

Gullible Jones · 2006-06-28 18:39:21

Duh. How did I forget about chmod? Absolutely brilliant... I was using it rather heavily just last week. Shouldn't really matter whether I executed it or ran it through sh though.

At any rate, Autopackage provides a convenient uninstaller, which also works with sudo, so the offending files are off my system. I'll just remember from now on that you can't tell Autopackage scripts where to install their payload.

Arch Linux

#1 2006-06-28 00:29:41

Autopackage = hazardous?

#2 2006-06-28 01:53:43

Re: Autopackage = hazardous?

#3 2006-06-28 01:56:40

Re: Autopackage = hazardous?

#4 2006-06-28 02:07:45

Re: Autopackage = hazardous?

#5 2006-06-28 02:35:39

Re: Autopackage = hazardous?

#6 2006-06-28 13:09:02

Re: Autopackage = hazardous?

#7 2006-06-28 16:06:13

Re: Autopackage = hazardous?

#8 2006-06-28 16:28:53

Re: Autopackage = hazardous?

#9 2006-06-28 18:02:08

Re: Autopackage = hazardous?

#10 2006-06-28 18:39:21

Re: Autopackage = hazardous?

Board footer