You are not logged in.

#1 2024-07-16 09:53:11

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 12,995

[Solved] How (un)safe is sourcing PKGBUILDs in makepkg ?

https://bbs.archlinux.org/viewtopic.php?pid=2184217#p2184217 wrote:

]makepkg does it, but uses special methods that significantly reduce the risk.

This is not true, makepkg sources the PKGBUILD like any other bash script. (The "source_safe" just preserves shell options and checks the exit status of "source".) You could do things like unset PATH, but then you would severely limit what you can do in PKGBUILDs.

The reply is by Alad, the text they quote is from me in an earlier post in the same thread.


My impression is that an important feature of makepkg is that it is written/designed to mitigate the risks from sourcing bash scripts (PKGBUILD) with arbirtrary code.
Alad's reply suggests that impression is wrong.


How (un)safe is sourcing PKGBUILDs in makepkg ?


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Offline

#2 2024-07-16 10:26:24

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,478
Website

Re: [Solved] How (un)safe is sourcing PKGBUILDs in makepkg ?

It is very unsafe.  It is not sourced or processed in anyway as root, but a PKGBUILD can easily delete your entire home directory (which I count as far worse!).

Offline

#3 2024-07-16 11:01:06

Lone_Wolf
Administrator
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 12,995

Re: [Solved] How (un)safe is sourcing PKGBUILDs in makepkg ?

Thanks for the clear answer.

The more I learn the more attractive clean chroot building gets.


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.

clean chroot building not flexible enough ?
Try clean chroot manager by graysky

Offline

#4 2024-07-16 11:06:36

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 2,117
Website

Re: [Solved] How (un)safe is sourcing PKGBUILDs in makepkg ?

Building in a clean chroot is great for reproducibility and to prevent packaging error if done correctly.
I, however, would not advertise it as a security feature for the packager. There are ways to break out of a chroot jail.
Nothing beats just reading the PKGBUILD.


Inofficial first vice president of the Rust Evangelism Strike Force

Offline

#5 2024-07-16 12:24:48

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,478
Website

Re: [Solved] How (un)safe is sourcing PKGBUILDs in makepkg ?

schard wrote:

I, however, would not advertise it as a security feature for the packager. There are ways to break out of a chroot jail.

Arch devtools (though have many other potential issues), uses systemd-nspawn instead of chroot.  So I don't think that particular issue exists.

Offline

#6 2024-07-16 12:31:52

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 30,330
Website

Re: [Solved] How (un)safe is sourcing PKGBUILDs in makepkg ?

Allan wrote:

It is very unsafe.

The OP is asking about sourcing it into a user script - and to me this implies the question is how safe/unsafe is this relative to running makepkg on that PKGBUILD to build a package.  I.e., are there any additional dangers.  I don't believe there are additional safety risks, but I'd say it's a bad idea as times when people have wanted to do it was so they could then just use $pkgver or some other variable overlooking that said variable may not be statically set but rather dynamically generated.

EDIT: oops, okay the title is clearly about sourcing via makepkg.  But the context that generated this question was something completely different.

Last edited by Trilby (2024-07-16 12:33:11)


"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman

Offline

#7 2024-07-16 15:16:41

Alad
Wiki Admin/IRC Op
From: Bagelstan
Registered: 2014-05-04
Posts: 2,418
Website

Re: [Solved] How (un)safe is sourcing PKGBUILDs in makepkg ?

schard wrote:

Building in a clean chroot is great for reproducibility and to prevent packaging error if done correctly.
I, however, would not advertise it as a security feature for the packager. There are ways to break out of a chroot jail.
Nothing beats just reading the PKGBUILD.

That's too complicated... devtools sources the PKGBUILD as your user (through makepkg --verifysource) before running systemd-nspawn.

It is very unsafe.  It is not sourced or processed in anyway as root, but a PKGBUILD can easily delete your entire home directory (which I count as far worse!).

One time I forgot to read a PKGBUILD, and it overwrite my entire emacs configuration smile


Mods are just community members who have the occasionally necessary option to move threads around and edit posts. -- Trilby

Offline

#8 2024-07-16 21:15:15

sitquietly
Member
From: On the Wolf River
Registered: 2010-07-12
Posts: 220

Re: [Solved] How (un)safe is sourcing PKGBUILDs in makepkg ?

Lone_Wolf wrote:

... How (un)safe is sourcing PKGBUILDs in makepkg ?

A thousand years ago when I was trying to create a tool to build archlinux from sources gentoo-style I quickly learned, from reading many, many PKGBUILDs, that sourcing them was not safe.  At the time Community, and especially AUR, PKGBUILDs did many strange things.  My solution then was to treat the PKGBUILD as a set of definitions of variables and functions and to write awk scripts to parse out the information while avoiding executing arbitrary code.  e.g. the header for one of those scripts that parsed out pkgnames, groups and dependencies read like this:
<excerpt from script>
21 # Syntax:
22 #    pkgvariables -vpkg=<pkgname> <pkgbuild-file>
23 #
24 # prints the lines of the pkgbuild file that set *depends and groups
25 # for pkgname.  If the pkgbuild defines multiple packages, split packages,
26 # then more than one depends and groups assignment may be printed but
27 # the last one will be for the specific package requested.
28
29 # Used in a shell script in the form
30 #    eval $(pkgvariables -vpkg=$pkgname PKGBUILD)
31 # to define the depends, makedepends, and groups arrays for pkgname
32
33 # WARNING: this script assumes a specific formatting for PKGBUILD files;
34 # package_xyzzy() definitions start in column 1 and the definition ends
35 # with a } in column 1.
36
37 # Note that comment stripping is simplistic: if a # character occurs
38 # at the beginning of a line, or if there is white space before or
39 # after it, that # is taken to start a comment. A # embedded in text
40 # is left in place to allow through such constructs as ${pkgname#*-}
41 # used by packages in the community repo (e.g. lib32-cdparanoia and
42 # lib32-portaudio).
43 blah blah blah... (obtuse awk code follows)

PKGBUILDs as bash scripts, instead of as declarations such as in Fedora specfiles, is both a blessing and a curse.  The arch system can be a joy to work with.  But executing arbitrary code from a PKGBUILD is a weakness that requires good developers to protect us.

Offline

#9 2024-07-16 21:43:41

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,478
Website

Re: [Solved] How (un)safe is sourcing PKGBUILDs in makepkg ?

Now you can get most of that information with "makepkg --sourceinfo" which does not (I'm fairly sure...) source the PKGBUILD.

Offline

Board footer

Powered by FluxBB