
#1 2020-06-05 06:34:40

v3n0m19
Member
Registered: 2017-10-08
Posts: 8

Question about malware and pkgbuilds

So, I am a little suspicious about this package, betterdiscord-rauenzi-git.
Well, I came across a forum post on Google saying that betterdiscord installs a rootkit.


Upon looking at the pkgbuild of this package https://aur.archlinux.org/packages/bett … uenzi-git/

I found that it doesn't compile anything, just makes the package.

Now, I haven't installed the package, but I have made it.
The question for me is whether, in making the package, the files required by the package for installation are executed as well.

Looking at the pkgbuild, I found that it just copies something, but I am unsure about the execution of files.

So, in general, does making a package also mean that the files to be installed by the package are always executed, or not?

You can see the pkgbuild as well on the aur of this package.
Thanks.

Offline

#2 2020-06-05 07:27:29

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,427

Re: Question about malware and pkgbuilds

makepkg does what's defined in the PKGBUILD; since there's no execution happening, that means nothing is executed (unless you don't trust your cp or sed, but then you'd have very different and much more problematic concerns).

It's a discord/betterdiscord plugin; unless you have betterdiscord already installed and are using it, even installing this package wouldn't do anything.

A simple Google search also gets heavily mixed signals on whether it's malware or not; in general, if you don't trust something, don't install it. None of this has any direct relation to makepkg or the AUR.

Last edited by V1del (2020-06-05 07:35:48)

Offline

#3 2020-06-05 07:32:07

Awebb
Member
Registered: 2010-05-06
Posts: 6,275

Re: Question about malware and pkgbuilds

v3n0m19 wrote:

So, in general, does making a package also mean that the files to be installed by the package are always executed, or not?

No. In the PKGBUILD in question, nothing is marked as executable. This PKGBUILD does not execute anything. All it does is install a couple of files to /usr/lib/betterdiscord-rauenzi-git. The betterdiscord-rauenzi.install file will then make pacman emit a warning that you need to run some command per user. This command isn't even in the package (betterdiscordctl) and has been moved to an external package, which is only an optdepend. This package does nothing.

betterdiscordctl, on the other hand, is a shell script that is supposed to be run as root and is supposed to patch your discord installation. It can be found here. You can read it yourself and decide whether you want that script run as root on your machine. If anything rootkit-y is going on, it's there.

Now for the underlying question: Should you use an injector that smuggles code into a proprietary communication software, without having read and understood that code?

Offline
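The answer above comes down to two things a user can check for themselves before running pacman -U: which files inside the built package carry an executable bit, and what the .INSTALL scriptlet (the file pacman runs as root at install time) actually says. The following POSIX shell script is an added example, not code from this thread or from the AUR package; it builds a constructed sample package (a non-executable plugin file, one executable helper and a small .INSTALL scriptlet) so it runs offline, and the same functions work on a real .pkg.tar.zst produced by makepkg as long as tar can read zstd on that machine.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a built pacman package
# before installing it. Real packages from makepkg are .pkg.tar.zst;
# the constructed sample below uses gzip so the script runs anywhere.
set -eu

# Extract a package archive into a fresh scratch directory and print its path.
extract_pkg() {
    dir=$(mktemp -d)
    tar -xf "$1" -C "$dir"
    printf '%s\n' "$dir"
}

# Print the number of regular files inside the package that have the
# owner-executable bit set. Pacman metadata files (.PKGINFO, .INSTALL,
# .MTREE, .BUILDINFO) are dotfiles at the top level and are skipped.
count_exec() {
    dir=$(extract_pkg "$1")
    n=$(find "$dir" -type f -perm -u+x ! -name '.*' | wc -l | tr -d ' ')
    rm -rf "$dir"
    printf '%s\n' "$n"
}

# Return 0 if the package ships an install scriptlet, 1 otherwise.
has_install_script() {
    dir=$(extract_pkg "$1")
    if [ -f "$dir/.INSTALL" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

# Human-readable report: executable files, then the scriptlet pacman would run.
audit_pkg() {
    dir=$(extract_pkg "$1")
    echo "== executable files in $1 =="
    find "$dir" -type f -perm -u+x ! -name '.*' | sed "s|^$dir/||"
    echo "== install scriptlet (.INSTALL) =="
    if [ -f "$dir/.INSTALL" ]; then cat "$dir/.INSTALL"; else echo "(none)"; fi
    rm -rf "$dir"
}

# Build a constructed sample package (hypothetical name "sample-plugin")
# with the same layout a makepkg package has, and print its path.
make_sample_pkg() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/sample-plugin" "$root/usr/bin"
    printf 'console.log("plugin");\n' > "$root/usr/lib/sample-plugin/plugin.js"
    chmod 644 "$root/usr/lib/sample-plugin/plugin.js"
    printf '#!/bin/sh\necho helper\n' > "$root/usr/bin/sample-helper"
    chmod 755 "$root/usr/bin/sample-helper"
    printf 'pkgname = sample-plugin\npkgver = 1.0-1\n' > "$root/.PKGINFO"
    printf 'post_install() {\n  echo "run sample-helper once per user"\n}\n' > "$root/.INSTALL"
    pkg="$root.pkg.tar.gz"
    # Pack from inside the root so paths in the archive start at usr/ and .INSTALL
    (cd "$root" && tar -czf "$pkg" .PKGINFO .INSTALL usr)
    rm -rf "$root"
    printf '%s\n' "$pkg"
}

# Stand-alone run: build the sample and audit it.
if [ "${1:-}" = "--demo" ]; then
    SAMPLE=$(make_sample_pkg)
    audit_pkg "$SAMPLE"
    echo "executable file count: $(count_exec "$SAMPLE")"
    rm -f "$SAMPLE"
fi
```

Run it as `sh audit.sh --demo` to see the report for the constructed sample, or call `audit_pkg /path/to/foo-1.0-1-any.pkg.tar.zst` on a real package. On the sample it lists exactly one executable file (usr/bin/sample-helper) and prints the post_install hook; a package like the one discussed in this thread, where the answer says nothing is marked executable, would list zero files, leaving only the scriptlet to read.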

#4 2020-06-05 11:47:12

v3n0m19
Member
Registered: 2017-10-08
Posts: 8

Re: Question about malware and pkgbuilds

So, in short, if there aren't any compile scripts etc., makepkg just compresses the files into the folders where they are to be installed.
In the case of this pkgbuild,
the debug output of makepkg is something like this:
download the github repo, make usr/lib directories in the package directory, then copy the contents there, and compress it into a tar.

Am I right? No execution of scripts from the downloaded github repo is done here?

Offline

#5 2020-06-05 12:05:36

V1del
Forum Moderator
Registered: 2012-10-16
Posts: 21,427

Re: Question about malware and pkgbuilds

For this particular PKGBUILD this is the case, yes.

Offline

#6 2020-06-05 13:33:59

v3n0m19
Member
Registered: 2017-10-08
Posts: 8

Re: Question about malware and pkgbuilds

Also, you were talking about sed in your previous post, but I don't see any use of sed in the pkgbuild.
Is that something to worry about?

Offline

#7 2020-06-05 13:42:58

schard
Member
From: Hannover
Registered: 2016-05-06
Posts: 1,932
Website

Re: Question about malware and pkgbuilds

Look again at line no. 21.
There sed is being used to derive parts of the pkgver.
The point V1del was making is that the binaries might be compromised on your system (I think?).
Also, sed syntax can look obfuscated to people without sed experience, like me.
In the given case, however, it's pretty obvious what it does.

Last edited by schard (2020-06-05 13:44:49)

Offline
