Hello everyone,
So this AUR package just had some suspicious files in it that I needed someone more veteran than I to look over. I only started Linux about 2 years ago and have only been good enough to run Arch well for about 4 months; I only started AUR installs a few days ago. So I could be worried about nothing here. Anyway, it can be found at:
anki-official-binary-bundle aur package
The files are called: Dockerfile, docker.sudoers, update_srcinfo.sh
In fact the PKGBUILD doesn't even seem to use these, but the impression I got is that:
Dockerfile:
# https://serverfault.com/a/1053273
# TEMP-FIX for pacman issue
RUN patched_glibc=glibc-linux4-2.33-4-x86_64.pkg.tar.zst \
&& curl -LO "https://raw.githubusercontent.com/sickcodes/Docker-OSX/master/${patched_glibc}" \
&& bsdtar -C / -xvf "${patched_glibc}" || echo "Everything is fine."
# TEMP-FIX for pacman issue
RUN pacman -Sy --noconfirm sudo fakeroot base-devel
RUN pacman -S --noconfirm git
RUN pacman -S --noconfirm vim
COPY docker.sudoers /etc/sudoers.d/wheel
RUN useradd user
RUN usermod -a user -G wheel
This seems to copy docker.sudoers to wheel (I'm assuming wheel is also created inside the directory sudoers.d). user is added by useradd and added to the group wheel. Another weird thing is that a patched glibc is downloaded from githubusercontent.
docker.sudoers:
%wheel ALL=(ALL) NOPASSWD: ALL
So this would mean that user (who was added by the Dockerfile) now doesn't need a password? Why would Anki or Docker need this?
update_srcinfo.sh:
#!/bin/sh
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
echo Updating .SRCINFO
cd "$DIR"
makepkg --printsrcinfo > .SRCINFO
git add .SRCINFO
This doesn't look suspicious but was one of the files I wasn't expecting, so I thought I'd add it here anyway in case I missed something.
Anyway, when it comes to security it's smart to communicate concerns, so that's what I'm doing. I wasn't sure where the right place would be. Worst case I am wrong, someone can explain why this is harmless or needed, and I learn something. In the comments the maintainer responded to someone else asking about these files, saying:
kuklinistvan commented on 2022-01-01 12:56 (UTC)
@derivator Thank you for getting in touch, and I wish you and everyone a happy new year! The Docker image is only there to provide an easy way to build the package regardless of the builder's currently used distribution. I'm not sure if removing small tools aiding the build from this repository is justified; some restructuring could be of use, though.
If you have the time to "emulate" a PR for me (clone the repository, modify its content according to your idea, host it somewhere publicly and share the link), I can review and incorporate your changes.
Anyway, thanks to those who may look this over at the risk of wasting their time. To be clear, I am not officially making an accusation, just communicating about a package I am unsure about.
Warning recovering help-vampire: Do not feed me help (July, 8th 2020)
Fully Recovered help-vampire
(at some point late 2021)
Linux journey (approximately) Ubuntu -> Arch -> Debian -> Manjaro -> NixOs -> (attempted: unresolved hardware issues) gnu guix -> Gentoo -> Fedora -> Arch (current) (very outdated but back to arch as I put together my own distro).
I would imagine that things inside the Dockerfile would be run only inside a container (i.e., not actually modifying your system).
However, that's kind of strange for a lot of reasons, and my immediate feeling is that such things should™ not be necessary (whether or not they actually are).
All the best,
-HG
To build on that, it seems you could even delete those files and build the package anyway, as the PKGBUILD doesn't seem to use them, unless I missed something. Perhaps they should be put in their own AUR package labeled something like anki-docker or some such, require the original AUR package (this one) as a dependency, and go from there. But I guess that's for the maintainer to decide anyway.
Last edited by Lemanr (2022-02-14 07:13:44)
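The checks done by hand in this thread (which files the PKGBUILD actually references, whether a sudoers file grants NOPASSWD, and whether the Dockerfile pulls something from the network) can be run mechanically before makepkg. The following POSIX shell script is an added example written for this thread; it is not part of the AUR package or of anyone's post here. The sample package directory it builds is constructed for the demo with placeholder names and URLs, and the "unreferenced file" check is only a name-matching heuristic: a file can still be used indirectly (for instance by a script the PKGBUILD calls), so a hit is a prompt to read the file, not a verdict.

```shell
#!/bin/sh
# Added example, not part of the thread or of the AUR package: a small POSIX
# shell helper for reviewing an AUR checkout before running makepkg.
# It reports three things the thread discusses by hand:
#   1. files in the package directory the PKGBUILD never references,
#   2. sudoers rules granting NOPASSWD,
#   3. Dockerfile RUN/ADD steps that fetch something from the network.
# The package directory built by make_sample_pkgdir is constructed for the
# demo; names, URLs and contents are placeholders, not the real package.

# Print files in directory $1 that the PKGBUILD does not mention by name.
unreferenced_files() {
    for path in "$1"/*; do
        [ -e "$path" ] || continue
        name=$(basename "$path")
        case "$name" in PKGBUILD|.SRCINFO) continue ;; esac
        grep -qF -- "$name" "$1/PKGBUILD" || printf '%s\n' "$name"
    done
}

# Print NOPASSWD rules from any *sudoers* file in directory $1, prefixed
# with the file name and line number.
nopasswd_rules() {
    for path in "$1"/*sudoers*; do
        [ -f "$path" ] || continue
        grep -n 'NOPASSWD' "$path" | sed "s|^|$(basename "$path"):|"
    done
}

# Join backslash-continued Dockerfile lines, then print RUN/ADD instructions
# that reach the network (curl, wget or a URL). Reported lines are the joined
# instructions, so they carry no line numbers.
network_fetch_steps() {
    [ -f "$1/Dockerfile" ] || return 0
    awk '
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0; next }
        { print buf $0; buf = "" }
    ' "$1/Dockerfile" | grep -E '^(RUN|ADD)[[:space:]].*(curl|wget|https?://)' || true
}

# Total number of findings for directory $1 (lines printed by all checks).
finding_count() {
    { unreferenced_files "$1"; nopasswd_rules "$1"; network_fetch_steps "$1"; } | grep -c .
}

# Build a constructed sample package directory (placeholder content) and
# print its path. The Dockerfile mimics the shape discussed in the thread.
make_sample_pkgdir() {
    tmp=$(mktemp -d)
    cat > "$tmp/PKGBUILD" <<'EOF'
pkgname=example-bundle
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("example-$pkgver.tar.gz")
sha256sums=('SKIP')
package() { install -Dm755 "$srcdir/example" "$pkgdir/usr/bin/example"; }
EOF
    printf '%%wheel ALL=(ALL) NOPASSWD: ALL\n' > "$tmp/docker.sudoers"
    cat > "$tmp/Dockerfile" <<'EOF'
FROM archlinux
RUN patched=glibc-patched.pkg.tar.zst \
 && curl -LO "https://example.invalid/${patched}" \
 && bsdtar -C / -xvf "${patched}" || echo "Everything is fine."
RUN pacman -Sy --noconfirm sudo base-devel
COPY docker.sudoers /etc/sudoers.d/wheel
EOF
    printf '#!/bin/sh\nmakepkg --printsrcinfo > .SRCINFO\n' > "$tmp/update_srcinfo.sh"
    printf '%s\n' "$tmp"
}

# Stand-alone demo: audit the constructed directory, then clean up.
demo_dir=$(make_sample_pkgdir)
echo "Unreferenced files:";  unreferenced_files "$demo_dir"
echo "NOPASSWD rules:";      nopasswd_rules "$demo_dir"
echo "Network fetch steps:"; network_fetch_steps "$demo_dir"
echo "Total findings: $(finding_count "$demo_dir")"
rm -rf "$demo_dir"
```

Against a real checkout you would call the three functions on the clone directory instead of the constructed one. On the sample it reports the three unreferenced helper files, the one NOPASSWD rule, and the one RUN step that downloads and unpacks an archive into / inside the build container, which is exactly the set of things worth reading before deciding whether the package is fine.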
Looks like a Dockerfile used to test the package. Nothing suspicious here.
Useless shit wot I do | "A very witty and relatable quote." -- A wise man
These files aren't that complicated, so I'd be comfortable with having this thread closed seeing as 2 vets had eyes on it. Unless something weird is buried in the glibc patch, I can agree that anything being bad here is very unlikely.