
#1 2009-06-09 14:56:34

Llama
Banned
From: St.-Petersburg, Russia
Registered: 2008-03-03
Posts: 1,379

yaourt security warning

Hi,

First Submitted: Thu, 06 Dec 2007 16:55:19 +0000
gnubg 20090412-1 : Backgammon
( Unsupported package: Potentally dangerous ! )
==>  Edit the PKGBUILD (highly recommended for security reasons) ? [Y/n]("A" to abort)
==>   ----------------------------------------------
==>

What am I supposed to do about it?


#2 2009-06-09 14:58:48

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: yaourt security warning

I believe it tries to say that blindly (i.e. without checking PKGBUILDs and .install files) installing software from AUR isn't a good idea.

Last edited by lucke (2009-06-09 15:00:54)


#3 2009-06-09 15:16:45

Llama
Banned
From: St.-Petersburg, Russia
Registered: 2008-03-03
Posts: 1,379

Re: yaourt security warning

lucke wrote:

I believe it tries to say that blindly (i.e. without checking PKGBUILDs and .install files) installing software from AUR isn't a good idea.

Ah... What am I supposed to spot there? Trojan's banner?


#4 2009-06-09 16:07:51

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: yaourt security warning

Things like "rm -rf /"?


#5 2009-06-09 16:10:02

Army
Member
Registered: 2007-12-07
Posts: 1,784

Re: yaourt security warning

Llama wrote:

Ah... What am I supposed to spot there? Trojan's banner?

rm -rf /

in the build function for example ;-)


#6 2009-06-09 18:25:45

tdy
Member
From: Sacremende
Registered: 2008-12-14
Posts: 440

Re: yaourt security warning

Army wrote:

in the build function for example ;-)

It would have to be in the .install file to do any tangible harm unless you run makepkg as root for some strange reason.. although I'm sure the package would be a dud anyway if they did put that in the PKGBUILD.

Last edited by tdy (2009-06-09 19:06:44)


#7 2009-06-09 22:46:03

Army
Member
Registered: 2007-12-07
Posts: 1,784

Re: yaourt security warning

tdy wrote:
Army wrote:

in the build function for example ;-)

It would have to be in the .install file to do any tangible harm unless you run makepkg as root for some strange reason.. although I'm sure the package would be a dud anyway if they did put that in the PKGBUILD.

Of course you are right ;-) But I would hate to lose all my files in home ;-)


#8 2009-06-09 22:51:03

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: yaourt security warning

I'm not sure how fakeroot is supposed to work, but I did manage to delete a dir in / from within build().


#9 2009-06-10 03:36:39

skottish
Forum Fellow
From: Here
Registered: 2006-06-16
Posts: 7,942

Re: yaourt security warning

On top of the install files, it's always a good idea to know where software is coming from. Anyone can submit anything to AUR with sources that are malware, knowingly or not. There's a very real risk of users voluntarily installing rogue software, and as Linux becomes more popular, we'll see more and more repos full of this garbage.

*** The greatest risk that Linux will become like Windows comes from its user base ***


#10 2009-06-10 11:19:53

Llama
Banned
From: St.-Petersburg, Russia
Registered: 2008-03-03
Posts: 1,379

Re: yaourt security warning

skottish wrote:

On top of the install files, it's always a good idea to know where software is coming from. Anyone can submit anything to AUR with sources that are malware, knowingly or not. There's a very real risk of users voluntarily installing rogue software, and as Linux becomes more popular, we'll see more and more repos full of this garbage.

That's obvious. The question is, how much can I see looking into a port from AUR. What kind of effort is worth putting into it?


#11 2009-06-11 04:28:48

tdy
Member
From: Sacremende
Registered: 2008-12-14
Posts: 440

Re: yaourt security warning

Llama wrote:

What kind of effort is worth putting into it?

well that's a question only you can answer.. the amount of effort depends on how safe you want to be..


#12 2009-06-19 12:28:38

louipc
Member
Registered: 2006-10-09
Posts: 85

Re: yaourt security warning

lucke wrote:

I'm not sure how fakeroot is supposed to work, but I did manage to delete a dir in / from within build().

From the fakeroot man page:

fakeroot runs a command in an environment wherein it appears to have root privileges for file manipulation.

Fakeroot only makes you appear to have root privileges. A PKGBUILD could potentially destroy anything that your user has access to.
If you want complete peace of mind, you should build under a special build user that doesn't have access to anything important.

I think that if we keep diligent on security there'll be less motivation for people to submit malicious PKGBUILDs. If we're soft on security, then it'll be easier to affect the system, and there may be more motivation to create bad PKGBUILDs.


#13 2009-06-19 13:12:24

Mr.Elendig
#archlinux@freenode channel op
From: The intertubes
Registered: 2004-11-07
Posts: 4,092

Re: yaourt security warning

What you really want to spot, is stupid things in the PKGBUILDs like:

rm -r /usr/include/foobar/*
cp $srcdir/foobar.so /usr/lib/foobar.so.5

instead of:

rm -r $pkgdir/usr/include/foobar/*
cp $srcdir/foobar.so $pkgdir/usr/lib/foobar.so.5

Evil #archlinux@libera.chat channel op and general support dude.
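A small reviewer aid for the pattern Mr.Elendig describes, added here as an example for this thread (it is not yaourt's or any poster's code): it flags file-manipulating lines in a PKGBUILD whose target is an absolute path rather than something under $pkgdir. The PKGBUILD fragment is constructed inline so it runs offline, and the check is a heuristic grep, not a shell parser.

```shell
#!/bin/sh
# Added example, not from the thread: flag rm/cp/mv/install/ln/chmod/chown
# lines in a PKGBUILD whose target is an absolute path (/usr/..., /etc/...)
# instead of a path under $pkgdir. Heuristic only; it cannot prove safety.

# Constructed sample PKGBUILD: two lines write to the live system,
# the rest stay inside $pkgdir / $srcdir as they should.
SAMPLE_PKGBUILD='pkgname=foobar
pkgver=1.0
build() {
  cd "$srcdir/foobar"
  make
}
package() {
  rm -r /usr/include/foobar/*
  cp $srcdir/foobar.so /usr/lib/foobar.so.5
  rm -r $pkgdir/usr/include/foobar/*
  cp $srcdir/foobar.so $pkgdir/usr/lib/foobar.so.5
  install -Dm755 foobar "$pkgdir/usr/bin/foobar"
}'
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_PKGBUILD" > "$SAMPLE_FILE"

# A file-manipulating command followed, somewhere on the line, by a
# whitespace-separated (optionally quoted) argument that starts with "/".
# "$pkgdir/usr" and "$srcdir/foo" do not match: their "/" follows a
# variable name, not whitespace.
ABS_PATH_RE="^[[:space:]]*(rm|cp|mv|install|ln|chmod|chown)[[:space:]].*[[:space:]][\"']?/([A-Za-z*]|[[:space:]]|\$)"

# suspicious_lines FILE: print matching lines with their line numbers.
suspicious_lines() {
    grep -nE "$ABS_PATH_RE" "$1"
}

# count_suspicious FILE: print how many such lines the file contains.
count_suspicious() {
    grep -cE "$ABS_PATH_RE" "$1"
}

# check_pkgbuild FILE: return 0 when nothing was flagged, 1 otherwise,
# so it can gate a review step before running makepkg.
check_pkgbuild() {
    if suspicious_lines "$1"; then
        echo "review the lines above: they touch the live filesystem" >&2
        return 1
    fi
    return 0
}

check_pkgbuild "$SAMPLE_FILE" || echo "PKGBUILD needs a closer look"
```

A clean result from this grep is not a clean bill of health: the .install file and every sourced helper script still need to be read by hand.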
