You are not logged in.

#1 2003-08-22 21:36:00

Comete
Member
From: France
Registered: 2003-08-03
Posts: 46

about post install scripts...

hi,

i wonder if there is a solution for the post-install script problem to prevent some commands like "rm -rf /" to be executed. I know that Gentoo hasn't got this problem because ebuild scripts use a particular language that doesn't implement a such command. But for Arch which uses bash, could this problem be really resolved ?


Comete.

Offline

#2 2003-08-22 23:44:28

contrasutra
Member
From: New Jersey
Registered: 2003-07-26
Posts: 507

Re: about post install scripts...

Well, everytime I get a package off of something other than the official trees, im sure to read the .install scripts and PKGBUILD.

I mean, theres no better security than vigilance.

But I think That "fake root" thats being implemented will solve the problem completly.


"Contrary to popular belief, penguins are not the salvation of modern technology.  Neither do they throw parties for the urban proletariat."

Offline

#3 2003-08-23 15:40:14

Xentac
Forum Fellow
From: Victoria, BC
Registered: 2003-01-17
Posts: 1,797
Website

Re: about post install scripts...

fakeroot won't fix that problem... but you're basically going to have to check the install scripts so that they don't do that.  I'd say it's pretty safe to trust the packages that the archlinux maintainers create, but third party ones are always iffy.


I have discovered that all of mans unhappiness derives from only one source, not being able to sit quietly in a room
- Blaise Pascal

Offline

#4 2003-08-25 16:02:39

romankreisel
Member
Registered: 2003-08-07
Posts: 14

Re: about post install scripts...

Xentac wrote:

fakeroot won't fix that problem... but you're basically going to have to check the install scripts so that they don't do that.  I'd say it's pretty safe to trust the packages that the archlinux maintainers create, but third party ones are always iffy.

Xentac is right: fakeroot won't save you from such things, but neither does a check for the post-install scripts!

You'd have to check the install-scripts, the patches and (of course) also the sourcecode of the programm itself, if it wasn't downloaded by YOU from a more trustful source than the package maintainer.

Offline

#5 2003-08-25 17:36:25

Toth
Member
Registered: 2002-12-04
Posts: 82

Re: about post install scripts...

Comete wrote:

hi,

i wonder if there is a solution for the post-install script problem to prevent some commands like "rm -rf /" to be executed. I know that Gentoo hasn't got this problem because ebuild scripts use a particular language that doesn't implement a such command. But for Arch which uses bash, could this problem be really resolved ?


Comete.

There really is nothing you can do about this problem. Even if there were no post install script, one could create a package containing a bash script named "netcheck" that "requires root privileges to run" and just executes rm -rf /  No amount of post-install script checking will save you if you execute that script (what you believe to be a legit app) as root. This is not specific to Arch. One could easily package such a script in an RPM, DEB, Slackware TGZ, or an ebuild.

A package is software, and you have to trust that the software you are downloading is legit. If it is, and you trust the packager, you have no reason not to trust the package.

I assure you, if the package maintainers ever run across a submitted package with "rm -rf /" in the post install script, they won't add it to the Arch Linux repositories. If/when you find a 3rd-party Arch package for download, that's a risk you are going to have to take. Check the scripts, check the source of the program (if you're paranoid). That's about all you can do.

Offline

#6 2003-08-25 21:39:46

dp
Member
From: Zürich, Switzerland
Registered: 2003-05-27
Posts: 3,366
Website

Re: about post install scripts...

Toth wrote:

[...]
A package is software, and you have to trust that the software you are downloading is legit. If it is, and you trust the packager, you have no reason not to trust the package.

exactly ---> do not download from sources you dont trust
(if you ever worked on a windows, you know that already, because there is a lot of evil things around (spyware, virus, bacteria, nice VB-scripts, nice JS-scripts ...))

-> the problem about security: if your OS becomes popular, then the bad guys see it as enough popular to do something bad with it

Toth wrote:

I assure you, if the package maintainers ever run across a submitted package with "rm -rf /" in the post install script, they won't add it to the Arch Linux repositories. If/when you find a 3rd-party Arch package for download, that's a risk you are going to have to take. Check the scripts, check the source of the program (if you're paranoid). That's about all you can do.

what about a check (in pacman), to give warning, that something will be done with / ... as i know, there is no line to run with / as parameter for a normal reason during an installation or upgrade

if you download a non-archlinux.org package (downloaded from somewhere else), the install procedure is now this:

> pacman -A bad-0.1-1.pkg.tar.gz
loading package data... done.
checking for conflicts... done.
installing ... done.
>

the check would look like this:

> pacman -A bad-0.1-1.pkg.tar.gz
loading package data... done.
checking install/upgrade scripts ...

Warning: Found lines in Install-Script that contain / :

line 3: do something
line 4: cd /            <---
line 5: rm -rf * 
line 6: echo "I was a bad script"

Continue with installation [y|N] y

checking for conflicts... done.
installing ... done.
I was a bad script
>

this will at least give the user a chance to look at code that contain "/ " in the install/upgrade/remove-scripts and have some control

of course this will not check the package-content :-( ... but at least you will have one leak closed particulary


The impossible missions are the only ones which succeed.

Offline

#7 2003-08-26 01:32:54

apeiro
Daddy
From: Victoria, BC, Canada
Registered: 2002-08-12
Posts: 771
Website

Re: about post install scripts...

slashes are everywhere in post-install scriptlets...

[judd@earth abs]$ cat `find . -name "*.install"` | grep '/'

besides, this would get around it:

rm -rf *

since pacman heads to / automatically before executing the script.

Any sort of mitigation in this area is quite easily defeated by a determined evil-doer.  Trust your package sources.

One improvement that I think would be useful is an extension of the -Qip options.  Normally they will output the .PKGINFO file for a given .pkg.tar.gz file, but it would be handy to have it also output the .install file, if there is one.

Offline

#8 2003-08-26 02:29:11

dp
Member
From: Zürich, Switzerland
Registered: 2003-05-27
Posts: 3,366
Website

Re: about post install scripts...

apeiro wrote:

slashes are everywhere in post-install scriptlets...

[judd@earth abs]$ cat `find . -name "*.install"` | grep '/'

i meant

[damir@Asteraceae abs]$ cat `find . -name "*.install"` | grep '/ '

-> a slash with a space behind ... this is not so often found

apeiro wrote:

besides, this would get around it:

rm -rf *

since pacman heads to / automatically before executing the script.

-> that's why i used this example

->i didnt know that pacman goes automatically to / ... sorry

apeiro wrote:

Any sort of mitigation in this area is quite easily defeated by a determined evil-doer.  Trust your package sources.

One improvement that I think would be useful is an extension of the -Qip options.  Normally they will output the .PKGINFO file for a given .pkg.tar.gz file, but it would be handy to have it also output the .install file, if there is one.

this would be great, yes


The impossible missions are the only ones which succeed.

Offline

Board footer

Powered by FluxBB