On May 30, 2014, at 2:41 PM, W. Martin Borgert wrote:

> Quoting Jeremie Marguerie <jere...@marguerie.org>:
>> Thanks for bringing that issue! I feel the same way when I install a
>> packet from a non-official PPA.
> 
> Unfortunately, every package can do anything: pre-inst, post-inst,
> pre-rm, post-rm run as root. If you don't trust a PPA the same way
> you trust your OS vendor (Debian, Ubuntu or whoever), install only
> in a VM or a container (not sure, whether a docker container is
> considered safe enough, but chroot is not sufficient).
> 
> Alternatively, download the package, unpack it, remove the maintainer
> scripts or check them carefully, check for s-bits on binaries etc.,
> repack it and install. I'm probably missing more checks here.
> 
> While it would be nice to have sth. like "less trusted sources" and
> allow their packages only certain kinds of install/de-install
> operations (i.e. no maintainer scripts) etc., it's hard to get
> right and a broken solution would put users at risk.

This could be approached another way.  There could be scripts in the packaging
tools that mark a package if it does not run anything in any of the scripts
that does not come from the packaging tools.  I think many many packages would
qualify here, most packages do not touch the pre/post scripts, so the ones that
are included are generated by debhelper or whatever.

Then you could see whether a package is requesting to run its own scripts as
root, and make the call there.  A package that does not add anything to those
scripts would be pretty safe to install, at least.

.hc
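The check sketched above (flag a package whose maintainer scripts contain anything beyond debhelper-generated snippets), combined with the s-bit check from Martin's reply, as an added example that is not code from the thread. It assumes the .deb has already been split with `ar x pkg.deb` into its control.tar.* and data.tar.* members, relies on the `# Automatically added by ...` / `# End automatically added section` markers debhelper places around its snippets, and runs on constructed sample tarballs rather than a real package.

```python
# Audit a .deb without installing it, from its control.tar.* and data.tar.* members (e.g. after `ar x pkg.deb`).
import io, re, stat, tarfile
MAINT_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
AUTO_START = re.compile(r"^# Automatically added by ")  # debhelper wraps its snippets in these markers
AUTO_END = "# End automatically added section"

def custom_lines(script: str) -> list[str]:
    """Lines outside debhelper-generated blocks, ignoring shebang, comments, blanks and 'set -e'."""
    out, in_auto = [], False
    for s in map(str.strip, script.splitlines()):
        if AUTO_START.match(s) or s == AUTO_END:
            in_auto = AUTO_START.match(s) is not None
        elif not (in_auto or not s or s.startswith("#") or s == "set -e"):
            out.append(s)
    return out

def audit_control(control_tar: bytes) -> dict[str, list[str]]:
    """Map each maintainer script present in control.tar.* to its hand-written lines."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(control_tar), mode="r:*") as tf:
        for m in tf.getmembers():
            name = m.name.removeprefix("./")
            if m.isfile() and name in MAINT_SCRIPTS:
                report[name] = custom_lines(tf.extractfile(m).read().decode())
    return report

def setuid_files(data_tar: bytes) -> list[str]:
    """Paths in data.tar.* that carry the setuid or setgid bit."""
    with tarfile.open(fileobj=io.BytesIO(data_tar), mode="r:*") as tf:
        return [m.name.removeprefix("./") for m in tf.getmembers()
                if m.isfile() and m.mode & (stat.S_ISUID | stat.S_ISGID)]

def make_tar(files: dict[str, tuple[bytes, int]]) -> bytes:
    """Build a gzip tarball in memory (constructed test input, not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, (data, mode) in files.items():
            ti = tarfile.TarInfo("./" + name)
            ti.size, ti.mode = len(data), mode
            tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: postinst mixes a debhelper block with one hand-written command.
SAMPLE_CONTROL = make_tar({
    "postinst": (b"#!/bin/sh\nset -e\n# Automatically added by dh_installinit/12.1.1\n"
                 b"if [ \"$1\" = configure ]; then update-rc.d foo defaults; fi\n"
                 b"# End automatically added section\ninstall -d -o foo /var/lib/foo\n", 0o755),
    "prerm": (b"#!/bin/sh\nset -e\n", 0o755)})
SAMPLE_DATA = make_tar({"usr/bin/foo": (b"\x7fELF", 0o755),
                        "usr/bin/foo-helper": (b"\x7fELF", 0o4755)})
```

A package whose `audit_control` report is empty for every script and whose `setuid_files` list is empty is the "does not add anything to those scripts" case; anything reported is what a human should read before installing as root.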

Archive: https://lists.debian.org/9145da3f-12d4-42fc-80a3-2b918e510...@at.or.at