Subject: Re: pkg_comp runs everything as root
To: Christian Hattemer <firstname.lastname@example.org>
From: Johnny Lam <email@example.com>
Date: 04/24/2006 12:09:09
Christian Hattemer wrote:
> dunno if tech-pkg would be more appropriate, but for starters here it is.
> I've finally looked into pkg_comp and it looks indeed nice for experimenting
> with pkgsrc or building binary pkgs.
> However I feel a bit uncomfortable about running everything as root. I
> remember distfiles that got a malicious configure inserted. There's still
> the distfile checksum, but the modification might get overlooked by the
> developer doing the update.
The best thing to do here is to use systrace to restrict the system
calls that are available to root during the build and install of a
package. The work to integrate this into pkgsrc is not hard, but nobody
has stepped forward to implement this yet. Ideally, you should be able
to define PKGSRC_USE_SYSTRACE in /etc/mk.conf and a systrace policy
would be applied when running "make".
> However an even more effective place for such tampering should be an
> install script which runs as root anyway. Then the unprivileged build
> wouldn't help.
The INSTALL/DEINSTALL scripts are not provided by a 3rd party, but by
pkgsrc itself, though they may occasionally call utilities installed by
the package. Even here, using systrace would help, though I believe
that in the end, you'll just have to audit the INSTALL scripts in pkgsrc
to verify that they are not doing anything destructive or deceptive.
Please take a look at pkgsrc/mk/install, which is the home of the
pkginstall framework used by most of the packages, and which provides a
common implementation of a small set of actions that may occur during
installation or deinstallation.
> Well, it's inside a chroot, so there shouldn't be much permanent damage, but
> backdoor daemons could still run until a reboot.
Backdoor daemons can largely be prevented by, again, the proper use of
systrace to deny the socket() system call.
-- Johnny Lam <firstname.lastname@example.org>