|
Rationale
When we add a third-party apt repository to our software sources, that source can replace just about any package on our system. That strikes me as a pretty serious security risk.
For example, suppose you get the latest version of Skype by adding skype.com to your sources. Someone hacks the Skype repository and adds a malicious version of Firefox. If the compromised Firefox has a newer version number, then your system will be updated and you end up running the malicious Firefox that transmits private data to Dr. Evil.
I'm just using Skype as an example, it could equally well be mplayer, medibuntu, or John Doe. Clearly the more repositories added, the greater the chance of being compromised.
And when a repository is hacked, all the systems using that repository can be compromised.
Of course the hacker has to get hold of the package signing system too - this provides some protection. But nevertheless control of what packages can be installed should remain on our end.
Here's the key point: just because a repository is in our software sources doesn't mean it should be able to replace *any* package on our system.
|
|
Propose your solution
Attachments
No attachments.
Duplicates
Comments
|
Ssdg
wrote on the 13 Jan 09 at 09:54
|
|
|
-1 totally useless.
Why? because when you install a package, the package gains a complete access to your system via the root account. from here, it can download a package or just a binary and replace your firefox/kernel/banking management tool/passwords keeper/porn Directory/...
Once you add a new repository you're supposed to trust it, if you don't you should not install that package or complain when your system get compromised.
|
|
zoubidoo
wrote on the 13 Jan 09 at 10:26
|
|
|
@Sadg
Useless? If you think it is normal to let third parties (e.g. obscure games packagers) have full control of your system, then you don't have very high security expectations for an operating system.
Why wouldn't it be possible for third party code to be chroot'ed?
I wonder how many users realise that adding a source permits full access to private data, sensitive banking information included. A lot of people are in for some nasty surprises.
|
|
viraptor
wrote on the 13 Jan 09 at 17:26
|
|
|
It's not useless -> most reasonable repositories contain signed packages. You can verify the key needed for them on some web page.
If a random third-party is capable of injecting a package into the repository, but is not capable of signing it with the same key as the other packages, then a repository-whitelist might be a 'good enough' security measure.
|
|
zoubidoo
wrote on the 13 Jan 09 at 19:06
|
|
|
The issue of security with third party repositories is also discussed here:
https://wiki.ubuntu.com/ThirdPartyApt
@viraptor: a repository whitelist is certainly one approach.
Another approach is to use a sandbox such Plash or SysTrace for third party software.
I think it is perfectly normal to trust some package sources less than others. I'm always going to trust the official ubuntu sources more than some obscure gaming site when it comes to my banking details. An OS should definitely allow the user to implement this policy of trust.
|
|
rouge568
wrote on the 14 Jan 09 at 03:26
|
|
|
@zoubidoo
Just fyi, you can edit the "auto generated solution" so that it reflects the one you actually want. You don't have to create a whole new one.
|
|
zoubidoo
wrote on the 19 Jan 09 at 02:39
|
|
|
|
Thanks rouge. Actually I tried and it didn't save my edits so I just created another solution. This was just at the time of the switch to new brainstorm so perhaps it was some transient issue.
|
|
rouge568
wrote on the 19 Jan 09 at 02:50
|
|
|
|
Yeah, I noticed it too, so I posted a bug. It's fixed now!
|
Post your comment
|
