Security leak: Public disclosure of user data without their consent by installing software via pkg
Mike Kelly
pioto at pioto.org
Fri Apr 9 01:55:31 UTC 2021
On Wed, Apr 7, 2021 at 11:37 PM Gordon Tetlow via freebsd-security
<freebsd-security at freebsd.org> wrote:
> <snip>
> > Can it be ethically acceptable to put users at risk, for example by
> > intentionally (?) not setting any limits to what extent installer
> > scripts are allowed to collect sensitive user and system data and
> > disclose them to interested third parties?
>
> This is an interesting point. Unfortunately, the technology we have gives unfettered access to the system. I'm having a hard time thinking how we could achieve the goal of installing software (which in our model requires root privileges) while also limiting what it is allowed to do on said system. I'm not aware of any other package system (rpm, deb, etc) that has technical limits on pre/post installation scripts. If you are aware of any examples, I'd love to see it to see if there is something we can incorporate. Patches, as always, are welcome to improve the system.
For what it's worth, there is some "prior art" in other package
management systems for various levels of technical restrictions:
* Gentoo's Portage uses a library called "Sandbox"[1], which uses the
LD_PRELOAD mechanism to put itself "first in line", and it intercepts
various lower level calls that way to mitigate risk.
* Exherbo's Exheres packaging format (derived from Gentoo's) has their
own sandboxing mechanisms[2] which are pretty broad in scope; I think
under the hood it's using sydbox[3], which says it's using ptrace and
seccomp to implement it (so it may be more resilient than an
LD_PRELOAD approach).
* Debian's FakeRoot[4], which seems to use a similar mechanism, but I
think this is only applied during the binary package building.
LD_PRELOAD based as well
* InstallWatch[5] for RPM; seems like this isn't as maintained, so I
can't find as many details, but again, I think this is only used
during binary package builds
That said, I think all these just help protect against accidental
missteps, not malicious intent. There's obviously a lot of implicit
trust when you're running someone else's software.
[1] https://wiki.gentoo.org/wiki/Sandbox_(Portage)
[2] https://exherbo.org/docs/eapi/exheres-for-smarties.html#sandboxing
[3] https://github.com/sydbox/sydbox-1
[4] https://wiki.debian.org/FakeRoot
[5] https://asic-linux.com.mx/~izto/checkinstall/installwatch.html
--
Mike Kelly
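To make the LD_PRELOAD interposition described in the post concrete, the following is an added example, not Portage's Sandbox, sydbox, or any code from this thread. It is a minimal "write jail" shim: built as a shared object and loaded via LD_PRELOAD, it replaces libc's open(), allows all reads, and refuses writes outside a set of prefixes. The environment variable name SANDBOX_WRITE, the colon-separated prefix list, and the default of /tmp are assumptions of this example; the forwarding to the kernel uses the Linux openat syscall directly (so the shim is Linux-only and needs no -ldl).

```c
/* Added example: LD_PRELOAD write jail (not Portage's Sandbox).
 * Build:  cc -shared -fPIC -o libwritejail.so writejail.c
 * Use:    SANDBOX_WRITE=/var/tmp/build:/tmp LD_PRELOAD=./libwritejail.so sh ./post-install.sh
 * Policy: reads always pass; writes must land under one of the prefixes in
 * SANDBOX_WRITE (assumed name), default "/tmp". */
#define _GNU_SOURCE
#undef _FORTIFY_SOURCE          /* keep glibc from inlining its own open() wrapper */
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

static int violations;                 /* blocked calls since load */
static char last_violation[4096];      /* path of the most recent blocked call */

int sandbox_violations(void) { return violations; }
const char *sandbox_last_violation(void) { return last_violation; }

/* True if path equals prefix or lies below it; "/" matches everything. */
static int under_prefix(const char *path, const char *prefix, size_t plen) {
    if (plen == 0) return 0;
    if (plen == 1 && prefix[0] == '/') return path[0] == '/';
    if (strncmp(path, prefix, plen) != 0) return 0;
    return path[plen] == '\0' || path[plen] == '/';
}

/* Policy check against an explicit colon-separated prefix list. */
int sandbox_path_allowed_in(const char *path, int flags, const char *prefixes) {
    int wants_write = (flags & O_ACCMODE) != O_RDONLY || (flags & (O_CREAT | O_TRUNC));
    if (!wants_write) return 1;
    /* Relative paths are refused: judging them needs the cwd, kept out of this example. */
    if (path == NULL || path[0] != '/') return 0;
    /* Lexical ".." traversal would defeat a prefix match, so refuse it outright.
     * Symlinks still can, which is one reason real sandboxes canonicalize. */
    size_t len = strlen(path);
    if (strstr(path, "/../") || (len >= 3 && strcmp(path + len - 3, "/..") == 0)) return 0;
    while (*prefixes) {
        const char *colon = strchr(prefixes, ':');
        size_t plen = colon ? (size_t)(colon - prefixes) : strlen(prefixes);
        if (under_prefix(path, prefixes, plen)) return 1;
        if (!colon) break;
        prefixes = colon + 1;
    }
    return 0;
}

/* Policy check using the SANDBOX_WRITE environment (assumed variable name). */
int sandbox_path_allowed(const char *path, int flags) {
    const char *env = getenv("SANDBOX_WRITE");
    return sandbox_path_allowed_in(path, flags, (env && *env) ? env : "/tmp");
}

static void record_violation(const char *path) {
    char line[4200];
    violations++;
    snprintf(last_violation, sizeof last_violation, "%s", path ? path : "(null)");
    /* write(2), not stdio: stdio could call open() and re-enter this shim. */
    int n = snprintf(line, sizeof line, "writejail: blocked write to %s\n", last_violation);
    if (n > 0) (void)write(STDERR_FILENO, line, (size_t)n);
}

#ifdef __linux__
/* The interposed symbol. With LD_PRELOAD this definition is resolved before
 * libc's, so every dynamically linked open() in the process lands here. */
int open(const char *path, int flags, ...) {
    int mode = 0;
    int needs_mode = (flags & O_CREAT) != 0;
#ifdef O_TMPFILE
    needs_mode |= (flags & O_TMPFILE) == O_TMPFILE;
#endif
    if (needs_mode) {
        va_list ap;
        va_start(ap, flags);
        mode = va_arg(ap, int);
        va_end(ap);
    }
    if (!sandbox_path_allowed(path, flags)) {
        record_violation(path);
        errno = EACCES;
        return -1;
    }
    /* Forward straight to the kernel instead of dlsym(RTLD_NEXT, "open"). */
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags, mode);
}
#endif
```

The shim only sees calls that go through the dynamic linker to libc, which is exactly why Mike's closing caveat holds: a statically linked helper, a direct syscall, a setuid binary (where the loader ignores LD_PRELOAD) or a script that simply unsets LD_PRELOAD never reaches this code. That is the gap a ptrace/seccomp design such as sydbox closes, since the kernel, not the process, enforces the policy.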