Request For Candidates: Application Review Board
Steve Langasek
steve.langasek at ubuntu.com
Sat Aug 28 05:18:59 BST 2010
Hi Allison,
On Fri, Aug 27, 2010 at 04:37:14PM -0700, Allison Randal wrote:
> Running through the thread again today with Rick, we pulled out 5 things
> to do immediately:
> - Change Quickly templates to install in /opt by default (FHS location
> for "Add-on application software packages"). Added Bug #625581.
> - Define a standard set of technologies for PostReleaseApps (PRAs, to
> save typing) to use. Quickly is the first, with more to follow as the
> group has a chance to discuss.
> - Allow no maintainer scripts in PRAs.
> - Allow no /etc/cron* files in PRAs.
> - Allow no suid/sgid, sudo, gksu, pkexec, etc in PRAs.
> Apps that use restricted features get kicked from PRAP to REVU.
/etc/cron* is not the only place that a package could install files that
would result in untrusted code running as root. /etc/rc*.d, /etc/init,
/etc/dpkg, /etc/apt,... even installing a binary that shadows the name of a
system binary into /usr/local/bin or /usr/bin could result in privilege
escalation. To really avoid the possibility of such a package running code
as root, I think you have to require that it *only* ship files in /opt, and
not include /opt directories on root's path.
(Actually, the latter isn't hard at all, there's nothing today that puts /opt
on *any* user's path... But I guess that rather needs to be implemented, in
which case care must be taken to set the path correctly when running sudo.)
If you're going to be relying on such rules to help protect the user from
malicious packages, I strongly recommend that this be subjected to detailed
scrutiny from and sign-off by the Ubuntu Security Team prior to deployment.
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
Ubuntu Developer                 http://www.debian.org/
slangasek at ubuntu.com          vorlon at debian.org
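An added example (not part of the thread or of any Ubuntu tooling) of the kind of review check the mail argues for: it parses a `dpkg-deb -c` listing plus the control-archive member names and flags maintainer scripts, setuid/setgid bits, anything shipped outside /opt, and the root-run or system-binary locations Steve lists. The listing and member names are constructed sample input; the pattern list and function names are this example's own choices.

```python
import fnmatch

# Maintainer scripts that dpkg executes as root at install/upgrade/removal time.
MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}
# Places named in the mail where a shipped file runs as root automatically or
# shadows a system binary (glob patterns over the absolute path; assumed list).
ROOT_RUN_PATTERNS = ["/etc/cron*", "/etc/rc*.d/*", "/etc/init/*", "/etc/dpkg/*",
                     "/etc/apt/*", "/usr/local/bin/*", "/usr/bin/*", "/usr/sbin/*",
                     "/bin/*", "/sbin/*"]

def parse_listing(listing):
    """Turn `dpkg-deb -c` (tar -tv style) output into (mode, absolute path) pairs."""
    entries = []
    for line in listing.splitlines():
        fields = line.split(None, 5)          # mode owner size date time name
        if len(fields) < 6:
            continue
        name = fields[5].split(" -> ")[0]     # drop a symlink's target
        entries.append((fields[0], "/" + name.lstrip("./")))
    return entries

def review_pra(listing, control_members):
    """Return policy findings for a PostReleaseApp package; empty list means clean."""
    findings = []
    for script in sorted(MAINTAINER_SCRIPTS & set(control_members)):
        findings.append(f"maintainer script present: {script}")
    for mode, path in parse_listing(listing):
        if mode[0] == "d":                    # directory entries carry no code
            continue
        if mode[3] in "sS" or mode[6] in "sS":
            findings.append(f"setuid/setgid bit: {mode} {path}")
        if not path.startswith("/opt/"):
            findings.append(f"file outside /opt: {path}")
        for pat in ROOT_RUN_PATTERNS:
            if fnmatch.fnmatch(path, pat):
                findings.append(f"root-run or system-binary location ({pat}): {path}")
                break
    return findings

# Constructed sample: a cron job, a symlink shadowing /usr/bin/ls, a setuid
# helper and a postinst script. Expect six findings.
SAMPLE_LISTING = """\
drwxr-xr-x root/root         0 2010-08-27 16:37 ./
drwxr-xr-x root/root         0 2010-08-27 16:37 ./opt/hello/bin/
-rwxr-xr-x root/root      1200 2010-08-27 16:37 ./opt/hello/bin/hello
-rw-r--r-- root/root        60 2010-08-27 16:37 ./etc/cron.d/hello
lrwxrwxrwx root/root         0 2010-08-27 16:37 ./usr/bin/ls -> /opt/hello/bin/hello
-rwsr-xr-x root/root      4000 2010-08-27 16:37 ./opt/hello/bin/helper
"""
SAMPLE_CONTROL = ["control", "md5sums", "postinst"]
```

Calling `review_pra(SAMPLE_LISTING, SAMPLE_CONTROL)` reports the postinst, the cron file (twice: outside /opt and in a root-run location), the shadowing symlink (likewise twice) and the setuid helper.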