Request For Candidates: Application Review Board
Rick Spencer
rick.spencer at canonical.com
Sat Aug 28 17:22:36 BST 2010
On Fri, 2010-08-27 at 21:18 -0700, Steve Langasek wrote:
> Hi Allison,
>
> On Fri, Aug 27, 2010 at 04:37:14PM -0700, Allison Randal wrote:
> > Running through the thread again today with Rick, we pulled out 5 things
> > to do immediately:
>
> > - Change Quickly templates to install in /opt by default (FHS location
> > for "Add-on application software packages"). Added Bug #625581.
> > - Define a standard set of technologies for PostReleaseApps (PRAs, to
> > save typing) to use. Quickly is the first, with more to follow as the
> > group has a chance to discuss.
> > - Allow no maintainer scripts in PRAs.
> > - Allow no /etc/cron* files in PRAs.
> > - Allow no suid/sgid, sudo, gksu, pkexec, etc in PRAs.
>
> > Apps that use restricted features get kicked from PRAP to REVU.
>
> /etc/cron* is not the only place that a package could install files that
> would result in untrusted code running as root. /etc/rc*.d, /etc/init,
> /etc/dpkg, /etc/apt,... even installing a binary that shadows the name of a
> system binary into /usr/local/bin or /usr/bin could result in privilege
> escalation. To really avoid the possibility of such a package running code
> as root, I think you have to require that it *only* ship files in /opt, and
> not include /opt directories on root's path.
>
> (Actually, the latter isn't hard at all, there's nothing today that puts /opt
> on *any* user's path... But I guess that rather needs to be implemented, in
> which case care must be taken to set the path correctly when running sudo.)
>
> If you're going to be relying on such rules to help protect the user from
> malicious packages, I strongly recommend that this be subjected to detailed
> scrutiny from and sign-off by the Ubuntu Security Team prior to deployment.
>
To me, the rules are really about helping streamline the review process,
making the packages easier to review by reducing the kinds of
functionality that require close scrutiny. As a reviewer, you don't have
to consider if an app is going to do anything damaging with a maintainer
script, because there are no maintainer scripts, for example.
In any case, I think a review by the security team is a good idea.
Cheers, Rick
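As an added example (not code from the thread or from Quickly), a small Python lint that applies the rules discussed above to a `dpkg-deb -c` style file listing plus the control archive member names: everything must live under /opt, no maintainer scripts, nothing in the root-executed locations Steve lists, and no suid/sgid bits. The sample listing, package name and `example-app` paths are constructed for illustration.

```python
"""Lint a package file listing against the PostReleaseApps rules from the thread."""
from __future__ import annotations

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
# Locations named in the thread where an installed file would run as root,
# or could shadow a system binary on root's PATH.
ROOT_PATHS = ("/etc/cron", "/etc/rc", "/etc/init", "/etc/dpkg", "/etc/apt",
              "/usr/bin/", "/usr/local/bin/", "/bin/", "/sbin/", "/usr/sbin/")


def parse_dpkg_listing(listing: str) -> list[tuple[str, str]]:
    """Turn `dpkg-deb -c` style lines into (mode, absolute path) pairs."""
    entries = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 6:                      # blank or malformed line
            continue
        mode = parts[0]
        # symlink lines end in "<path> -> <target>"; keep the package path
        path = parts[parts.index("->") - 1] if "->" in parts else parts[-1]
        if path.startswith("./"):
            path = path[1:]
        entries.append((mode, path.rstrip("/") or "/"))
    return entries


def check_pra(entries: list[tuple[str, str]], control_members: list[str]) -> list[str]:
    """Return a list of rule violations; an empty list means the package passes."""
    violations = []
    for member in control_members:
        if member in MAINTAINER_SCRIPTS:
            violations.append(f"maintainer script not allowed: {member}")
    for mode, path in entries:
        if path not in ("/", "/opt") and not path.startswith("/opt/"):
            reason = ("would run as root or shadow a system binary"
                      if path.startswith(ROOT_PATHS) else "outside /opt")
            violations.append(f"{path}: {reason}")
        # mode looks like "-rwsr-xr-x": index 3 is the setuid slot, 6 the setgid slot
        if len(mode) == 10 and mode[0] != "d" and (mode[3] in "sS" or mode[6] in "sS"):
            violations.append(f"{path}: suid/sgid bit set ({mode})")
    return violations


# Constructed sample listing in `dpkg-deb -c` format (not a real package).
SAMPLE_LISTING = """\
drwxr-xr-x root/root         0 2010-08-28 17:22 ./
drwxr-xr-x root/root         0 2010-08-28 17:22 ./opt/
drwxr-xr-x root/root         0 2010-08-28 17:22 ./opt/example-app/
-rwxr-xr-x root/root      1234 2010-08-28 17:22 ./opt/example-app/bin/example-app
-rwsr-xr-x root/root      5678 2010-08-28 17:22 ./opt/example-app/bin/helper
-rw-r--r-- root/root       120 2010-08-28 17:22 ./etc/cron.d/example-app
lrwxrwxrwx root/root         0 2010-08-28 17:22 ./usr/bin/example-app -> ../../opt/example-app/bin/example-app
"""
SAMPLE_CONTROL = ["control", "md5sums", "postinst"]   # constructed control members

if __name__ == "__main__":
    for v in check_pra(parse_dpkg_listing(SAMPLE_LISTING), SAMPLE_CONTROL):
        print(v)
```

A listing-based check cannot see what a shipped script does at run time, so the content checks (sudo, gksu, pkexec use) still need a reviewer looking at the unpacked package.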