[ubuntu-hardened] synaptic

John Richard Moser nigelenki at comcast.net
Mon Jan 16 04:26:59 GMT 2006


Peter Pun wrote:
> Hi,
> 
> Does Synaptic authenticate all packages? Or are only packages named
> "something-ubuntu" authenticated? Does it use gpg and md5?
> 

Another question, synaptic gets the gpg key file from the server (uh!)
while doing the apt-get update.  Can't the repo just replace the GPG key?

We have several possible scenarios here:

trusted repo --> download gpgkey -> authenticate -> install pkg
             |-> no gpgkey -> fail to authenticate --> install pkg
                                                    |-> cancel install
untrusted repo --> download gpgkey -> authenticate -> install pkg
               |-> no gpgkey -> fail to authenticate --> install pkg
                                                     |-> cancel install

In either case, the package can be authenticated or not; the user is not
involved in caring about the GPG key.  If it's not authenticated, it can
still be installed, if the user explicitly agrees to it; this could
happen if the user downloads a random .deb from sourceforge.  If the
user adds a repo suggested on a forum or Web site, however,
authentication can be automated by the repo maintainer.

This means we have room for automatic authentication of malicious
repositories.  If a repo is added that has been compromised (or you DNS
poison the user to see archive.ubuntu.com at your server), or that is
simply malicious, the packages can be easily authenticated via the GPG
key in the repo.  This is not security, it's handwaving.

Further, there is no room for the end user to quickly audit the activities
of the packager.  They are practically untraceable (debugger, strace, not
user friendly) and beyond any analysis at the application level (even a
wrapper like Gentoo libsandbox can be defeated with a script that brings
its own syscall() function).

Pre-install and post-install scripts, as well as configuration scripts
and the other 6 things that dpkg runs, are BASH SCRIPTS RUN AS ROOT.
Trivial example, install Blackdown JRE and when prompted for the license
agreement say "no."  You will need to re-install Ubuntu to ever install
Blackdown JRE; the package fails to install and leaves extraneous data
on the system.  This could in theory be accompanied by installing a
rootkit if so inclined (or spyware, viruses, etc).

So I may answer your question with another question:  Why do you care?

> Peter
> 

-- 
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

    Creative brains are a valuable, limited resource. They shouldn't be
    wasted on re-inventing the wheel when there are so many fascinating
    new problems waiting out there.
                                                 -- Eric Steven Raymond

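The mail's central objection is that a key fetched from the same server that serves the packages proves nothing about who runs that server: a DNS-poisoned or simply malicious repository signs its own packages with its own key and they "authenticate" just fine. The following model, added here and not part of the original thread or of Synaptic/apt, contrasts that flow with one that only accepts a served key whose fingerprint matches one obtained out of band (for example, a keyring shipped on the install media). Lamport one-time signatures built on SHA-256 stand in for GPG so the script runs with the standard library alone; the `Repo` class, the repository names and the Release contents are all constructed for the example.

```python
"""Model of the trust question in the thread: when the archive key comes from
the same server as the packages, verifying signatures with that key proves
nothing about who runs the server.  Constructed example, not Synaptic/apt code.
Lamport one-time signatures (SHA-256, stdlib only) stand in for GPG; the Repo
class, repository names and Release texts are hypothetical."""
import hashlib
import hmac
import secrets


def sha256(data):
    return hashlib.sha256(data).digest()


def lamport_keygen():
    """256 pairs of random secrets; the public key is their SHA-256 images."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def message_bits(msg):
    digest = sha256(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg):
    """Reveal, for each digest bit, the secret of the matching pair (one-time use)."""
    return [sk[i][bit] for i, bit in enumerate(message_bits(msg))]


def lamport_verify(pk, msg, sig):
    """Each revealed secret must hash to the public-key entry the digest bit selects."""
    if len(sig) != 256:
        return False
    return all(hmac.compare_digest(sha256(sig[i]), pk[i][bit])
               for i, bit in enumerate(message_bits(msg)))


def fingerprint(pk):
    """Stand-in for a GPG key fingerprint: hash of the whole public key."""
    return hashlib.sha256(b"".join(h for pair in pk for h in pair)).hexdigest()


class Repo:
    """A repository that serves its own key alongside a signed Release file."""
    def __init__(self, name, release_text):
        self.name = name
        self.sk, self.pk = lamport_keygen()
        self.release = release_text.encode()
        self.release_sig = lamport_sign(self.sk, self.release)

    def serve_key(self):
        return self.pk

    def serve_release(self):
        return self.release, self.release_sig


def verify_trusting_served_key(repo):
    """The flow the mail objects to: key and packages come from one server."""
    release, sig = repo.serve_release()
    return lamport_verify(repo.serve_key(), release, sig)


def verify_with_pinned_fingerprint(repo, pinned):
    """Accept the served key only if its fingerprint was learned out of band."""
    served_fp = fingerprint(repo.serve_key())
    if not any(hmac.compare_digest(served_fp, fp) for fp in pinned):
        return False
    release, sig = repo.serve_release()
    return lamport_verify(repo.serve_key(), release, sig)


def tampered_copy(repo, new_release_text):
    """On-path modification: real key and real signature, edited Release."""
    copy = Repo.__new__(Repo)
    copy.name, copy.sk, copy.pk = repo.name + " (modified)", None, repo.pk
    copy.release, copy.release_sig = new_release_text.encode(), repo.release_sig
    return copy


def demo():
    # Constructed repositories: the real archive and an impostor answering for it.
    legit = Repo("archive.example", "Suite: dapper\nComponents: main")
    rogue = Repo("archive.example (DNS-poisoned)", "Suite: dapper\nComponents: main")
    pins = [fingerprint(legit.serve_key())]  # learned out of band, not from the repo
    return {
        "legit_served_key": verify_trusting_served_key(legit),
        "rogue_served_key": verify_trusting_served_key(rogue),  # True: the flaw
        "legit_pinned": verify_with_pinned_fingerprint(legit, pins),
        "rogue_pinned": verify_with_pinned_fingerprint(rogue, pins),
        "tampered_pinned": verify_with_pinned_fingerprint(
            tampered_copy(legit, "Suite: dapper\nComponents: main contrib"), pins),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18} -> {'accepted' if ok else 'rejected'}")
```

Running it shows the rogue repository accepted by the served-key check and rejected once the fingerprint is pinned, while a modified Release under the genuine key still fails signature verification. The point generalises beyond this toy scheme: with GPG or any other signature system, the check is only as strong as the channel through which the verifying key was first obtained.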