On 17.05.2014 22:08, Bardur Arantsson wrote:
On 2014-05-17 21:50, Roland Tapken wrote:
Hi Bardur,
Maybe I've missed something reading through this thread, but *assuming* (yeah, I know) that packages can't run arbitrary scripts at install time (which I think is a valid assumption for pacman),
Is this so? I don't know since I've only scratched the surface of arch until now. But I'm not quite sure about this, since, for example, there must be a way to add new users like http after installing apache. How should this be done without a post-install-script?
I always thought that "this package needs users X,Y and Z" was handled via some metadata in the package description, not via scripts per se. Maybe I'm wrong on that too.
Such things are handled via install scripts[0], called by pacman when (un)installing/upgrading packages... and yes, packagers can put arbitrary code in there. (postfix example[1])
Of course an attacker can still (via the build executables) delete all the files you actually care about ($HOME) or install trojans into your $HOME/bin (etc.), but still... If you discover such a compromise you'd "only" have to delete your $HOME and restore from backup[0], whereas a root compromise would require a full reinstall of everything.
Even if your assumption about pacman is correct: Just let the malicious PKGBUILD write a file into /etc/cron.d/, /etc/systemd or something like that and you're doomed. No need for privilege escalation.
Ah, yes. True, of course. I knew I'd missed something! :)
Regards,
[0] https://wiki.archlinux.org/index.php/PKGBUILD#install
[1] https://projects.archlinux.org/svntogit/packages.git/tree/trunk/install?h=pa...
Cheers
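Added example, not part of the original thread: a pre-install review helper that checks a built package for the two things discussed above, an install scriptlet (stored by makepkg as `.INSTALL`) and files dropped into cron or systemd directories. The prefix list, function names and sample package are constructed for illustration, and the archive is assumed to use a compression that Python's `tarfile` can read.

```python
import io
import tarfile

# Package-relative paths that cron or systemd act on as root with no install
# scriptlet involved. Constructed for this example; not an exhaustive list.
AUTORUN_PREFIXES = (
    "etc/cron.d/", "etc/cron.daily/", "etc/cron.hourly/",
    "etc/systemd/system/", "usr/lib/systemd/system/",
)

def audit_package(fileobj):
    """Return (scriptlet_source_or_None, sorted list of autorun paths)."""
    scriptlet, autorun = None, []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            name = member.name[2:] if member.name.startswith("./") else member.name
            if name == ".INSTALL" and member.isfile():
                # makepkg stores the PKGBUILD's install= file under this name
                scriptlet = tar.extractfile(member).read().decode("utf-8", "replace")
            elif not member.isdir() and name.startswith(AUTORUN_PREFIXES):
                autorun.append(name)
    return scriptlet, sorted(autorun)

def build_sample_package(with_scriptlet=True):
    """Build a constructed in-memory package for the demo (not a real one)."""
    files = [
        (".PKGINFO", b"pkgname = demo\n"),
        ("usr/bin/demo", b"#!/bin/sh\necho demo\n"),
        ("etc/cron.d/demo", b"* * * * * root /usr/bin/demo\n"),
    ]
    if with_scriptlet:
        files.append((".INSTALL", b"post_install() {\n  useradd -r demo\n}\n"))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    source, autorun_files = audit_package(build_sample_package())
    print("install scriptlet present:", source is not None)
    if source:
        print(source)
    print("files in autorun directories:", autorun_files)
```

The second case in the sample builder (`with_scriptlet=False`) shows that a package with no scriptlet at all is still flagged when it ships a cron file.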