[pacman-dev] makepkg security
This continues a thread on arch-general. Thomas Bächler wrote:
I agree. The question is not about makepkg security, but about sudo security. And frankly, sudo is a security disaster in its default configuration.
Any suggestions for changing / shipping a better default config file? I know little about the security implications of this, but I think we should ship a decent default if possible.
Our policy is usually to ship whatever upstream ships. IMO, a good default would be to set sudo to require the root password (not the user password) and not cache any passwords at all.
Also, I think instead of using sudo in makepkg, we should use su by default (with an option to enable sudo). su always has a good default configuration requiring the root password (it's also possible to set it to allow password-less su in the pam configuration, but everyone who does that is crazy anyway).
The original complaint was that when using makepkg -sic, the sudo password is cached after dependency installation and malicious sudo commands might be executed during build() as the password is cached. My opinion on this is that we should not encourage people to use sudo. Aaron suggested moving it here for further discussion. What do you think?
On Fri 10 Jul 2009 17:25 +0200, Thomas Bächler wrote:
> The original complaint was that when using makepkg -sic, the sudo password is cached after dependency installation and malicious sudo commands might be executed during build() as the password is cached.
> My opinion on this is that we should not encourage people to use sudo. Aaron suggested moving it here for further discussion. What do you think?
Actually I think syncdeps and install should be removed from makepkg, just as builddeps was. Then sudo can be completely removed from makepkg. People may complain though.
Loui Chang wrote:
> On Fri 10 Jul 2009 17:25 +0200, Thomas Bächler wrote:
>> The original complaint was that when using makepkg -sic, the sudo password is cached after dependency installation and malicious sudo commands might be executed during build() as the password is cached.
>> My opinion on this is that we should not encourage people to use sudo. Aaron suggested moving it here for further discussion. What do you think?
> Actually I think syncdeps and install should be removed from makepkg, just as builddeps was. Then sudo can be completely removed from makepkg. People may complain though.
And I would be one of them as removing syncdeps would make building in a clean chroot an absolute pain in the arse.
Anyway, as far as removing sudo usage goes... I haven't thought much about this, but my initial opinion is that people who are concerned about sudo can set it up the way they like, e.g. no password caching and use of root password, which would make sudo essentially an alias for "su -c".
So I really think this is a non issue. If someone does not like sudo, do not install it and use "pacman -S --asdep" yourself to install the needed deps. Makepkg gives you the option, but no-one is forcing you to use it.
I would consider a patch that allows the user to configure whether they use "sudo" or "su -c".
Allan
On Fri, Jul 10, 2009 at 11:11 AM, Allan McRae <allan@archlinux.org> wrote:
> Loui Chang wrote:
>> On Fri 10 Jul 2009 17:25 +0200, Thomas Bächler wrote:
>>> The original complaint was that when using makepkg -sic, the sudo password is cached after dependency installation and malicious sudo commands might be executed during build() as the password is cached.
>>> My opinion on this is that we should not encourage people to use sudo. Aaron suggested moving it here for further discussion. What do you think?
>> Actually I think syncdeps and install should be removed from makepkg, just as builddeps was. Then sudo can be completely removed from makepkg. People may complain though.
> And I would be one of them as removing syncdeps would make building in a clean chroot an absolute pain in the arse.
> Anyway, as far as removing sudo usage goes... I haven't thought much about this, but my initial opinion is that people who are concerned about sudo can set it up the way they like, e.g. no password caching and use of root password, which would make sudo essentially an alias for "su -c".
> So I really think this is a non issue. If someone does not like sudo, do not install it and use "pacman -S --asdep" yourself to install the needed deps. Makepkg gives you the option, but no-one is forcing you to use it.
> I would consider a patch that allows the user to configure whether they use "sudo" or "su -c".
I don't use the option much myself, but yeah, I think removing it would be a bit rough for some. I would also take a patch for the manpage offering some more stern words about what using these options can mean.
Keep in mind we've done a few things with sudo and makepkg in the past (in reverse chrono order):
http://projects.archlinux.org/?p=pacman.git;a=commitdiff;h=f827c9572e9c8a21d...
http://projects.archlinux.org/?p=pacman.git;a=commitdiff;h=fb10e0c797b649dc0...
http://projects.archlinux.org/?p=pacman.git;a=commitdiff;h=b6d991cf7b3f3227d...
http://projects.archlinux.org/?p=pacman.git;a=commitdiff;h=f6d97da70dfde16f2...
-Dan
> The original complaint was that when using makepkg -sic, the sudo password is cached after dependency installation and malicious sudo commands might be executed during build() as the password is cached.
> My opinion on this is that we should not encourage people to use sudo. Aaron suggested moving it here for further discussion. What do you think?
Couldn't you just add an option to kill sudo after dependency installation?
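The two mitigations raised in this thread, letting the user choose "su -c" instead of sudo and invalidating the cached sudo credential right after the dependency install, worked through in shell. This is an added example written for this page, not code from makepkg or pacman; MAKEPKG_AUTH is a hypothetical variable name chosen here, and the sample invocation in the trailing comment is constructed.

```shell
#!/bin/bash
# Added example, not makepkg/pacman code. Shows how a makepkg-style helper
# could (a) let the user pick su instead of sudo and (b) when sudo is used,
# kill the cached credential as soon as the privileged step is done, so
# that nothing run later from build() can ride on the cached timestamp.
# MAKEPKG_AUTH is a hypothetical variable name; makepkg has no such option.

# Quote each argument in single quotes so that "su -c" receives it verbatim
# (su -c takes one string, unlike sudo, which takes an argument vector).
shquote() {
    local out='' a q
    for a in "$@"; do
        q=$(printf '%s' "$a" | sed "s/'/'\\\\''/g")
        out="$out '$q'"
    done
    printf '%s' "${out# }"
}

# Print, one word per line, exactly what run_as_root would execute for the
# given mechanism (sudo|su). Kept separate from execution so the command
# line can be inspected or tested without root.
escalation_cmdline() {
    local mech=$1; shift
    case "$mech" in
        sudo) printf '%s\n' sudo -- "$@" ;;
        su)   printf '%s\n' su root -c "$(shquote "$@")" ;;
        *)    printf 'unknown escalation mechanism: %s\n' "$mech" >&2; return 2 ;;
    esac
}

# Run "$@" as root with the configured mechanism, then drop any credential
# cache it created. su asks for the root password every time and caches
# nothing. sudo caches the user's password for timestamp_timeout minutes
# (5 by default), which is the window the original complaint is about, so
# "sudo -k" invalidates that timestamp immediately after the command.
run_as_root() {
    local mech=${MAKEPKG_AUTH:-sudo} rc
    case "$mech" in
        sudo)
            sudo -- "$@"
            rc=$?
            sudo -k   # later sudo calls, including any from build(), must re-authenticate
            return "$rc"
            ;;
        su)
            su root -c "$(shquote "$@")"
            ;;
        *)
            printf 'unknown escalation mechanism: %s\n' "$mech" >&2
            return 2
            ;;
    esac
}

# Constructed example invocation, in place of makepkg's own sudo call:
#   MAKEPKG_AUTH=su run_as_root pacman -S --asdeps zlib
```

The script-side `sudo -k` only closes the cache window that makepkg itself opens; the system-wide equivalent of Thomas's proposal is `Defaults timestamp_timeout=0` (no caching at all) and `Defaults rootpw` (ask for the root password) in sudoers. Neither protects against a malicious build() that simply waits for the user's next legitimate sudo invocation, so the chroot-based workflow Allan mentions remains the stronger control.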
participants (5)
- Allan McRae
- Dan McGee
- Loui Chang
- Thomas Bächler
- Xyne