Michel Schinz <Michel.Schinz@epfl.ch> writes:
Hi!
> This could be added, but I first need to be convinced that this is
> indeed necessary, which I'm not really right now :-).
Is it that much work to separate the two steps? Ok, I'll try to
explain it a little better:
>> This is both a potential security hazard (because the system
>> administrator has to inspect everything that happens in the build
>> phase to determine if the package can be trusted and not only the
>> install steps, which means the risk for malicious actions to remain
>> unnoticed is much higher)
>
> I don't really buy this, for two reasons:
>
> 1. Nothing forces you to perform installation as root.
That is true. I can install it into ~/stow/ or somewhere else for
example. But this will mean either I am the only person using the
software, or everybody else who wants to use my installation will have
to trust me.
But I was talking about system wide installation on a multi-user
system, where not necessarily every user knows every other user.
Doing a preliminary install as non-root and then copying the files
over as root is just a workaround for the missing separate build
phase.
One important ingredient of file-, network- and application-security
on a unix-like system (and probably all others, too) is the principle
of least privilege. A process should only have root (or any elevated)
privilege if it absolutely needs to. Applications are installed as
root because the root user (the system administrator) should (!) be
trustworthy (because it is the one account that users are actually
*forced* to trust), and this way no other user is able to modify the
(trusted) files.
> 2. If you are really worried about malicious code, then you should
> read the *whole* makefile, *and* the whole source code of the
> program anyway, because even as somebody else than root it can do
> nasty stuff.
This kind of all-or-nothing generalisation doesn't apply, either here
or to any other security consideration. There is no absolute security.
Only an unpowered (unusable) system is absolutely secure.
Every step that is done as root could potentially screw up the whole
system, so the administrator is well advised to take caution and
perform only the necessary steps as root. Every step done as user will
only screw up your account, and thus is able to do a lot less damage
(provided there's a working backup system and the system itself
remains uncompromised).
In this sense, the more you adhere to the principle of least
privilege, the more secure you are. The only step that needs to be
done as root with most packages is system-wide installation (or
modification) of files.
Thus separation of the build and install phases of the package manager
makes it more secure.
I hope I made the point clear.
>> and an inconvenience, since it conflicts with existing packaging
>> systems (e.g. bkhl pointed out that he couldn't separate the compile
>> phase and the install phase for a debian package that way).
Uhm, sorry, I mixed that one up a little. So it was the FBSD port.
Kind regards
--
Friedel
'Let's settle this once and for all, shall we?' said Cohen. He stood
up. 'Hands up those who'd rather die than have me as Emperor.'
-- Terry Pratchett "Interesting Times"
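A minimal illustration of the two-phase scheme argued for above, added here as an example; it is not code from the thread or from any package manager discussed in it. The build and the staged install run as the ordinary user, the staged tree is audited, and only the final copy into the prefix runs as root. The package, its GNU-style `make install DESTDIR=...` target, the `/usr/local` prefix and the constructed sample trees are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from any package manager it
# discusses. Two-phase install: everything up to and including a staged
# install into DESTDIR runs as an ordinary user; the staged tree is then
# audited; only the final copy into PREFIX runs as root. The package layout,
# the GNU-style "make install DESTDIR=..." convention and the /usr/local
# prefix are assumptions for the demo.

# Phase 1 (unprivileged): build and stage. Assumes the package honours
# DESTDIR, as GNU-style makefiles do; anything it tries to write outside
# DESTDIR fails for a non-root user anyway.
stage_install() {
    pkgdir=$1; destdir=$2
    ( cd "$pkgdir" && make && make install DESTDIR="$destdir" )
}

# Audit the staged tree before anything runs as root. Returns 0 only if every
# entry is inside PREFIX (or is an ancestor directory of it, e.g. /usr), is a
# plain file or directory (a symlink could redirect the root copy elsewhere)
# and carries no setuid/setgid bit. Offending paths are printed.
audit_stage() {
    destdir=$1; prefix=$2; bad=0
    list=$(mktemp)
    find "$destdir" -mindepth 1 > "$list"
    while IFS= read -r p; do
        rel=${p#"$destdir"}
        case "$rel" in
            "$prefix"|"$prefix"/*) ;;           # inside the prefix
            *) case "$prefix" in
                   "$rel"/*) ;;                 # ancestor of the prefix
                   *) echo "outside prefix: $rel"; bad=1 ;;
               esac ;;
        esac
        if [ -L "$p" ]; then
            echo "symlink: $rel"; bad=1
        elif [ ! -f "$p" ] && [ ! -d "$p" ]; then
            echo "special file: $rel"; bad=1
        elif [ -u "$p" ] || [ -g "$p" ]; then
            echo "setuid/setgid: $rel"; bad=1
        fi
    done < "$list"
    rm -f "$list"
    return "$bad"
}

# Phase 2 (root): the one privileged step. Refuses unless the audit passed.
install_stage() {
    destdir=$1; prefix=$2
    audit_stage "$destdir" "$prefix" || { echo "audit failed, not installing" >&2; return 1; }
    cp -R "$destdir$prefix/." "$prefix/"
}

# Constructed sample DESTDIR trees for the demo (no real package involved).
#   clean   - files only under /usr/local
#   tainted - also drops a cron job outside the prefix and a setuid helper
make_sample_stage() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/local/bin" "$d/usr/local/share/doc/hello"
    printf '#!/bin/sh\necho hello\n' > "$d/usr/local/bin/hello"
    chmod 755 "$d/usr/local/bin/hello"
    echo "hello 1.0" > "$d/usr/local/share/doc/hello/README"
    if [ "$1" = tainted ]; then
        mkdir -p "$d/etc/cron.d"
        echo '* * * * * root /usr/local/bin/hello' > "$d/etc/cron.d/hello"
        cp "$d/usr/local/bin/hello" "$d/usr/local/bin/helper"
        chmod u+s "$d/usr/local/bin/helper"
    fi
    echo "$d"
}

# Run "sh two-phase.sh demo" to see the audit accept the clean tree and
# reject the tainted one.
if [ "${1-}" = demo ]; then
    for kind in clean tainted; do
        d=$(make_sample_stage "$kind")
        if audit_stage "$d" /usr/local; then
            echo "$kind: safe to hand to root"
        else
            echo "$kind: rejected"
        fi
        rm -rf "$d"
    done
fi
```

In use, `stage_install` and `audit_stage` are run as the unprivileged build user, and only `install_stage` is invoked under `sudo` (or from a root shell) with the same DESTDIR and prefix. The point of the audit is that what the administrator has to read before the privileged step is a list of files and their modes rather than the whole makefile; the checks here are deliberately simple, and a real wrapper would also compare the staged tree against the package's declared file list.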