
Thread: Ubuntu what if questionable repository..

  1. #21
    Join Date
    Aug 2013
    Beans
    336

    Re: Ubuntu what if questionable repository..

    Originally Posted by Irihapeti
    Part of the "always secure" thing is semantics. A "virus" is one quite specific way for a system to become infected, which is rare/difficult on Linux. It's not a synonym for malware in general. There are other ways for a system to become harmed which can happen quite easily.

    For example, a few years ago, there were some theme packages uploaded to a popular website. The uploader had tampered with the postinstall script (I think it was) to include a command to wipe the entire system. Which is what happened to one or two unfortunate people. So, yes, it can happen.

    Personally, I feel that the "no PPAs" rule is too rigid. It's a matter of judgment. I will install some PPAs and not others. For example, if the PPA is managed by the developer (e.g. on Launchpad), then I tend not to worry. But I won't blindly install just any PPA.
    Was this post-install script run manually by the user (with root permissions) or automatically by the package manager? I ask because I always thought that one of the reasons for a package manager versus self-executing installers was that even though it does follow 'instructions' from the package, it can refuse to do things such as, for example, removing the whole root directory or overwriting another package's file. Also the package manager keeps a log of what it did so it can completely remove any files that were installed (while a self-installing program could omit some files it wants hidden). But if it also runs arbitrary scripts provided by the package then that can't hold true.

  2. #22
    Join Date
    Jul 2007
    Location
    Tāmaki Makau-rau, NZ
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Ubuntu what if questionable repository..

    Many deb packages have pre/post-install scripts to perform setup and configuration tasks. They are run automatically as part of the installation process, so once you've entered the password to allow the package to install, the scripts can do anything.

    In this case, the malicious uploader had edited one of the scripts to include a command that would remove everything from the drive. So, once the user had issued the password to install, the script did its dastardly deed.

    It's actually not hard to look at the scripts in a deb package with an ordinary unarchiving tool or a package such as gdebi, if you're concerned about such things. I managed to get hold of a copy of one of these maliciously-altered packages and had it on an encrypted partition for a while - purely out of morbid curiosity, or perhaps as an Exhibit A in case I came across one of those "Linux is totally secure" people in real life. I do remember showing it to my son, who used Ubuntu for a couple of years.
    BACKUPS are unsexy — until you discover you should have done one yesterday.
    Spare your nerves and do one before you upgrade or install.
