Monday, May 22, 2017

security - Is there any guarantee that software from Launchpad PPAs is free from viruses and backdoor threats?



As Linux continues to grow and develop, and the more we use Linux, the greater the threat from viruses.



We also know that a virus/threat in Linux (if any) would have difficulty running or spreading when it is running as a normal user, but it is a different story if the virus/threat is running as the root user.




An example of this danger would be if a virus is tucked inside a PPA (intentionally or unintentionally) or if an application has an intentionally planted backdoor (e.g., pidgin could secretly send passwords to a particular address).



If we add software from a Launchpad PPA, is there any guarantee that software is from free viruses/backdoor threats?



Every package's install script has root access to your system, so the mere act of adding a PPA or installing a package from one is an implicit statement of trust on your part of the PPA owner.



So, what happens if your trust is misplaced and a PPA owner wants to be naughty?



In order to upload to a PPA, a package must be signed by a GPG key unique to the launchpad user (indeed, the same key they signed the code of conduct with). So in the case of a known malicious PPA we would simply ban the account and shut down the PPA (affected systems would still be compromised, but there's no good way fix them at that point anyway).




To some extent Launchpad's social features can be used as a bit of a preventative measure of bad users -- someone who has a history of contributing to Ubuntu and some established Launchpad karma, for instance, is less likely to be setting up a trap PPA.



Or what if someone gains control of a PPA that isn't theirs?



Well, this is a bit tougher of a threat scenario, but also less likely since it requires an attacker getting both the launchpad users's private key file (generally only on their computer) as well as the unlock code for it (generally a strong password not used for anything else). If this happens, though, it's usually fairly simple for someone to figure out their account has been compromised (Launchpad will for instance email them about the packages they're not uploading), and the cleanup procedure would be the same.



So, in sum, PPAs are a possible vector for malicious software, but there are probably much easier methods for attackers to come after you.


No comments:

Post a Comment

11.10 - Can't boot from USB after installing Ubuntu

I bought a Samsung series 5 notebook and a very strange thing happened: I installed Ubuntu 11.10 from a usb pen drive but when I restarted (...