Old 08-12-2008, 10:39 PM
martin f krafft
 
Default What is the best way to manage 3rd party debs?

also sprach Aniruddha <mailing_list@orange.nl> [2008.08.12.1931 -0300]:
> If you don't mind I quote from your own book ^^
>
> > > checkinstall is limited in what it can do. To be precise, the
> > packages it creates can only install files, and checkinstall
> > does not care where it installs them. You can overwrite files
> > in home directories with checkinstall, among other things.
>
> I wonder what you recommend as the best way to install 3rd party
> debs (such as cedega, nero, barry)? What is a safe way to install
> them without risk of b0rking my system?

How would they break the system? What do you need to protect from?

> If it was up to me I'd install them as a local user in my home
> folder just as I do with source packages and other binaries. But
> afaik this isn't possible.

Not easily at least.

> Or are there things I should pay attention to when inspecting
> a deb file? Are there telltale signs a deb file can cause trouble?
> Thanks in advance.

Make sure to check the postinst/preinst/postrm/prerm hooks. Unpack
the binary with dpkg-deb and make sure ./DEBIAN/* files are alright.

--
.'`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, author, administrator, and user
`. `'` http://people.debian.org/~madduck - http://debiansystem.info
`- Debian - when you have better things to do than fixing systems

"brevity is the soul of wit."
-- polonius (hamlet)
"brevity is ... wit."
-- the simpsons
 
Old 08-12-2008, 10:58 PM
Aniruddha
 
Default What is the best way to manage 3rd party debs?

On Tue, 2008-08-12 at 19:39 -0300, martin f krafft wrote:
> also sprach Aniruddha <mailing_list@orange.nl> [2008.08.12.1931 -0300]:
> > If you don't mind I quote from your own book ^^
> >
> > > > checkinstall is limited in what it can do. To be precise, the
> > > packages it creates can only install files, and checkinstall
> > > does not care where it installs them. You can overwrite files
> > > in home directories with checkinstall, among other things.
> >
> > I wonder what you recommend as the best way to install 3rd party
> > debs (such as cedega, nero, barry)? What is a safe way to install
> > them without risk of b0rking my system?
>
> How would they break the system? What do you need to protect from?
I don't know how the debs are packaged; for all I know they can wreck my
system. Or are there safety features in place that prevent that
from happening?

I am trying to understand how to properly manage a Debian system. That's
why I go into such detail. If you happen to know material that I should
read in order to understand this aspect of Debian better, I'm all ears.

> > Or are there things I should pay attention to when inspecting
> > a deb file? Are there telltale signs a deb file can cause trouble?
> > Thanks in advance.
>
> Make sure to check the postinst/preinst/postrm/prerm hooks. Unpack
> the binary with dpkg-deb and make sure ./DEBIAN/* files are alright.
>

I unpacked the deb and didn't find any /DEBIAN/* files. I guess it's
time to start reading the Debian developers manual.
--
Regards,


Aniruddha



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
Old 08-12-2008, 11:05 PM
martin f krafft
 
Default What is the best way to manage 3rd party debs?

also sprach Aniruddha <mailing_list@orange.nl> [2008.08.12.1958 -0300]:
> I don't know how the debs are packaged; for all I know they can
> wreck my system. Or are there safety features in place that
> prevent that from happening?

dpkg will prevent them from overwriting files by other packages.

> I unpacked the deb and didn't find any /DEBIAN/* files. I guess It's
> time to start reading the Debian developers manual

You want dpkg-deb -e, not -x.

--
.'`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, author, administrator, and user
`. `'` http://people.debian.org/~madduck - http://debiansystem.info
`- Debian - when you have better things to do than fixing systems

perl -e 'print "The earth is a disk!\n" if ( "a" == "b" );'
(dedicated to nori)
 
Old 08-12-2008, 11:23 PM
Aniruddha
 
Default What is the best way to manage 3rd party debs?

On Tue, 2008-08-12 at 20:05 -0300, martin f krafft wrote:
> also sprach Aniruddha <mailing_list@orange.nl> [2008.08.12.1958 -0300]:
> > I don't know how the debs are packaged; for all I know they can
> > wreck my system. Or are there safety features in place that
> > prevent that from happening?
>
> dpkg will prevent them from overwriting files by other packages.
If I understand you correctly, I can install a deb from any 3rd party
provider without fear of b0rking my system. If this is true, I don't
understand why you warn against checkinstall.

(Sorry to bother you with these details but I am still trying to
understand)

>
> > I unpacked the deb and didn't find any /DEBIAN/* files. I guess It's
> > time to start reading the Debian developers manual
>
> You want dpkg-deb -e, not -x.
>

Thanks!


--
Regards,


Aniruddha



 
Old 08-12-2008, 11:36 PM
"Mumia W.."
 
Default What is the best way to manage 3rd party debs?

On 08/12/2008 03:42 PM, Aniruddha wrote:
> On Tue, 2008-08-12 at 22:49 +0300, Eugene V. Lyubimkin wrote:
> > If 3rd party deb doesn't contain 'Replaces' field, dpkg will refuse any try to break any
> > file owned by existing packages.
>
> That sounds good, but what about a deb created by checkinstall?
> According to Martin Krafft this can still seriously wreck your system?!

You can extract the .deb in a testing folder and examine its contents.
Use "dpkg -x" for this.

 
Old 08-12-2008, 11:44 PM
martin f krafft
 
Default What is the best way to manage 3rd party debs?

also sprach Aniruddha <mailing_list@orange.nl> [2008.08.12.2023 -0300]:
> If I understand you correctly, I can install a deb from any 3rd party
> provider without fear of b0rking my system. If this is true, I don't
> understand why you warn against checkinstall.

checkinstall is used to create deb files and it's broken.

If you install a third party deb, you should inspect its contents
exactly to make sure it doesn't touch files in /etc. Also check the
hooks. If there are no problems, then it's probably safe.

--
.'`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, author, administrator, and user
`. `'` http://people.debian.org/~madduck - http://debiansystem.info
`- Debian - when you have better things to do than fixing systems

"by accepting this brick through your window, you accept it as is
and agree to my disclaimer of all warranties, express or implied,
as well as disclaimers of all liability, direct, indirect,
consequential or incidental, that may arise from the installation
of this brick into your building." -- seen on irc
 
Old 08-13-2008, 12:25 AM
Joey Hess
 
Default What is the best way to manage 3rd party debs?

martin f krafft wrote:
> If you install a third party deb, you should inspect its contents
> exactly to make sure it doesn't touch files in /etc. Also check the
> hooks. If there are no problems, then it's probably safe.

Did you know that dpkg will not install /var/lib/dpkg/info/* if it's in
the package's data.tar.gz? I'm sad that I cannot give that as an example
of an attack such checks will miss, but including files in /dev/* is nearly
as much fun. /proc/acpi/sleep is an amusing file to ship in a deb too.

If you want to run arbitrary code, you need to be more sneaky. Shipping
a /root/.bashrc or /usr/local/bin/cat is too obvious, instead you can
ship a /lib/i486-linux-gnu/somelib.so. (The linker won't use it until
something else eventually runs ldconfig but this just hides that your
package is what causes the eventual breakage.)

Be sure to include some /var/run/*.pid files, with a pid of 1 of course,
so that stopping daemons causes the system to reboot. Including
a /tmp/.X11-unix/X0 will mess up the running X nicely.

BTW, including /bin/sh in a package won't work due to overwrite
checking, but you can include /usr/bin/awk and replace the symlink to
alternatives, since that symlink is not in a package. Finally,
installing a 'sl' or other typo-squatting command is always an option.

If these examples didn't make sense to someone, don't install third party
packages from untrusted sources, no matter how much checking you do.

--
see shy jo
 
Old 08-13-2008, 07:08 AM
Aniruddha
 
Default What is the best way to manage 3rd party debs?

On Tue, 2008-08-12 at 20:44 -0300, martin f krafft wrote:
> also sprach Aniruddha <mailing_list@orange.nl> [2008.08.12.2023 -0300]:
> > If I understand you correctly, I can install a deb from any 3rd party
> > provider without fear of b0rking my system. If this is true, I don't
> > understand why you warn against checkinstall.
>
> checkinstall is used to create deb files and it's broken.
>
> If you install a third party deb, you should inspect its contents
> exactly to make sure it doesn't touch files in /etc. Also check the
> hooks. If there are no problems, then it's probably safe.
>

Thanks, I'm beginning to understand now. To make it more concrete I've
written down what I think is the correct procedure to check deb files:

1) Run 'dpkg-deb -e *.deb' and read postinst, postrm, preinst, prerm to
check if it contains the sentence '/etc'.

2) Run 'dpkg-deb -x *.deb' and check if it doesn't overwrite anything in
'/etc' (or other important locations).

Is this correct? Thanks!


--
Regards,


Aniruddha



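The two-step inspection procedure above, together with the paths earlier posts in this thread warn about (/etc, /var/run pid files, /dev, /tmp/.X11-unix, /lib, /var/lib/dpkg/info), as an added example that is not from the thread: a Python checker that parses the .deb ar container and its control/data tarballs itself, so it needs no dpkg-deb, and reports what 'dpkg-deb -e' and 'dpkg-deb -c' would show plus the payload paths under those prefixes. The sample .deb it runs on is constructed in memory.

```python
import io, tarfile
# Prefixes the thread calls out: /etc, /var/run pid files, /dev, /tmp/.X11-unix, /lib, /var/lib/dpkg/info
RISKY = ("/etc/", "/var/run/", "/dev/", "/tmp/", "/lib/", "/var/lib/dpkg/")
SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

def ar_members(blob):                             # yield (name, bytes) per ar member
    assert blob[:8] == b"!<arch>\n", "not an ar archive (a .deb is one)"
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]                  # fixed-width 60-byte header
        size = int(hdr[48:58].decode().strip())
        yield hdr[:16].decode().strip(), blob[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2               # members are 2-byte aligned

def inspect_deb(blob):
    """Maintainer scripts (dpkg-deb -e), payload paths (dpkg-deb -c) and risky ones."""
    out = {"scripts": {}, "files": [], "risky": []}
    for member, data in ar_members(blob):
        if not member.startswith(("control.tar", "data.tar")):
            continue                              # skips the debian-binary member
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for m in tar.getmembers():
                path = "/" + m.name.removeprefix("./").lstrip("/")
                if member.startswith("control"):
                    if path[1:] in SCRIPTS:
                        out["scripts"][path[1:]] = tar.extractfile(m).read().decode()
                elif not m.isdir():
                    out["files"].append(path)
                    if path.startswith(RISKY):
                        out["risky"].append(path)
    # step 1 of the procedure: which hooks mention /etc at all
    out["scripts_touching_etc"] = sorted(n for n, t in out["scripts"].items() if "/etc" in t)
    return out

def build_demo_deb():                             # constructed sample, not a real package
    def tgz(files):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tar:
            for name, body in files.items():
                info = tarfile.TarInfo("./" + name)
                info.size = len(body)
                tar.addfile(info, io.BytesIO(body))
        return buf.getvalue()
    def ar(name, body):                           # one member: 60-byte header + body
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}100644  {len(body):<10}`\n"
        return hdr.encode() + body + (b"\n" if len(body) % 2 else b"")
    control = tgz({"control": b"Package: demo\n", "postinst": b"#!/bin/sh\nrm -f /etc/demo.old\n"})
    data = tgz({"usr/bin/demo": b"#!/bin/sh\necho demo\n",
                "etc/demo.conf": b"x=1\n", "var/run/demo.pid": b"1\n"})
    return (b"!<arch>\n" + ar("debian-binary", b"2.0\n")
            + ar("control.tar.gz", control) + ar("data.tar.gz", data))
```

For a real package, pass `open(path, "rb").read()` to inspect_deb; tarfile reads gzip- and xz-compressed members but not zstd-compressed ones, and the output is a list to read, not a verdict, since (as Joey Hess notes above) a path-based check cannot tell what a shipped binary does.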
 
Old 08-13-2008, 07:12 AM
Aniruddha
 
Default What is the best way to manage 3rd party debs?

On Tue, 2008-08-12 at 20:25 -0400, Joey Hess wrote:
> martin f krafft wrote:
> If these examples didn't make sense to someone, don't install third party
> packages from untrusted sources, no matter how much checking you do..
>
I'm not worried about purposeful malicious intent (otherwise I would
just use a chroot). I want to prevent an accidentally badly built deb
from wrecking my system.

--
Regards,


Aniruddha



 
Old 08-13-2008, 02:50 PM
Osamu Aoki
 
Default What is the best way to manage 3rd party debs?

On Wed, Aug 13, 2008 at 09:12:01AM +0200, Aniruddha wrote:
> On Tue, 2008-08-12 at 20:25 -0400, Joey Hess wrote:
> > martin f krafft wrote:
> > If these examples didn't make sense to someone, don't install third party
> > packages from untrusted sources, no matter how much checking you do..
> >
> I'm not worried about purposeful malicious intent (otherwise I would
> just use a chroot). I want to prevent an accidentally badly built deb
> from wrecking my system.

So far, badly created {post|pre}{inst|rm} scripts have been the source of
trouble in this respect for me, even with Debian unstable itself.

A quality check of a non-Debian package in this respect can be done
relatively simply by using mc to look into the binary package. But you
never know what the binary files do when executed unless you check
the source.

If you feel it needs to be inspected, I think it is time to rebuild it
yourself and run lintian etc. to test its compliance with Debian policy.

Regards,

Osamu

PS: Please remember that installing a package created by someone is giving
the packager full root authority over your machine.

