pkgsrc-Users archive
Re: pkg_comp runs everything as root
Christian Hattemer wrote:
> dunno if tech-pkg would be more appropriate, but for starters here it is.
> I've finally looked into pkg_comp and it looks indeed nice for experimenting
> with pkgsrc or building binary pkgs.
> However I feel a bit uncomfortable about running everything as root. I
> remember distfiles that got a malicious configure inserted. There's still
> the distfile checksum, but the modification might get overlooked by the
> developer doing the update.
The best thing to do here is to use systrace to restrict the system
calls that are available to root during the build and install of a
package. The work to integrate this into pkgsrc is not hard, but nobody
has stepped forward to implement this yet. Ideally, you should be able
to define PKGSRC_USE_SYSTRACE in /etc/mk.conf and a systrace policy
would be applied when running "make".
> However an even more effective place for such tampering should be an
> install script which runs as root anyway. Then the unprivileged build
> wouldn't help.
The INSTALL/DEINSTALL scripts are not provided by a 3rd party, but by
pkgsrc itself, though they may occasionally call utilities installed by
the package. Even here, using systrace would help, though I believe
that in the end, you'll just have to audit the INSTALL scripts in pkgsrc
to verify that they are not doing anything destructive or deceptive.
Please take a look at pkgsrc/mk/install, which is the home of the
pkginstall framework used by most of the packages, and which provides a
common implementation of a small set of actions that may occur during
installation or deinstallation.
> Well, it's inside a chroot, so there shouldn't be much permanent damage, but
> backdoor daemons could still run until a reboot.
Backdoor daemons can largely be prevented by, again, the proper use of
systrace to deny the socket() system call.
Cheers,
-- Johnny Lam <jlam%pkgsrc.org@localhost>
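An added illustration of the systrace approach discussed above (confining writes during the build and denying socket() so a tampered configure script cannot open a backdoor): a hand-written systrace policy for make. It is not part of pkgsrc or of the suggested PKGSRC_USE_SYSTRACE integration; the pkgsrc tree path and the chosen rule set are assumptions.

```systrace
Policy: /usr/bin/make, Emulation: native
	# Reads are unrestricted: the build needs headers, libraries and distfiles.
	native-fsread: permit
	# Writes are confined to the package work directories under the assumed
	# pkgsrc tree and to /tmp; any other write fails with EPERM.
	native-fswrite: filename match "/usr/pkgsrc/*/*/work/*" then permit
	native-fswrite: filename match "/tmp/*" then permit
	native-fswrite: deny[eperm]
	# No network from the build: socket() and connect() fail with EACCES,
	# which is what stops a build-time backdoor daemon from listening.
	native-socket: deny[eacces]
	native-connect: deny[eacces]
	# Process control that a build legitimately needs.
	native-fork: permit
	native-execve: permit
```

Saved as usr_bin_make in a policy directory and run with `systrace -a -i -d <policydir> make` (all assumed here: -a enforces without prompting, -i makes child processes such as the compiler inherit this policy), the restrictions apply to the whole build tree of processes rather than to make alone.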