On Fri, Aug 13, 2004 at 05:26:44PM +0900, Alexander Kellett wrote:
> [ummm wish i could get send hooks to change my from addr]
> 
> anyone with a brain could get malicious code into
> any package available on the planet, be it debian

Right.
We can only make it a bit more difficult.

> or whatever. the fact that ruby is so dynamic only
> makes this problem worse. only thing that is 
> really going to stop this is a correctly sandboxed 
> installer which uses a non-root user to compile
> and run the unit tests.
> 
> even this isn't enough. but it's closer at least.
> 
> root attacks are the killer and neither rpa-base
> nor gems provide easy to use non-root installs
> at the moment.

I believe both allow non-root installs fairly easily.  Well,
RubyGems doesn't quite because the stubs are always installed in
Config::CONFIG['sitelibdir'] (so you could if you never used stubs),
but rpa-base certainly allows non-root installs, since it's the first
thing it will ask you when you install for the first time (it then asks
you for the $prefix where it should install itself + all the packages
it manages, and won't touch anything outside besides /tmp).

However, preventing direct access to root for the malicious code only
buys you time before it can leverage some local root exploit or perform
privilege escalation by sniffing all the data it can get hold of.
In other words, you cannot guarantee total security, but that doesn't
make it any less interesting an ideal goal to strive for.

I am planning to add package/port signatures soon (so that an attack
involving replacing files in the repository cannot succeed), and will
think about ways to chroot the environment managed by rpa-base.

> On Fri, Aug 13, 2004 at 01:44:33PM +0900, Richard Kilmer wrote:
> > OK...so you want to bet I can write malicious Ruby code that a QA person
> > would not find?  I mean really, QA is fine, 'this appears to work well...no
> > obvious flaws' but it is NOT security.  It's quite silly to equate the two.

You could audit some key software components, but it takes a lot of
resources.

-- 
Running Debian GNU/Linux Sid (unstable)
batsman dot geo at yahoo dot com
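
Added example, not part of the original message and not rpa-base's or RubyGems' actual design: one way package signatures can defeat the "replace a file in the repository" attack mentioned above. It assumes the maintainer signs a digest index with RSA/SHA-256 and the installer pins the public key; the key, package names and contents are constructed for the demonstration.

```ruby
require 'openssl'
require 'digest'

# Constructed sample data: a maintainer key pair and two hypothetical packages.
MAINTAINER_KEY = OpenSSL::PKey::RSA.new(2048)
PACKAGES = {
  'example-lib-1.0.pkg'  => "puts 'hello from example-lib'\n",
  'example-tool-0.3.pkg' => "puts 'hello from example-tool'\n"
}.freeze

# Maintainer side: build an index of "sha256  filename" lines and sign it once.
def build_signed_index(packages, key)
  index = packages.sort.map { |name, data| "#{Digest::SHA256.hexdigest(data)}  #{name}\n" }.join
  [index, key.sign(OpenSSL::Digest.new('SHA256'), index)]
end

# True only if the signature over the index verifies under the pinned public key.
def index_authentic?(index, signature, public_key)
  public_key.verify(OpenSSL::Digest.new('SHA256'), signature, index)
rescue OpenSSL::PKey::PKeyError
  false
end

# Installer side: the index must be authentic AND the downloaded file must
# hash to the value recorded for it in that index.
def verify_package(name, data, index, signature, public_key)
  return :bad_index_signature unless index_authentic?(index, signature, public_key)
  entry = index.lines.map(&:split).find { |_digest, file| file == name }
  return :not_in_index if entry.nil?
  entry.first == Digest::SHA256.hexdigest(data) ? :ok : :digest_mismatch
end

# Runs the three cases: untouched file, replaced file, replaced file plus
# an index rewritten to match it (but not re-signed by the maintainer).
def demo
  index, sig = build_signed_index(PACKAGES, MAINTAINER_KEY)
  pub  = MAINTAINER_KEY.public_key
  name = 'example-lib-1.0.pkg'
  replaced = "puts 'content swapped in the repository'\n"
  forged_index = index.sub(Digest::SHA256.hexdigest(PACKAGES[name]),
                           Digest::SHA256.hexdigest(replaced))
  {
    untouched:       verify_package(name, PACKAGES[name], index, sig, pub),
    file_replaced:   verify_package(name, replaced, index, sig, pub),
    index_rewritten: verify_package(name, replaced, forged_index, sig, pub)
  }
end

p demo if $PROGRAM_NAME == __FILE__
```

This only covers tampering with files in the repository; it does nothing about a maintainer who signs malicious code, which is the point Richard Kilmer raises above.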