it prompts for elevated permissions on install; additionally, most package managers like Arch Linux's yaourt include the binary as setuid root. I discovered this bug while hacking on the defcon2018 badge.
Worth noting that it's a third-party package outside the official repositories, for people that aren't familiar with that. Lots of those unofficial packages make bad decisions, although they're just packaging the results of the installer in this case.
Sure, this is what's happening, but it's irresponsible on the distro's part. A modern distro should have a pretty absolute policy of no suids outside the core packages, or at least not in contrib packages that aren't subject to the level of review main-repo ones are.
It's a completely third party package, not one in a distribution contrib repository. Third party packages can be outright malicious and it doesn't even need to be subtle. It's a bad idea to use AUR helpers like yaourt since they encourage blindly trusting third party code.
I'd recommend using one like auracle, which simply downloads the PKGBUILD sources, and always just treating it as a starting point for making your own packages. It's user-generated third-party content, not a distribution repository. You could make an account right now and upload one.
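The workflow recommended above (fetch the PKGBUILD, review it, build it yourself) leaves one concrete check to do before `pacman -U`: does the package install anything setuid or setgid, which is exactly what the bug at the top of the thread is about? The script below is an added example, not code from the thread or from any AUR helper. It assumes you have already run `makepkg` and extracted the resulting package into a scratch directory (for instance `bsdtar -xf foo.pkg.tar.zst -C /tmp/pkgroot`); the PKGBUILD fragment and file tree it scans are constructed for the demo.

```shell
#!/bin/sh
# Added example: two pre-install checks for a third-party package.
#   audit_pkgbuild      - grep the PKGBUILD for lines that install files with
#                         a setuid/setgid numeric mode (e.g. install -Dm4755)
#                         or a symbolic chmod u+s / g+s.
#   audit_setuid_tree   - walk an extracted package tree and list every
#                         regular file that actually carries those bits.
# Both print their findings and return 1 when something was found, so they
# can gate an install step in a script.

# ERE: "install ... -Dm4755 / -m 2755" or "chmod 4755" / "chmod u+s".
# A leading 2, 4 or 6 in a four-digit mode means setgid, setuid or both.
SETUID_PATTERN='install[^|;&]*-[A-Za-z]*m[[:space:]]*0?[246][0-7]{3}([^0-7]|$)|chmod[^|;&]*([[:space:]]0?[246][0-7]{3}([^0-7]|$)|[ugoa]*[+][rwxst]*s)'

audit_pkgbuild() {
    pkgbuild="$1"
    matches=$(grep -nE "$SETUID_PATTERN" "$pkgbuild" || true)
    if [ -z "$matches" ]; then
        echo "PKGBUILD $pkgbuild: no setuid/setgid install lines found"
        return 0
    fi
    echo "PKGBUILD $pkgbuild: lines that set setuid/setgid bits:"
    printf '%s\n' "$matches" | sed 's/^/  /'
    return 1
}

audit_setuid_tree() {
    dir="$1"
    # -perm -4000 / -2000 is POSIX: "all of these bits are set".
    hits=$(find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print)
    if [ -z "$hits" ]; then
        echo "tree $dir: no setuid/setgid files"
        return 0
    fi
    echo "tree $dir: setuid/setgid files:"
    printf '%s\n' "$hits" | while IFS= read -r f; do
        mode=$(ls -ld "$f" | awk '{print $1}')
        printf '  %s %s\n' "$mode" "$f"
    done
    return 1
}

# Constructed PKGBUILD fragment for the demo (not a real AUR package).
make_sample_pkgbuild() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed PKGBUILD fragment
package() {
    install -Dm755 "$srcdir/tool" "$pkgdir/usr/bin/tool"
    install -Dm4755 "$srcdir/helper" "$pkgdir/usr/bin/helper"
    chmod u+s "$pkgdir/usr/bin/other"
}
EOF
    printf '%s' "$f"
}

# Constructed extracted-package tree for the demo: one plain binary, one
# with the setuid bit set the way a careless installer would leave it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin"
    printf '#!/bin/sh\necho plain\n' > "$root/usr/bin/plain"
    chmod 0755 "$root/usr/bin/plain"
    printf '#!/bin/sh\necho helper\n' > "$root/usr/bin/helper"
    chmod 4755 "$root/usr/bin/helper"
    printf '%s' "$root"
}

# Stand-alone demo: run both audits against the constructed samples.
demo() {
    pb=$(make_sample_pkgbuild)
    audit_pkgbuild "$pb" || true
    root=$(make_sample_tree)
    audit_setuid_tree "$root" || true
}
```

The PKGBUILD grep is a heuristic (it will not follow a mode stored in a variable, or a setuid bit baked into a tarball the package merely unpacks), which is why the second check runs on the built tree: that is the ground truth of what would land on the system, and `pacman -U` can simply be skipped when `audit_setuid_tree` returns non-zero.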
I definitely think many users end up blindly trusting the AUR even though the distribution makes it clear it's user generated content.
https://wiki.archlinux.org/index.php/Arch_User_Repository…
If someone abandoned a popular package, I expect many lazy people could be compromised by an attacker taking it over.
But I think it's reasonable to say that users do not generally know, and should not be expected to know, whether third-party package installers run poorly-vetted or unvetted code as root. The package install systems should be designed such that they can't.