LinuxQuestions.org
Old 12-23-2006, 01:19 AM   #1
letitgo
Member
 
Registered: Jul 2003
Location: New Orleans
Distribution: Slackware 14.2
Posts: 116
Blog Entries: 1

Rep: Reputation: 16
autopackage security


I once read how to define ownership of a computer system. It was
"someone who has the root password."
The autopackage system automatically installs software packages
on your system.

http://autopackage.org/

While installing the "support software" for autopackage, I found
myself actually shocked that a pgm designed to connect to the
internet and then write files to my directories was asking for
my root password. This was not as part of a particular
install--the pgm asked for it so *any* installs would be easier.
What? It wants what?


No, I did not give it my root password, and yes the install I was
trying did _not_ go smoothly. Too bad. I'll compile and install
my own manually.

Look, this may be fine software, but isn't this one of the sort of
things that cause Windows such trouble? Is there really any
safe way to do this sort of thing?
I'm really happy about the amount of spyware/malware that has no
foothold in Linux...why would anyone want to open the door this wide?

I apologize for the rant...but I'm curious if the Security Forum
might have some opinions on this.

Thanks,
Lawrence
 
Old 12-23-2006, 02:26 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
An rpm package is installed as root. However, even for binary packages, you can read the script that the rpm system uses to install a package.

I don't like two things they did. One is that software not supplied by the distro should always be installed to /usr/local/ instead of /usr. Secondly, they don't sign the packages, so someone could repackage standard open source packages on their own ftp site and anyone finding it using Google could end up installing a rootkit as well. It is better if a distro that compiles a binary package from source signs its packages. That way, the distro's signature is used to validate the package, even if you downloaded it from an independent ftp site. A signature doesn't prevent a malicious developer or software company from putting out binary closed source packages of their own code, using their own signature. Remember Gator on Windows. Without signing the only way to prevent

There are packages that install programs that might impose security risks. Many music or video players for Windows will phone home when you use them. This is spyware. If such a player is also offered for Linux it might do the same thing.

I'm thinking of the media players that are on commercial DVD video disks. However, I wouldn't be surprised if Windows Media Player, Real Player, or the DivX Player do the same thing. However, the Helix (Real) Player is open source. Any media player with a web based DRM is also spyware. Steve Gibson made a similar observation from another angle on his Security Now podcast. He argued how copyright enforcement requires a lack of anonymity which is required for free speech.

Maybe I got a bit off tangent. However, any proprietary binary code that you install requires a level of trust of the source. Using Open Source software even on Windows is safer because code submitted in the open can't hide bad behavior. There was a Perl developer who submitted a library to CPAN that contained some dial home code when the library was loaded. He wasn't doing anything malicious, but it got pulled very quickly and he was blackballed from CPAN.

For the level of assurance that you seem to want, you could use SELinux or AppArmor to protect system programs and configurations. People using these would be protected against proprietary programs or libraries trying to alter protected system binaries, libraries or config files. Another option is to mount /bin and /usr readonly. (This is how some commercial servers are set up.) This is another reason why independent packages should use the /usr/local/ directory hierarchy, which can be mounted on its own rw mounted partition.

Also, because many people use SELinux and AppArmor, a program that tries to do something malicious to the system would raise the alarm for the rest of the Linux community.
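
A way to check the layout suggested in post #2 (/bin and /usr read-only, /usr/local on its own read-write filesystem), as an added example that is not part of the original post. The sample mount table is constructed, and the `POLICY` table and function names are assumptions of this example.

```python
# Constructed sample in /proc/mounts format: device, mount point, type, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /usr ext3 ro,nodev 0 0
/dev/sda3 /usr/local ext3 rw,nodev,nosuid 0 0
/dev/sda5 /home ext3 rw,nodev,nosuid 0 0
"""

# Layout from the post as (wanted mode, must be its own mount point).
# The table and its names are assumptions of this example.
POLICY = {"/bin": ("ro", False), "/usr": ("ro", False), "/usr/local": ("rw", True)}


def parse_mounts(text):
    """Return {mount_point: set_of_options}; a later line for the same point wins."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            # /proc/mounts writes a space inside a path as the escape \040
            table[fields[1].replace("\\040", " ")] = set(fields[3].split(","))
    return table


def covering_mount(path, table):
    """Longest mount point that equals path or is one of its parent directories."""
    hits = [mp for mp in table
            if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None


def audit(text, policy=POLICY):
    """Return a list of (path, covering mount, problem) for every policy violation."""
    table = parse_mounts(text)
    findings = []
    for path, (want, own_mount) in policy.items():
        mp = covering_mount(path, table)
        if mp is None:
            findings.append((path, None, "no covering mount found"))
            continue
        have = "ro" if "ro" in table[mp] else "rw"
        if have != want:
            findings.append((path, mp, f"mounted {have}, policy wants {want}"))
        if own_mount and mp != path:
            findings.append((path, mp, "not on its own filesystem"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_MOUNTS):
        print(finding)
```

On a live system, pass the contents of `/proc/mounts` to `audit()` instead of the sample. In the sample, /bin is reported because it lives on the read-write root filesystem even though /usr is read-only.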
 
Old 12-23-2006, 11:21 AM   #3
letitgo
Member
 
Registered: Jul 2003
Location: New Orleans
Distribution: Slackware 14.2
Posts: 116

Original Poster
Blog Entries: 1

Rep: Reputation: 16
jschiwal, thanks for your thoughtful reply...I suppose it was the unsupervised nature
of a program _automatically_ installing binaries as root that upset me. A binary
could change the install program itself, then what? When installing an RPM it is
still my call to go super user and proceed...not so in the automatic case. And
yes SELinux and AppArmor are an excellent way to detect bad actors once they
have acted.

Since I tend to try out a lot of software, at first glance, a read only mount
of /bin and /usr might be difficult for me. Perhaps if I change the way I test
software and mount an independent partition with an install structure, I might
feel better about this...but that seems like a lot of work to use a labor saving
device.:-)

In Slackware it is rare that I've installed an RPM or binary packages at all...I
suppose I really do like rolling my own and seeing what the developer intended..
Ah, maybe LFS is in my future :-)

Thanks,
--Lawrence
 
Old 12-24-2006, 01:36 AM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I was using rpm as an example. It seems to me that the true aim of the project is to come up with a universal installation program that developers could use to install proprietary software. Without that, software developers may not develop programs that prevents Windows users from adopting the Linux desktop.

If they added signing, that would add a level of assurance that the install program hasn't been altered. But you still need to trust the source.
 
Old 12-24-2006, 08:47 AM   #5
letitgo
Member
 
Registered: Jul 2003
Location: New Orleans
Distribution: Slackware 14.2
Posts: 116

Original Poster
Blog Entries: 1

Rep: Reputation: 16
As you mentioned in your first post, it truly is a matter of trust.
I install nearly two whole CDs full of binaries each time I upgrade Slackware. But because I trust the distribution, security isn't a
question. In terms of signing, it depends on who does the signing.
One can invent all sorts of dramatic twists to the process. Even
the Romans would ask "Who watches the watchers?" For instance,
were the FSF, for a fee, to verify a package spyware/virus free--would
that fee compromise other stands they might take? But I'm just musing.
If I had a solution sure to work I would certainly publish it.

But our discussion won't solve anyone's pressing security issue, and will, I think, rapidly veer into politics, economics, business practice, and law. Perhaps for a different forum?

You properly noted the technical solutions available in your first post.
As usual, now I must decide how much of my behavior I will alter to
be at a comfortable level of security.
 
Old 12-24-2006, 09:11 PM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
My point about signing is that if you trust the signer, then you can trust that the package wasn't altered by a 3rd party. You can download the package from any mirror without worry.
 
  

