Convenient way to check AUR PKGBUILD against malicious code?
As is well known, one should take care when installing packages from the AUR, because the PKGBUILD may not do what you expect and may be malicious. For this reason, my workflow for installing and updating packages from the AUR is the following (using yaourt):
Check the PKGBUILD:
- Does the
source=(...)
part only contain URLs from the expected source? - Quickly scan the
package(){...}
part if it only does the usual install/copy operations
I assume that using this procedure is as safe as downloading the software from the source and install it manually. Note that I am not talking about whether the software to be installed is safe itself, I want to consider the additional security issues of a package.
The questions are:
- Is this as safe as I assume? Are there other places (in the PKGBUILD or elsewhere) where an attack could be placed?
- It is very inconvenient to check the whole PKGBUILD at every update of the package. In most cases, only version numbers or URLs are changed. Is there a tool or simple way to present/highlight the differences from the last PKGBUILD?
- Is there a tool that supports the user with checking PKGBUILD files?
Solution 1:
Questions answer
Is this as safe as I assume? Are there other places (in the PKGBUILD or elsewhere) where an attack could be placed?
As long as you trust the software, it's safe for you. If there's no software editor, what you're doing is the minimum according to [Arch Wiki] because you don't really check the source code of the downloaded source(s) where malicious code can be inputted.
To quote the wiki:
Warning: Carefully check all files. Carefully check the
PKGBUILD
and any.install
file for malicious commands. PKGBUILDs are bash scripts containing functions to be executed bymakepkg
: these functions can contain any valid commands or Bash syntax, so it is totally possible for aPKGBUILD
to contain dangerous commands through malice or ignorance on the part of the author. Sincemakepkg
uses fakeroot (and should never be run as root), there is some level of protection but you should never count on it. If in doubt, do not build the package and seek advice on the forums or mailing list.
It is very inconvenient to check the whole PKGBUILD at every update of the package. In most cases, only version numbers or URLs are changed. Is there a tool or simple way to present/highlight the differences from the last PKGBUILD?
It's never inconvenient to check the whole PKGBUILD
at every update because:
Weird bugs can do bad things.
AUR include Git so you can check changes made into an AUR repository from https://aur.archlinux.org/cgit/aur.git/log/?h=yourPackageNameHere
.
Is there a tool that supports the user with checking PKGBUILD files?
At the time I write this, there is no tool for that but let see what will the future be!
Detection/Avoid of malicious
Please consider the following as not complete and open to modifications.
You can't really check a PKGBUILD without an extensive audit of the code and observe it in action from out of the box for example with the help of using a virtual machine.
There is no tool and no automated way to find malicious packages but you can (not should) avoid malicious code with the help of the following.
- Download the package and its source, unpack it but don't install it.
- Run a virus check on the unpacked/source files. This will help you find some known problems or hacks.
- Before using it, install it into a virtual machine and check that it doesn't do anything wrong like touching a file it should not or for example communicating with servers. The use of a rootkit detector should automate the detection of such things.
- Install it in a restricted environment such as SELinux, chroot jail, virtual machine, separate machines...