PPA's: the main security Achilles' heel?

Post by Pjotr » Wed Mar 02, 2016 4:34 pm

In his February monthly news, Clem has expressed concerns about the potential security risk of PPA's:
http://blog.linuxmint.com/?p=3007

Key quote:
"A malicious PPA archive could affect Ubuntu and Linux Mint users, it could offer legitimate packages for months and then suddenly spread malware that would be immediately accepted by thousands of users."

I think he's right. It's all the more serious because many people are used to adding PPA's almost unthinkingly. So the question is: how can this potential risk be mitigated?

I don't think reactive measures like installing antivirus can help here. While they undoubtedly have a "feel good" value, their practical (real life) value is close to zero or even negative (they're attack vectors of their own).

My opinion is, that it would be good if more critical scrutiny and attention would be given to heightening the security of PPA's on Launchpad. What extra security checks can be added in order to prevent malware being uploaded to a PPA? And what will those extra checks mean for us users, both in added security and in loss of usability? Could Linux Mint talk about this with Canonical?

Furthermore, no less important: how can we raise awareness among Linux Mint users, that they should be critical and restrictive about the PPA's they want to add?

Your thoughts are welcome. :)
Last edited by Pjotr on Wed Mar 02, 2016 6:52 pm, edited 2 times in total.
Tip: 10 things to do after installing Linux Mint 19.1 Tessa
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Post by cholq » Wed Mar 02, 2016 6:08 pm

Pjotr wrote:how can we raise awareness among Linux Mint users, that they should be critical and restrictive about the PPA's they want to add?
I think the only way you can reach most (but not all) users is through the MintUpdate software itself. Posts on the blog or forum will only get the attention of users who are here regularly. There are a lot of users out there who install Mint but never or rarely go to the blog or forum. The only interaction some people have with the Mint community is when they log onto their PC and use the system and software.

So, the least intrusive things I can think of are potential new features to the Mint Updater.

1) you could add a new column to show "Source Trustworthiness". It could be something similar in appearance to the current "level" column. Mint, Debian and Ubuntu repos would be marked as fully trusted. PPAs could be marked with some sort of "proceed with caution" message or symbol.

2) another alternative would be to make the user "check" a sort of waiver type checkbox the first time mintupdate detects changes being installed from a PPA. Display something simple about understanding the risks associated with PPAs and then a link to a more detailed page if they wanted to actually read about what those risks are.

Neither solution would prevent people from using a malicious PPA. But if your goal is to increase awareness, these could help. And neither option would cause too much extra work for people who really do understand PPAs and the risks involved. I realize that this would fall 100% on the shoulders of Clem and the developers, but realistically, anybody who spends any amount of time on the forum has heard a number of people giving warnings about the dangers of PPAs already. Other than continuing to give those warnings, I don't know that there is a lot else that non-developers can do.

Post by Cosmo. » Wed Mar 02, 2016 6:36 pm

Pjotr wrote:So the question is: how can this potential risk be mitigated?
Not at all.

PPAs do exist just as downloads do exist. If the user wants the one or other, he will do this. The only option would be to do as the prayer in the desert; whether somebody listens to you is beyond your influence.

Saying that there is also to say, that not every PPA is to be evaluated equally; in other words, the risks of 2 different PPAs are probably very different.
Take as example the PPA Oracle itself provides for VirtualBox. Assuming that their servers do not get hacked - no server can be given a 100 % guarantee against that - and that Oracle did not make a major fault in their software, this PPA is supposedly as safe as the official repository. Although this PPA is not an official Mint / Ubuntu repository, it is an official Oracle repository.

This means, you cannot set every PPA equal to each other in regard of Clem's blog.

What theoretically could be imagined would be a kind of audit for PPAs. I doubt that this is practically doable and I don't know who would be ready to do so. As all PPAs, which are applicable for the Main edition, are at the end for the Ubuntu OS (at least those that I know), this would most likely have to be done by Canonical. I don't think that they will do this and if they would they could also add the audited software into their own repository.

So at the end:
You can tell users to be careful by using PPA, as you can tell them to be careful with mail-attachments or with clicking every link they find, and so on, but there your options are at the end.

Regarding Clem's blog: I am not really sure, how to understand this passage. The respective paragraph starts with gufw and it ends with gufw and in the middle come remarks about 3rd party software and scanners; I don't understand this relationship. He wrote that he will look into that, but I don't understand this in the sense, that he has already a doable plan.

What I could imagine in regard of sources, which at first offer for months legitimate packages and then suddenly spread malware, is a further distinction in the update manager, if an offered package comes from an official repository or from a private one. Right now it is near to impossible for the user to tell this from inside the update manager.
If this brings much without the above mentioned, but unlikely audit is the question, but it could be an option.

Quite another idea in regard of what cholq wrote about users who don't regularly (or at all) read blogs and posts:
The update manager could get an enhancement, which shows in case a message by the notification system of Mint, where the user could directly click a link to go to the blog. If this would already exist, the mass-email we have got a few days ago would not have been necessary. So it would have saved the team much work for sending those mails without the risk that they get filtered out at the receiver side as spam. And also the problem, killer de bug reported here, would not exist.
BTW - and don't forget, that questions about security do not start and do not end with questions about PPA - such an enhancement could also be used to give the user with an outdated system a message that he has to upgrade his system in the next weeks or months. Of course this cannot help for the still existing Mint 16 and below systems, but it could be useful in the next year for Mint 13 systems, if this would be implemented.
Of course there should be an option in the system settings or in the update manager settings to not show such message - some users don't feel comfortable with that.
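
Added example, not part of any post in this thread and not the update manager's own code: one way to get the official/private distinction proposed above (and cholq's "Source Trustworthiness" column) is to read `apt-cache policy` output, find which repository the candidate version comes from, and flag a PPA or other third-party candidate that shadows a package an official repository also carries. The function names, the host lists and the sample output are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed host lists, not from the thread: adjust to the mirrors you use.
OFFICIAL_HOSTS = ("archive.ubuntu.com", "security.ubuntu.com", "packages.linuxmint.com")
PPA_HOSTS = ("ppa.launchpad.net", "ppa.launchpadcontent.net")

# Constructed sample of `apt-cache policy gimp bash` output (not real data).
SAMPLE_POLICY = """\
gimp:
  Installed: 2.8.16-1ubuntu1
  Candidate: 2.8.22-0example1
  Version table:
     2.8.22-0example1 500
        500 http://ppa.launchpad.net/example-owner/gimp/ubuntu xenial/main amd64 Packages
 *** 2.8.16-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
bash:
  Installed: 4.3-14ubuntu1.2
  Candidate: 4.3-14ubuntu1.2
  Version table:
 *** 4.3-14ubuntu1.2 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
"""

SOURCE_RE = re.compile(r"^\s+-?\d+\s+(\S+://\S+|/\S+)")          # "500 http://..."
VERSION_RE = re.compile(r"^\s+(?:\*\*\*\s+)?(\S+)\s+-?\d+\s*$")  # "*** 1.0 500"
PKG_RE = re.compile(r"^(\S+):\s*$")                              # "gimp:"

def classify(location):
    """Map a repository URL or local path to a trust class."""
    host = urlparse(location).hostname or ""
    if not host:
        return "local"        # e.g. /var/lib/dpkg/status
    if host in PPA_HOSTS:
        return "ppa"
    if any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS):
        return "official"     # also matches country mirrors
    return "third-party"

def parse_policy(text):
    """Return {package: {"candidate": str, "versions": {version: [locations]}}}."""
    pkgs, pkg, ver = {}, None, None
    for line in text.splitlines():
        if (m := PKG_RE.match(line)):
            pkg, ver = pkgs.setdefault(m.group(1), {"candidate": None, "versions": {}}), None
        elif pkg is None or line.strip().startswith(("Installed:", "Version table:")):
            continue
        elif line.strip().startswith("Candidate:"):
            pkg["candidate"] = line.split(":", 1)[1].strip()
        elif (m := SOURCE_RE.match(line)) and ver is not None:
            pkg["versions"][ver].append(m.group(1))
        elif (m := VERSION_RE.match(line)):
            ver = m.group(1)
            pkg["versions"].setdefault(ver, [])
    return pkgs

def review(text):
    """Rows of (package, candidate version, candidate origin, shadows_official)."""
    rows = []
    for name, info in parse_policy(text).items():
        kinds = {v: {classify(loc) for loc in locs}
                 for v, locs in info["versions"].items()}
        cand = kinds.get(info["candidate"], set())
        origin = next((k for k in ("ppa", "third-party", "official", "local")
                       if k in cand), "unknown")
        shadows = origin in ("ppa", "third-party") and any("official" in k for k in kinds.values())
        rows.append((name, info["candidate"], origin, shadows))
    return rows
```

On a live system, pass `review()` the text printed by `apt-cache policy` followed by the package names the update manager is offering.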

Post by all41 » Wed Mar 02, 2016 6:40 pm

I see many forum threads advising non-repository software solutions to new users, and even posting sudo commands for adding the ppa's. This teaches new users to add ppas in a willy-nilly fashion--having never seen cautionary statements regarding the possible risks.

Post by kyphi » Wed Mar 02, 2016 6:42 pm

You raise some very interesting and valid points Pjotr.

The reasons for using a PPA I see as twofold:

1. To get the latest available software.
2. To get a programme not available from the official repos.

PPAs on Launchpad are marked "untrusted" and I doubt that there is a desire to impose further safeguards. Actively maintained PPAs are currently the responsibility of their authors and are protected by authentication keys.
PPAs not actively maintained should be deleted after installing the programme.

Possible solutions:

1. More timely upgrades of the Linux Mint Software repositories to incorporate more recent software versions (a common complaint) or a notification that upgraded software is being tested by the Linux Mint Team and will be released soon (no-one wants to be kept in the dark).
2. Configure the Update Manager to deactivate installed PPAs after (say) 30 days. They could even be deactivated after initial use - unless the user needs updates.
3. Re-educate users, particularly recent migrants from Windows that compulsive upgrading is not necessary.

Final thought - there is no advancement without taking risks.
Linux Mint 19.1 Cinnamon - 64bit

Post by Penn » Wed Mar 02, 2016 7:29 pm

kyphi wrote:You raise some very interesting and valid points Pjotr.

The reasons for using a PPA I see as twofold:

1. To get the latest available software.
2. To get a programme not available from the official repos.


PPAs on Launchpad are marked "untrusted" and I doubt that there is a desire to impose further safeguards. Actively maintained PPAs are currently the responsibility of their authors and are protected by authentication keys.
PPAs not actively maintained should be deleted after installing the programme.

Possible solutions:

1. More timely upgrades of the Linux Mint Software repositories to incorporate more recent software versions (a common complaint) or a notification that upgraded software is being tested by the Linux Mint Team and will be released soon (no-one wants to be kept in the dark).
2. Configure the Update Manager to deactivate installed PPAs after (say) 30 days. They could even be deactivated after initial use - unless the user needs updates.
3. Re-educate users, particularly recent migrants from Windows that compulsive upgrading is not necessary.

Final thought - there is no advancement without taking risks.
You and I view things mostly the same.

I do agree those are the 2 main reasons why knowledgeable people still use them. Of course there is the point made by all41 that people frequently see the advice of others to install through PPA and the less knowledgeable people just do as they are advised. I can think of multiple situations where using PPA's without understanding them has caused people issues on this board, usually either due to them uninstalling the app or the PPA changing causing the user to see errors from the update manager.

So maybe more responsible usage of advice given. By responsible I don't mean scare people away from PPA's but to make sure they fully understand them. If you disable PPA's and there is a security update, well are you really making things safer? Make sure people know BOTH sides of PPA usage, benefits and possible issues.

More timely upgrades in the repositories would be the biggest help (along with expanding them). I just looked at my PPA's and I have installed using 5 but had previously disabled 2 and just decided to disable a third. Risk mitigation. I decided the most recent disabled PPA (actually removal) is fine because the Mint repos now have the most recent version which had a feature necessary for my system to work with the app. The other 2 are disabled because I consider them low likelihood for security updates. The 2 remaining, I believe, are trustworthy repositories and if new features are added for one of them I don't want to miss that.

So I guess the main point I disagree with is automatically deactivating the PPA's. Some way of educating people for them to decide on their own.

Post by jepo » Wed Mar 02, 2016 8:10 pm

A big problem with PPAs is that even experienced users sometimes don't seem to be aware of the situation.
I don't know how often I read statements like 'you have to be careful with PPAs' or 'personally I'm very careful about which PPAs I use' or 'you better check PPAs twice' or 'I'd only use very popular PPAs'.

There is nothing you can be careful about. You're downloading compiled binaries and you allow them to be automatically updated. How many people are using the same PPA is totally irrelevant. If you take 'a closer look' it's totally irrelevant. There simply is no guarantee whatsoever that a PPA doesn't get hacked or on purpose suddenly rolls out an update with some lines of code compiled which shouldn't be there and which can have disastrous consequences.

Despite that, it's the most common thing on earth for most people to add PPAs left and right and recommend to use them by throwing in one liners in a forum post and tell a newbie to copy paste it into his terminal.

So yes, it is a problem but I don't really know a solution for it. Maybe recognizing that it is a problem is automatically the first step towards a solution and I believe we aren't even there yet.

I thought about how compiling source code somehow became an almost forgotten craft if you look at the entire user base of Linux today. On the other hand having a lot of software installed which doesn't get automatically updated also isn't exactly a paradigm for security.

Post by Cosmo. » Wed Mar 02, 2016 8:32 pm

In my understanding this thread is not about the technical problems, a PPA may give, but about the possible security risk introduced by them. We should not mix both aspects here.

Post by nhra1ss » Wed Mar 02, 2016 9:51 pm

all41 wrote: I see many forum threads advising non-repository software solutions to new users, and even posting sudo commands for adding the ppa's. This teaches new users to add ppas in a willy-nilly fashion--having never seen cautionary statements regarding the possible risks.
I am guilty of this as I tried a few programs by ppa in terminal (media servers) but uninstalled them because I didn't quite understand how to use them. Yes, willy-nilly. Going forward, read more and use Software Manager as much as possible. I know I have a lot to learn yet. Go slow, read, learn and ask questions if unsure.
HP Elitebook 6930p running Linux Mint 17.3 Cinnamon 64 bit

Post by Pjotr » Thu Mar 03, 2016 5:36 am

Thanks for your replies so far. They were all useful. :)

For clarification: the primary aim of my thread is to call attention to the possibility of bad people intentionally uploading malware to a PPA, and how to mitigate that risk.

Post by LinuxJim » Thu Mar 03, 2016 6:05 am

Ubuntu and Mint have PPAs, Arch and Manjaro have AUR, Fedora and Red Hat have COPR and rpm-fusion...

The security problem discussed here is a problem for the Linux community at large, and IMO should be addressed as such.

Mint is at a disadvantage in trying to solve this alone, being a derivative of both Ubuntu and Debian. It inherits much of its security policies from two separate groups, with different goals, and then adds a third layer of its own.

While there are hundreds of Linux distributions, there are really only a very small number of 'feeders' from which these distributions are derived (I can think of 5) - I believe it is up to the 'feeders' to get together and collectively look at the issue of securely managing how 'add on' repositories are handled.

Post by BigEasy » Thu Mar 03, 2016 8:05 am

Pjotr wrote: Key quote:
"A malicious PPA archive could affect Ubuntu and Linux Mint users, it could offer legitimate packages for months and then suddenly spread malware that would be immediately accepted by thousands of users."

Yes, PPAs could affect users. So, official point of view should be: "using PPA is your own responsibility, not Linux Mint's". It must be written with big red colored font at forum homepage. There is very little to do something else.

P.S. I can say more: a malicious DEB could affect Ubuntu and Linux Mint users, a malicious program compiled from malicious source could affect Ubuntu and Linux Mint users as well.
What we have to do with that? Nothing.
Windows assumes I'm stupid but Linux demands proof of it

Post by InkKnife » Sun Apr 10, 2016 12:09 pm

I have a couple of PPA added to my Mint for two pieces of software I want to have the latest of: GIMP and Eye of GNOME (Gthumb). The PPA in question are run by reputable, long time contributors to the FOSS community.
For me that is the best policy, know who you are dealing with. There are many PPA I would recommend without reservation because I know they are maintained by reputable developers. I have run across PPA from outfits I do not know and who seemed to be if not sketchy they lack much reputation online and I avoid those.
Due diligence is required certainly but PPA are a resource that is very important for us and provides the flexibility so one can run a stable OS like Mint while being able to stay up to date on particular software that might be important to a user.
i7 3770, 12GB of ram, 256GB SSD, 64GB SSD, 750GB HDD, 1TB HDD, Cinnamon.

Post by Cosmo. » Sun Apr 10, 2016 4:33 pm

InkKnife wrote:Eye of GNOME (Gthumb)
Sidenote: Eye of Gnome (eog) and gthumb are 2 different programs.

Post by InkKnife » Sun Apr 10, 2016 11:55 pm

Cosmo. wrote:
InkKnife wrote:Eye of GNOME (Gthumb)
Sidenote: Eye of Gnome (eog) and gthumb are 2 different programs.
Gah! Of course you are right, I don't know what I was thinking. Early posting with too little coffee. :oops:

Post by glitchathon » Mon Apr 11, 2016 3:26 pm

What I always did was after using a PPA, I would disable it in Synaptic, and only once every couple months, re-check them and look for updates and know exactly which packages to look for. Is this a generally safer way to go? My thought was that if a PPA got hacked and some critical system packages got put up there, I would not want to automatically update them without knowing the source.

Post by Cosmo. » Mon Apr 11, 2016 4:42 pm

glitchathon wrote:Is this a generally safer way to go?
Only marginally. At first Mint does no automatic updates; the only automatism is to look for available updates. But the real point is, that even with your method you cannot really tell, if the update is legitimate or not without looking into the sources.

Post by thom_A » Thu Apr 14, 2016 11:57 am

I use Grub Customizer ever since I discovered it about more than a year now. All of my PCs are on multi-boot system. Just recently it's included in the update list. I wondered what the update was all about. I googled and didn't find any mention of the update.

Post by fraxinus_63 » Fri Apr 15, 2016 8:30 am

I think the concerns raised by the original post are very valid, and that PPAs could be a major attack vector against the *buntu family of distros in particular if Linux gains more market share in future.

I do use PPAs, but with caution. This partly reflects laziness. My laptop runs Mint 17.2 but my main PC (and my wife's too) are both still running Mint 13 - because it works flawlessly for us and is still supported. To get up-to-date versions of LibreOffice, Inkscape and Scribus I have enabled the relevant PPAs; also Trinity, which allows me access to a few old KDE3 bits and pieces that I find useful.

However, I regard these as pretty reputable sources. It is not the same at all if people are encouraged to paste a command into a terminal to access a bit of software that they may know very little about - either the product or the people producing it! As the original post says, awareness-raising is key.

Post by all41 » Fri Apr 15, 2016 9:14 am

Another concern regarding ppa's--how secure is the hosting server?
Has it been compromised?
Naivety is the major threat
