[ale] malicious make scripts

Bob Toxen bob at verysecurelinux.com
Thu Dec 5 15:40:31 EST 2002


On Wed, Dec 04, 2002 at 08:55:08PM -0800, Kevin Krum wrote:
> --- John Wells <jb at sourceillustrated.com> wrote:
> > Has there ever been a case of someone being bitten
> > by a malicious make script?

> Yes, I've heard of project mirrors getting cracked and
> distributing trojaned make files that build and
> install backdoors.  Always check your MD5s and sigs...
> and don't compile as root unless you must!

Is the MD5 sig posted on the same system that might be compromised?  If so,
it too is worthless.  If the GPG private key is on the same system then
the sig too could be compromised.

Besides checking the MD5 and sig, I recommend:

1. Never build as root; use an expendable account.
2. As this unprivileged user, do "make -n install" to see what Make
   "would do" without actually doing it.  (While the Make script *could*
   check if it's being run as root and do different things, the -n will
   cause all of these checks to be shown as it lists each command that
   it "would do".)
3. Download from several different sites, if possible, and compare.  It's
   less likely that all of them would be compromised.
4. After downloading, wait a week or so before building and installing.
   After this week has passed, check the web site and security lists to see
   if there's mention of the site having been compromised.  If not then
   proceed with the install.

... yes, I talk about this in the book.

Bob
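The mirror comparison and the "make -n install" review from the list above, as an added shell example that is not part of the post or of any project; the mirror files, the dry-run listing and the /usr/local prefix are constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the list post): two of the checks described above,
# as shell functions run by an unprivileged user before any "make install".

# compare_mirrors FILE1 FILE2...: succeed only if every copy, fetched from a
# different mirror, is byte-for-byte identical to the first one.
compare_mirrors() {
    first=$1; shift
    for copy in "$@"; do
        cmp -s "$first" "$copy" || { echo "MISMATCH: $copy" >&2; return 1; }
    done
}

# audit_dry_run PREFIX < dry-run.txt: read the output of "make -n install"
# and print every command that writes outside PREFIX or installs a
# setuid/setgid binary ("-m 4755"). Exit status 1 when anything was flagged.
# The first word of each line (the command itself) is not treated as a path.
audit_dry_run() {
    awk -v prefix="$1" '
    {
        bad = 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^\// && $i != prefix && index($i, prefix "/") != 1) bad = 1
            if ($i == "-m" && $(i + 1) ~ /^[24][0-7][0-7][0-7]$/) bad = 1
        }
        if (bad) { print "SUSPECT: " $0; n++ }
    }
    END { exit (n > 0) }'
}

# Constructed sample data standing in for real downloads and a real dry run.
work=$(mktemp -d)
printf 'pretend tarball' > "$work/mirror1.tar.gz"
printf 'pretend tarball' > "$work/mirror2.tar.gz"
printf 'pretend tarball, altered' > "$work/mirror3.tar.gz"
cat > "$work/dry-run.txt" <<'EOF'
mkdir -p /usr/local/bin
install -m 755 foo /usr/local/bin/foo
install -m 4755 helper /usr/local/bin/helper
cp extras/site.conf /etc/site.conf
EOF

if compare_mirrors "$work/mirror1.tar.gz" "$work/mirror2.tar.gz" "$work/mirror3.tar.gz"; then
    echo "all mirrors agree"
fi
if audit_dry_run /usr/local < "$work/dry-run.txt"; then
    echo "dry run stays inside /usr/local"
else
    echo "review the SUSPECT lines before installing"
fi
```

A real review still needs a human to read the flagged lines, since a legitimate package may install outside its prefix on purpose.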
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale