Security of Pybuilds
Currently Portmod is built around executing trusted code from a remote repository, however there are a couple of ways that untrusted code could be executed instead.
- Someone could gain access to the repo and modify pybuilds to include malicious code. This is unlikely, but possible (see here)
- Someone could set up a third party repository that includes malicious code or, as in 1, gain access to a third party repository and add malicious code. Users may believe the repository is benign.
While these two issues will always be a concern, the primary way of preventing them from compromising user systems would be to ensure that pybuilds cannot under any circumstances have a malicious effect on a system. The best way to do this would be to execute within a sandboxed environment of some sort, with Portmod code providing this environment with input sources, and extracting the resulting installation files from the environment when it's done.
Unfortunately this is non-trivial. We need sandboxing of two types:
File System Sandboxing
Prevents malicious code from writing to the filesystem outside of their designated temporary directory.
- Create a portmod user who is only granted privileges on the desired directory. This cannot be done in a cross-platform manner (though it should be possible on non-Unix) and would require the portmod process to have elevated privileges (currently, we've been operating under the assumption that we're always a user process).
- PyPy sandboxing. Not actively maintained and probably not a good option. It also heavily restricts the modules available for use.
- RestrictedPython. Similarly to PyPy sandboxing, heavily restricts the code that can be executed, though you have more control over the code/modules you allow to be used. I'm not sure if it can restrict filesystem access to certain directories, though you could probably use this to restrict language features and then allow filesystem access only through functions that restrict access to a certain directory.
Prevents malicious code from scanning your system and uploading compromising information (banking, credit card, etc.) to a remote server. Without network access, potentially malicious code can have read access to the entire system without being able to do anything nasty.
- Implement using a proxy, forcing all network access during the execution of the pybuild to go through the proxy. E.g. https://github.com/Anorov/PySocks
- Use RestrictedPython or PyPy sandboxing as above and remove access to networking modules entirely.
Note that this is labelled confidential to prevent bad actors from getting ideas until this is implemented.