IgnorantGuru's Blog

Linux software, news, and tips

Script: paccheck


IMPORTANT NOTE: Paccheck is no longer maintained by IgnorantGuru. The last version produced by IgnorantGuru was paccheck version 0.8.12 (which only works with pacman versions prior to 3.5 due to minor changes in the Arch database format).
MY RECOMMENDATION: Be careful with Arch Linux if you need a reasonably secure system.
In my conversations with the primary Arch Linux devs, I found them to disregard users’ security and concerns, and I found that there was a concerted effort to hide relevant security problems from users. The Arch devs consider the distro more like a toy used for experimentation.

The paccheck usage information and installation instructions below are outdated – they apply to the old version 0.8.12 and may not fully apply to newer versions. For the latest information on paccheck, see the Arch Forum Thread.


Download Links: No longer maintained here – See note above
Description: Compares Arch Linux pacman sync and package cache to multiple mirrors to help detect compromised mirrors
Recommended For: Arch Linux
Tested On: Arch Linux
Current Version: No longer maintained here – See note above
Requires: curl wget sudo
Related: blackpac
License: GNU GPL v3     * SEE DISCLAIMER *
Discussion: Arch Forum, LinuxQuestions Forum, Archbang Forum


Overview

paccheck downloads Arch Linux pacman sync database files from multiple mirrors and compares them against pacman’s sync and package cache in an attempt to detect a compromised mirror.

Rationale: Because packages on Arch Linux's distribution mirrors are currently unsigned, pacman has no way of detecting when files on a mirror have been tampered with: the MD5 sum it checks is fetched from the same mirror as the package, so a mirror that replaces both goes unnoticed. Arch has over 150 mirrors around the world; they run assorted operating systems and server software, hundreds of people have access to them, and any of them may be misconfigured or compromised, so an Arch user has no way to evaluate the security of a given mirror. For example, if you use the mirror at ftp.tku.edu.tw, you are downloading your Arch updates from an Apache FTP server running on an Ubuntu machine, so your system becomes exposed to security problems in that Ubuntu installation or to misconfigurations of that server.

paccheck helps to reduce this risk by comparing the mirrors you choose against your pacman sync. It first runs sudo pacman to sync the databases and download the packages due for update on your system (installing nothing). It then downloads the sync database files from every mirror you selected and compares them to your local sync files. If a mirror's database does not match, it scans your package cache and compares the desc file of each cached package against that mirror's copy, and reports any difference to you. (A desc file carries the MD5 sum and size of the package archive, which pacman uses for integrity checking, so tampering with a package on a mirror would also require changing its desc file.) A mirror that is merely lagging carries different package versions, whereas a tampered package shows up as the same version with a different desc, so paccheck can determine to some degree whether a problem is caused by an out-of-sync mirror or a compromised one. Finally, paccheck checks the sizes of the packages in pacman's pkg cache.

Note that aside from triggering a pacman sync and package download, paccheck does not modify your system files or correct problems. It merely alerts you, in plain English, to what it finds, so it is important that you read its report.

Also note that paccheck is not a comprehensive solution to the lack of package signing in Arch. It only compares mirrors, over your own network connection: if that connection or other components of your system are compromised, paccheck cannot detect it, and an attacker who sits on the path to every mirror you poll can feed them all the same tampered files. Still, until package signing is added to Arch, this polling method somewhat improves your update security.

Hopefully you will never see a report of a MISMATCH on a package, but if you do, do not proceed with pacman’s update until you have determined which mirror is inaccurate.
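The comparison described in the overview, written out as an added Python example. This is not paccheck's own code (paccheck is a shell script) and it assumes the old pre-3.5 sync database layout the page refers to: a gzipped tarball with one name-version/desc entry per package, each desc a list of %KEY% headers followed by values (%FILENAME%, %NAME%, %VERSION%, %CSIZE%, %MD5SUM%). The mirror names, package names and archive bytes are constructed sample data, and the exit codes follow the convention in the help text below. One mirror is in sync, one is lagging (a different bash version), and one serves the same linux version with a different MD5 sum while lacking bash entirely:

```python
# Added example, not paccheck's own code: cross-mirror comparison of old-format
# (pre-3.5) pacman sync databases plus a size/MD5 check of the package cache.
import hashlib
import io
import tarfile


def parse_desc(text):
    """Parse pacman's %KEY%/value desc format into a dict of strings."""
    fields, key = {}, None
    for line in text.splitlines():
        if len(line) > 2 and line.startswith('%') and line.endswith('%'):
            key = line[1:-1]
            fields[key] = []
        elif line.strip() and key is not None:
            fields[key].append(line)
    return {k: '\n'.join(v) for k, v in fields.items()}


def parse_sync_db(blob):
    """Return {pkgname: desc fields} from a sync db tarball (name-ver/desc entries)."""
    pkgs = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode='r:gz') as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith('/desc'):
                desc = parse_desc(tar.extractfile(member).read().decode())
                pkgs[desc['NAME']] = desc
    return pkgs


def compare_mirrors(local_db, mirror_dbs):
    """Classify each mirror's entries against the local sync db."""
    report = {}
    for mirror, remote in mirror_dbs.items():
        res = {'out_of_sync': [], 'missing': [], 'mismatch': []}
        for name, local in local_db.items():
            r = remote.get(name)
            if r is None:
                res['missing'].append(name)
            elif r['VERSION'] != local['VERSION']:
                res['out_of_sync'].append(name)   # lagging mirror, not tampering
            elif r['MD5SUM'] != local['MD5SUM'] or r['CSIZE'] != local['CSIZE']:
                res['mismatch'].append(name)      # same version, different archive
        report[mirror] = res
    return report


def check_cache(local_db, cache):
    """Verify cached archives (filename -> bytes) against size and MD5 in the local db."""
    bad = []
    for name, desc in local_db.items():
        data = cache.get(desc['FILENAME'])
        if data is not None and (len(data) != int(desc['CSIZE'])
                                 or hashlib.md5(data).hexdigest() != desc['MD5SUM']):
            bad.append(name)
    return bad


def exit_status(report, cache_bad):
    """paccheck's exit codes: 3 MISMATCH, 2 missing packages, 1 out of sync, 0 OK."""
    if cache_bad or any(r['mismatch'] for r in report.values()):
        return 3
    if any(r['missing'] for r in report.values()):
        return 2
    if any(r['out_of_sync'] for r in report.values()):
        return 1
    return 0


def build_db(entries):
    """Build an in-memory sync db from (name, version, archive bytes); constructed test data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:gz') as tar:
        for name, version, archive in entries:
            desc = ('%FILENAME%\n{n}-{v}-x86_64.pkg.tar.xz\n\n%NAME%\n{n}\n\n%VERSION%\n{v}\n\n'
                    '%CSIZE%\n{s}\n\n%MD5SUM%\n{m}\n\n').format(
                        n=name, v=version, s=len(archive), m=hashlib.md5(archive).hexdigest())
            info = tarfile.TarInfo('{}-{}/desc'.format(name, version))
            info.size = len(desc.encode())
            tar.addfile(info, io.BytesIO(desc.encode()))
    return buf.getvalue()


def sample_db(*entries):
    return parse_sync_db(build_db(entries))


# Constructed stand-ins for package archives and mirrors (not real Arch packages or hosts).
GOOD_LINUX, BAD_LINUX = b'linux archive', b'linux archive with a backdoor'
GOOD_BASH, OLD_BASH = b'bash archive', b'older bash archive'
LOCAL_DB = sample_db(('linux', '2.6.37-1', GOOD_LINUX), ('bash', '4.1.009-1', GOOD_BASH))
MIRROR_DBS = {
    'mirror-a': sample_db(('linux', '2.6.37-1', GOOD_LINUX), ('bash', '4.1.009-1', GOOD_BASH)),  # in sync
    'mirror-b': sample_db(('linux', '2.6.37-1', GOOD_LINUX), ('bash', '4.1.007-1', OLD_BASH)),   # lagging
    'mirror-c': sample_db(('linux', '2.6.37-1', BAD_LINUX)),                                     # tampered
}
PKG_CACHE = {'linux-2.6.37-1-x86_64.pkg.tar.xz': GOOD_LINUX, 'bash-4.1.009-1-x86_64.pkg.tar.xz': GOOD_BASH}


def run_check(local_db=LOCAL_DB, mirror_dbs=MIRROR_DBS, cache=PKG_CACHE):
    """Return (per-mirror report, cache problems, exit status)."""
    report = compare_mirrors(local_db, mirror_dbs)
    bad = check_cache(local_db, cache)
    return report, bad, exit_status(report, bad)


if __name__ == '__main__':
    report, bad, status = run_check()
    for mirror, res in report.items():
        print(mirror, res)
    print('cache problems:', bad, '-> exit status', status)
```

Run as-is it reports mirror-b as out of sync on bash, mirror-c as a MISMATCH on linux (same version, different MD5 sum) with bash missing, and exits with status 3; with only mirror-a configured it exits 0. The point the version comparison makes is the one from the overview: a lagging mirror disagrees on versions, a tampered one agrees on the version and disagrees on the checksum, and only the latter should stop an update.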

paccheck --help

Compares Arch Linux pacman sync and package cache to multiple mirrors to help
detect compromised mirrors

Usage: paccheck [OPTIONS]
OPTIONS:
--install PKG [...] Download packages (without sync) and check ONLY those
                    packages, then offer to install
--compare 'MIRROR'  Fully download and compare all non-expired packages in
                    pacman's pkg cache to MIRROR.  Can alternatively be
                    listed in /etc/paccheck/mirrorlist as "compare=MIRROR".
                    MIRROR can also be local dir with packages in MIRROR/pkg/
--targets           Limit check and download to current update targets only
--verbose           Show debugging output
--keep              Don't remove temporary files in /tmp/paccheck.tmp
--alt-size          Use alternate slower test of package sizes (useful due
                    to stat bug with btrfs which gives inaccurate results)
--skip-size         Skip test of package sizes
--no-sync           No pacman update - mainly for use in scripts. paccheck
                    requires an updated pacman sync and package cache.
                    Before running "paccheck --no-sync" be sure to run:
                        sudo pacman -Sy
                        sudo pacman -w --noconfirm -Su

Full System Update Procedure:
   1) Run paccheck and examine report
   2) If no package MISMATCH then run "sudo pacman -Su" to update your system

Desired mirrors may be configured in /etc/paccheck/mirrorlist

NOTE: paccheck only tests these official repositories (if configured):
      core extra community community-staging community-testing
      gnome-unstable kde-unstable multilib multilib-testing staging testing

Exit Status:
    3  Package MISMATCH, download failures, or other errors
    2  Packages missing from some mirrors
    1  Out of sync mirrors (DATABASE CONTENT MISMATCH) or other warnings
    0  All OK

The system update procedure with paccheck is:

paccheck

# then, if you're comfortable with paccheck's report:
sudo pacman -Su

When run with no options, paccheck runs “sudo pacman -Sy” (update your sync database) and “sudo pacman -w --noconfirm -Su” (download the needed updates without installing them). It then checks the files and gives you a report. Nothing is installed.

Another example: to install new packages ‘abc’ and ‘xyz’ to the system:

sudo pacman -Sy   # sync first if desired
paccheck --install abc xyz

This will download the packages and their dependencies, check only those targets (including full mirror compare if configured), and offer to install them. Be sure to read the report to determine if installation is indicated.

If you are concerned about the possibility of a fraudulent package constructed to match the MD5 sum in the desc file (MD5 is no longer collision resistant, though producing a second package with the same MD5 sum as an existing one is a considerably harder problem), you can use one or more --compare ‘MIRROR’ options. paccheck will then fully download all non-expired packages in your cache from MIRROR and compare them byte-for-byte. To limit the download to current update targets only, include the --targets option.

--no-sync is provided for scripts. Be sure to update pacman's sync database and download the needed packages before running paccheck with this option, or it won't check what's needed. Prior to running “paccheck --no-sync” you should run:

sudo pacman -Sy
sudo pacman -w --noconfirm -Su    # download, no install


Installation Instructions

IMPORTANT NOTE: Paccheck is no longer maintained by IgnorantGuru. The last version produced by IgnorantGuru was paccheck version 0.8.12 (which only works with pacman versions prior to 3.5). For the latest information on paccheck, see the Arch Forum Thread and the AUR package. The usage information and installation instructions below are for version 0.8.12 and may not fully apply to newer versions.

You can use the AUR or “packer -S paccheck”.

Or, follow the standard Script Installation Instructions.

For greatest security, use Tier 1 mirrors, or Tier 2 mirrors that use a variety of Tier 1 mirrors as their upstream; mirrors with different upstreams are less likely to all carry the same tampered file. See http://www.archlinux.org/mirrors/ and observe the Tier number of each mirror; click on a Tier 2 mirror to see its upstream Tier 1 mirror. You can also check the mirror status page to find the most up-to-date mirrors, which keeps out-of-sync warnings to a minimum.

Desired mirrors can be configured in /etc/paccheck/mirrorlist. If you didn’t install using the AUR, you’ll need to create this file (as root):

mkdir /etc/paccheck
touch /etc/paccheck/mirrorlist

Then edit that file as root, and copy any mirrors you want to use from /etc/pacman.d/mirrorlist (paccheck accepts mirror entries in the same format as that file). Here is a default mirrorlist:

# Compare pacman sync and package cache to these mirrors:
# Copy desired mirrors from /etc/pacman.d/mirrorlist

Server = http://mirror.aarnet.edu.au/pub/archlinux/$repo/os/$arch
Server = ftp://ftp5.gwdg.de/pub/linux/archlinux/$repo/os/$arch
Server = http://ftp.tku.edu.tw/Linux/ArchLinux/$repo/os/$arch

# Example - Do full package download and compare on this mirror
#           (same as --compare command line option):
# Compare = ftp://ftp5.gwdg.de/pub/linux/archlinux/$repo/os/$arch
