So I was browsing the web the other day, and I came across a few places that wanted me to download .deb
files - and since those are installed by root (and as such have the "powers" and capabilities of root), I wasn't sure about that.
Things to consider:

How well known is the site? For example, was it a random blog covered in ads, was it a random user on some forum, or was it a well known, respected site?

What does it claim to install? For example, does it claim to install a kernel or an iconset, but is it only 1MB big?

How "important" is it that you have the contents of this .deb?

Ways to test things securely:

I use arkose (it's in the standard repos) sandboxing with my debs (and other things) - use it something like this:

    sudo arkose -n -c "cd $PWD; $SHELL"

What that does is give me a "sandbox" (otherwise known as "YAY I CAN SCREW UP!") with copy-on-write access to everything on my computer, including my home directory - so if the nasty nasty .deb does sudo rm -rf /*, I DON'T LOSE ANY DATA!

Another thing that isn't stressed enough is MAKE BACKUPS. Those are extremely helpful, and we have many questions on the topic.

In short, just make sure you think about it, and don't just download a random deb and install it.
If you are downloading a package from untrusted or questionable sources, be paranoid. On popular forums like ubuntuforums.org, if a user makes his first post containing only a short text like "install this, works for me!", followed by a link, be careful with that link and/or instructions.
Don't use binary packages if possible, especially from untrusted sources. Get the source (for official Ubuntu packages, this can be done with apt-get source package-name) and have a look at it.

If the package in question is small, it may be worth analysing it. I prefer to use the terminal for that because I then have fast access to other powerful command-line tools like ls, find, file, less, vim, grep, sed, dpkg and lots of others. Make use of tab-completion (i.e. hitting Tab to complete commands and filenames), it really saves time!

To download a .deb file, you can use the browser, but copying the link and then using wget is faster since you can already experiment with it.

Next, it's time to check the file itself. less (through lesspipe) can provide a quick overview of the file contents. Arrow keys, page up/down, home/end can be useful for navigating, Q quits the program.

After this, you get an overview of the package dependencies and what kind of files it possibly contains. Time to extract the files and analyse the contents using dpkg-deb. The first command extracts the file tree in a newly created directory fs, the second one extracts it to DEBIAN because no other target is specified:

We'll use less again to analyze the contents of the maintainer scripts (i.e. the files that will be used/run during installation (and removal)). prerm, preinst, postrm and postinst are scripts run before/after removal/installation, which are the most important files to analyse. Use :n and :p to switch between the files. By pressing =, you get the current file name and line number as well as the number of files that are in the list.

If the package scripts look sane, it's time to analyse the installed contents (use tab-completion). For shell scripts and interpreted scripts (like Python), analysis is easier (assuming that you're familiar with the language). Pay special attention to configuration files, especially if they are using directories like /etc/init (for startup scripts) or /etc/modprobe.d (options for loading kernel modules).

For binaries, ldd can give an idea what a program could be used for. The below program looks like a graphical program that uses OpenGL.

After you are sure that the package looks valid, you can go on and install it in VirtualBox booting off a Live CD and use ps aux, top, strace -f -o logfile.txt programname for further analysis.
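As an added example (not part of the answer above, and not dpkg-deb itself), the same inspection done in Python without installing anything: a small parser for the .deb container, which is an ar archive holding debian-binary, control.tar.* and data.tar.*, that pulls out the maintainer scripts from the control tarball and flags payload paths under /etc/init and /etc/modprobe.d. The sample package and the make_tar/make_ar helpers are constructed here for the demonstration.

```python
import io, tarfile

SENSITIVE = ("/etc/init", "/etc/modprobe.d")            # startup scripts, module options
SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}     # maintainer scripts, run as root

def parse_ar(data):
    """Split an ar archive (the outer .deb container) into {member_name: bytes}."""
    assert data[:8] == b"!<arch>\n", "not an ar archive"
    pos, members = 8, {}
    while pos + 60 <= len(data):                         # 60-byte member headers
        name = data[pos:pos + 16].decode().strip().rstrip("/")  # some tools append '/'
        size = int(data[pos + 48:pos + 58].decode())
        members[name] = data[pos + 60:pos + 60 + size]
        pos += 60 + size + size % 2                      # members are 2-byte aligned
    return members
def inspect_deb(data):
    """Return the maintainer scripts and payload paths under SENSITIVE, without installing."""
    members = parse_ar(data)
    assert members["debian-binary"].strip() == b"2.0", "unknown .deb format version"
    ctrl = next(n for n in members if n.startswith("control.tar"))
    with tarfile.open(fileobj=io.BytesIO(members[ctrl])) as tar:  # gz/xz/bz2 auto-detected
        scripts = {m.name.lstrip("./"): tar.extractfile(m).read().decode()
                   for m in tar.getmembers() if m.name.lstrip("./") in SCRIPTS}
    payload = next(n for n in members if n.startswith("data.tar"))
    with tarfile.open(fileobj=io.BytesIO(members[payload])) as tar:
        paths = ["/" + m.name.lstrip("./") for m in tar.getmembers() if m.isfile()]
    return {"scripts": scripts, "sensitive": [p for p in paths if p.startswith(SENSITIVE)]}
# Constructed helpers, used only to build the sample package below (not dpkg-deb output).
def make_tar(entries):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in entries.items():
            info = tarfile.TarInfo(path); info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()
def make_ar(members):
    out = b"!<arch>\n"
    for name, body in members:                           # 60-byte header, 2-byte padding
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{100644:<8}{len(body):<10}`\n".encode()
        out += body + (b"\n" if len(body) % 2 else b"")
    return out
# Constructed sample: postinst writes under /etc/init, payload ships a modprobe config.
SAMPLE_DEB = make_ar([
    ("debian-binary", b"2.0\n"),
    ("control.tar.gz", make_tar({"./control": b"Package: demo\nVersion: 1.0\n",
        "./postinst": b"#!/bin/sh\ncp /usr/share/demo/demo.conf /etc/init/demo.conf\n"})),
    ("data.tar.gz", make_tar({"./usr/bin/demo": b"\x7fELF placeholder, not a real binary",
        "./etc/modprobe.d/demo.conf": b"options demo debug=1\n"})),
])
```

Run inspect_deb on the bytes of a real downloaded package to get the same report before deciding whether to install it.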