What Are Package Managers?

Deja vu Security Associate Security Consultant Aadarsh Karumathil gives us this walkthrough of package managers APT, yum, pacman, and brew. Aadarsh was previously with Oracle and Avnet Services, and has a master’s from the Rochester Institute of Technology.


AdobeStock_62331513.jpeg

What Are Package Managers?

Linux is open source, which makes it easy for communities to develop their own versions of the popular operating system. Known as “Linux distributions,” these modified versions utilize different package managers depending on developer community preference. So what are “packages” and in-turn, “package managers?” Linux software applications are called packages, and package managers are software that handle the process of installing, maintaining, and uninstalling these packages. A few commonly used package managers include APT, yum, pacman, and brew, and each of these has a process for maintaining the integrity of the packages in-transit and at-rest. APT, yum, and pacman do this with their own implementations of Gnu Privacy Guard (GnuPG).


GnuPG

GnuPG is an open source implementation of Pretty Good Privacy (PGP), and uses asymmetric encryption to encrypt and sign data. Asymmetric encryption utilizes a matching pair of keys. One of the keys is a public key available to everyone, and the other is a secret key called a private key. Any data encrypted using a public key can be decrypted using the matching private key, and any data encrypted using the private key can be decrypted using only the public key. This process of encrypting data using the private key is known as signing. Signing provides non-repudiation; since the private key is secret, only the owner of the key could have signed it. In GpuPG, when a user signs or encrypts data using their private key, it means they trust the data. This signing enables GnuPG to use a web of trust for verification. In a web of trust, anyone can sign another person’s key; when signed, it’s implied the person trusts that key. This process of trusting a key is a confirmation that the public key belongs to that user.


APT

Package Managers - APT Diagram.png

Advanced Package Tool (APT) is a widely used package manager in Debian and Debian-based Linux distributions, combining the features of apt-get, apt-cache, apt-secure, and various other apt tools into a single package manager. APT uses the DPKG packaging system on the backend to install packages; when Debian Linux or a distribution based on Debian Linux is installed, the official repositories are configured in the /etc/sources.list file. The public keys of these repositories are also installed into the keyring of the Linux distribution at /usr/share/keyrings/. The following are three main components used in Debian architecture to maintain integrity:

  1. Keyserver – A central authority which holds all the public keys and signatures on those public keys. In Debian, keyring.debian.org is a keyserver, and before their key gets added into the keyserver, developers need to prove their identity and get their key signed by another developer.

  2. Repository – A space to host packages available to download.

  3. Keyring – A local storage of all the trusted keys. It includes any keys present in /usr/share/keyrings, /etc/apt/trusted.gpg, and /etc/apt/trusted.gpg.d.

When a user wants to add additional repositories, the apt add-repository command is used. The following then occurs:

  1. The package manager queries the repository to get the public key fingerprint.

  2. The package manager downloads the public key from the keyserver using the fingerprint.

  3. The package manager verifies the signature and adds it to /etc/apt/trusted.gpg or /etc/apt/trusted.gpg.d/.

  4. The repository is then added to /etc/apt/sources.list or /etc/apt/sources.list.d.

This enables the package manager to check the added repositories for updates on packages and verify integrity upon download. To update and upgrade packages, the user runs apt update && apt upgrade. This does the following:

  1. The package manager obtains the list of repositories from the /etc/apt/sources.list and /etc/sources.list.d.

  2. The package manager queries these repositories to obtain two files– release and release.gpg files–from #{repository}/#{distribution}/#{distribution-updates}. The release file contains checksums of all the packages along with the date of release.

  3. The signature on release.gpg is verified. If the signature is valid, the package manager downloads the packages in need of upgrade.

  4. The checksum of the packages is validated with the checksum provided in the release file.

  5. The packages are installed when checksum validation is passed.

APT does not check for signatures on packages individually–it only determines if the checksum in the release file matches the checksum of the package. Users can install a package in two different ways:

  1. Install a package using the apt install command–when the APT install command is run, the package manager:

    • Queries all the repositories in etc/apt/sources.list and /etc/sources.list.d.

    • Downloads the package over http/https.

    • Generates the checksum of the package and validates it against the release file.

    • Installs it only if the checksum validation is successful.

  2. Install a package locally

    • Users can download a package and install it by putting it in /var/cache/apt/archive and running apt-install #{package-name}, or using dpkg –I.

When a package is installed locally, it doesn’t check for checksum validation and signature. APT works under the assumption that the user downloaded the packages in a secure manner. By default, the signature verification of packages installed using the second method are turned off at /etc/dpkg/dpkg.conf using the no-debsig option.

The list of updated packages can be obtained from the logs at /var/log/apt/history.log.


YUM

Yellowdog Updater Modified (stylized “yum”) is the standard package manager for RHEL and RHEL-based distributions. It uses the RPM packaging system for installing packages, and GnuPG for package integrity. Unlike Debian, where each developer has a key to encrypt packages, RHEL uses a standard set of keys for every release. The public keys are present in /etc/pki/rpm-gpg/ after installation, and only packages signed using these keys are installed. Additional repositories are added in yum using the config manager. When adding a repository in RHEL, the details of the repository along with the key are downloaded as a .rpm file, which is signed using one of the keys in the keyring. Thus, only packages approved by official RHEL or the distribution of RHEL can be installed with validation.


Pacman

Pacman (short for “package manager”) is the packaging system for Arch Linux. It has the capability to handle all the functions of a package manager; and, like yum and APT, Pacman maintains integrity using GnuPG. In Arch Linux, a root key is used to develop seven master keys, and all the developer keys are signed using these keys. The public keys of the master keys are found in /etc/pacman.d/gnupg. Only packages signed by a developer key, which is in-turn signed by a master key, are installed. However, pacman doesn’t check for signatures on local package installations by default. This can be changed in the configuration file at /etc/pacman.conf.


Brew

Package Managers - Brew Diagram.png

Brew–a package manager commonly referred to as “Homebrew” in OS X and “Linuxbrew” in Linux–is written in Ruby and relies heavily on GitHub to deliver packages. When brew is installed, it clones the entire GitHub repository at /usr/local. This directory contains formulas–Ruby code specifying download and build instructions. Brew also has an additional option of enabling tap, a third-party formula repository. Brew maintains integrity by hardcoding checksums of the packages downloaded into the formulas; however, there are formulas in taps without a checksum validation.


Potential vulnerabilities

  • Package managers by default download on http if an http mirror is specified in sources.list. Even when checksum validation occurs, it doesn’t necessarily stop vulnerabilities in a package manager. The recent remote code execution in APT is a real-world examples of these issues. Therefore, it is advisable to use https mirrors only.

  • Packages installed locally in apt and pacman are not validated, and should always be downloaded using https.

  • Not all formulas in brew have checksum validation.

  • When a package is installed as root by brew, it has the permission to execute as root, leading to the possibility of corrupting files which are accessible by root only. Therefore, never install brew packages as root.


Summary/quick reference

Package managers summary table.png