I gave it a test run, and the result shows that 360 basically doesn't give a fuck about Linux community conventions or basic security common sense.
Sloppy packaging
First, the deb package itself is sloppily put together; even the dependencies are wrong:
$ dpkg-deb -I 360safeforlinux-3.0.0.66-stripped.deb
[...]
 Package: 360safeforlinux
 Version: 3.0.0.66
 Architecture: amd64
 Maintainer: qihu360 company
 Installed-Size: 23617
 Depends: libc6 (>= 2.14), libglib2.0-0 (>= 2.38), python2.7 (>= 2.7.6), openssl (>= 1.0), curl, libqt4-network (>= 4.8.5), libqt4-sql (>= 4.8.5)
 Section: gnome
 Priority: required
 Essential: yes
 Description: 360safeforlinux
But it actually also depends on two libraries, libpython2.7 and libqtgui4, that are not declared, so I had to fix that by hand.
Abusing Essential
The packaging also abuses the Essential flag to make uninstalling a hassle.
root@debian-amd64:/home/user# apt-get remove 360safeforlinux
[...]
The following packages will be REMOVED:
  360safeforlinux
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
  360safeforlinux
[...]
**You are about to do something potentially harmful.**
To continue type in the phrase 'Yes, do as I say!'
 ?]
Abort.
root@debian-amd64:/home/user# aptitude remove 360safeforlinux
The following packages will be REMOVED:
  360safeforlinux
[...]
The following ESSENTIAL packages will be REMOVED!
  360safeforlinux
WARNING: Performing this action will probably cause your system to break!
Do NOT continue unless you know EXACTLY what you are doing!
To continue, type the phrase "I am aware that this is a very bad idea":
As for the Essential packaging policy, both Debian and Ubuntu reserve it for only the most indispensable packages.
Careless use of setuid
After installation, while dpkg is configuring the package, its postinst script simply sets the setuid bit. Using setuid this carelessly, and it still calls itself security software?
if [ "$1" = "configure" ]; then
    chmod u+s /opt/360safeforlinux/s360SafeForLinux
    [...]
fi
What this means is that when you run this thing as an ordinary user, it becomes root:
user@debian-amd64:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
user@debian-amd64:~$ start360 &
[1] 4512
user@debian-amd64:~$ pstree -u
init─┬─dhclient
     ├─5*[getty]
     ├─login───bash(user)───startx───xinit─┬─Xorg(root)
     │                                     └─x-window-manage
[...]
     ├─urxvtd(user)
     └─urxvtd(user)─┬─bash───start360(root)─┬─{BackendTaskThre}
                    │                       ├─{BrowserHomePage}
                    │                       ├─{CpuMemUseState}
                    │                       ├─{FileWatcher}
                    │                       ├─{IsolateZone}
                    │                       ├─{LogCleanThread}
                    │                       ├─2*[{MyThread}]
                    │                       ├─{VdUpload}
                    │                       └─3*[{start360}]
                    └─bash───pstree
A kernel module?
The dpkg prerm script has something strange in it as well:
# If the rk360 module is loaded, unload it and delete its .ko file from /etc
rc=`lsmod | grep "rk360" | xargs echo`
if [ -n "$rc" ]; then
    rmmod rk360 2>/dev/null 1>&2
    rm -rf /etc/360safe/360safe.ko 2>/dev/null 1>&2
fi
# Same again for the immu module
rc=`lsmod | grep "immu" | xargs echo`
if [ -n "$rc" ]; then
    rmmod immu 2>/dev/null 1>&2
    rm -rf /etc/360safe/immu.ko 2>/dev/null 1>&2
fi
So 360 isn't content with root privileges, it also uses kernel modules? That said, I did not find either of these two modules during this test.
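Everything above (the Essential/Priority abuse, the setuid chmod in postinst, the module handling in prerm) can be caught before `dpkg -i` is ever run, just by reading the control metadata and maintainer scripts out of the .deb container. The Python script below is an added example, not code from the original post or from 360: it parses the .deb itself (an `ar` archive whose `control.tar.*` member holds `control`, `postinst`, `prerm` and friends) and reports those findings. The package it builds in memory with `make_sample_deb()` (name `example-av`, paths `/opt/example/agent` and `/etc/example/examplemod.ko`) is constructed for the demo and mirrors what the post found; the undeclared-library check the post did by hand is not reproduced, since that needs the installed binaries rather than the control data.

```python
"""Pre-install audit of a .deb's control metadata and maintainer scripts.
Added example, not code from the original post or from 360. A .deb is an
`ar` archive: debian-binary, control.tar.*, data.tar.*; only control.tar.* is read."""
import io
import re
import sys
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")

# Lines a reviewer wants to see before installing (defender checks).
SUSPICIOUS = [
    (re.compile(r"\bchmod\s+(?:[ugoa]*\+[rwx]*s|[0-9]*[2-7][0-7]{3})\b"),
     "sets a setuid/setgid bit"),
    (re.compile(r"\b(?:insmod|modprobe|rmmod)\b"), "loads or unloads a kernel module"),
    (re.compile(r"\S+\.ko\b"), "references a kernel module object"),
]

def ar_members(data):
    """Return {member name: bytes} for a common-format ar archive."""
    if not data.startswith(AR_MAGIC):
        raise ValueError("not an ar archive, so not a .deb")
    pos, members = len(AR_MAGIC), {}
    while pos + 60 <= len(data):
        hdr = data[pos:pos + 60]                       # fixed 60-byte member header
        name = hdr[:16].decode("ascii").strip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        pos += 60
        members[name] = data[pos:pos + size]
        pos += size + (size % 2)                       # members are 2-byte aligned
    return members

def parse_control(text):
    """Parse the RFC822-style control file, joining continuation lines."""
    fields, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and key:
            fields[key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            key = key.strip()
            fields[key] = value.strip()
    return fields

def control_files(members):
    """Extract control, postinst, prerm, ... from the control.tar.* member."""
    name = next(n for n in members if n.startswith("control.tar"))
    out = {}
    with tarfile.open(fileobj=io.BytesIO(members[name]), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name.split("/")[-1]] = tar.extractfile(m).read().decode("utf-8", "replace")
    return out

def audit_deb(data):
    """Return (control fields, list of findings) for the given .deb bytes."""
    files = control_files(ar_members(data))
    ctrl = parse_control(files.get("control", ""))
    findings = []
    if ctrl.get("Essential", "no").lower() == "yes":
        findings.append("control: Essential: yes (reserved for the base system; "
                        "apt and aptitude will fight its removal)")
    if ctrl.get("Priority", "").lower() == "required":
        findings.append("control: Priority: required claimed by a third-party package")
    for script in MAINTAINER_SCRIPTS:
        for lineno, line in enumerate(files.get(script, "").splitlines(), 1):
            for pattern, why in SUSPICIOUS:
                if pattern.search(line):
                    findings.append(f"{script}:{lineno}: {why}: {line.strip()}")
    return ctrl, findings

def _ar_member(name, body):
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(body):<10}`\n"
    return hdr.encode("ascii") + body + (b"\n" if len(body) % 2 else b"")

def make_sample_deb():
    """Constructed package (hypothetical name and paths) mirroring the post's findings."""
    control = ("Package: example-av\nVersion: 1.0\nArchitecture: amd64\n"
               "Depends: libc6 (>= 2.14),\n python2.7\nEssential: yes\nPriority: required\n")
    postinst = '#!/bin/sh\nif [ "$1" = "configure" ]; then\n  chmod u+s /opt/example/agent\nfi\n'
    prerm = "#!/bin/sh\nrmmod examplemod 2>/dev/null\nrm -f /etc/example/examplemod.ko\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for fname, text in (("control", control), ("postinst", postinst), ("prerm", prerm)):
            raw = text.encode()
            info = tarfile.TarInfo("./" + fname)
            info.size = len(raw)
            tar.addfile(info, io.BytesIO(raw))
    return (AR_MAGIC + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", buf.getvalue())
            + _ar_member("data.tar.gz", b""))

if __name__ == "__main__":
    # Audit the .deb named on the command line, or the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_deb()
    fields, found = audit_deb(blob)
    print(f"{fields.get('Package')} {fields.get('Version')}: {len(found)} finding(s)")
    for item in found:
        print(" -", item)
```

Run it with no arguments to see the five findings on the constructed sample, or give it a real .deb path. The chmod pattern deliberately matches `u+s`, `g+s` and octal modes with a set 4/2 bit (`4755`, `2755`, `6755`) while leaving plain `0755`/`755` alone, so a normal `chmod 755` in a maintainer script does not produce noise.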
Strange runtime behaviour
Once start360 is running, there are two strange things about its behaviour:
It writes its pid to /etc/360safe/360safeforlinux.pid. Will it follow the FHS?
It scans system files like crazy: powertop shows 30 wakeups per second while idle, and laptop battery life is dead. Will it use inotify?
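The wakeup storm the post measured is exactly what inotify exists to avoid: a watcher sleeps in select() and is woken by the kernel only when a watched file actually changes, so an idle machine stays idle. Below is an added example, not code from the original post or from 360's product, that drives inotify directly through ctypes using the C-library calls inotify_init1 and inotify_add_watch (Linux only). The temporary directory and the probe.txt file it creates are constructed for the demo. On the pid-file point, the FHS puts run-time pid files under /run, not /etc.

```python
"""Event-driven file watching with inotify via ctypes (Linux only).
Added example, not code from the original post or from 360. demo() creates
its own temporary directory and probe file, so it runs stand-alone."""
import ctypes
import os
import select
import struct
import tempfile

# Event masks from <sys/inotify.h>
IN_MODIFY, IN_CLOSE_WRITE, IN_CREATE, IN_DELETE = 0x002, 0x008, 0x100, 0x200
IN_NONBLOCK = os.O_NONBLOCK          # inotify_init1 reuses the O_NONBLOCK value
EVENT_HDR = struct.Struct("iIII")    # struct inotify_event: wd, mask, cookie, len

_libc = ctypes.CDLL(None, use_errno=True)
_libc.inotify_init1.argtypes = [ctypes.c_int]
_libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]


class DirWatcher:
    """Watch one directory; wait() returns (name, mask) pairs without polling."""

    def __init__(self, path, mask=IN_CLOSE_WRITE | IN_CREATE | IN_DELETE):
        self.fd = _libc.inotify_init1(IN_NONBLOCK)
        if self.fd < 0:
            raise OSError(ctypes.get_errno(), "inotify_init1 failed")
        self.wd = _libc.inotify_add_watch(self.fd, os.fsencode(path), mask)
        if self.wd < 0:
            err = ctypes.get_errno()
            os.close(self.fd)
            raise OSError(err, f"inotify_add_watch failed for {path}")

    def wait(self, timeout):
        """Sleep until events arrive or `timeout` seconds pass; [] on timeout."""
        ready, _, _ = select.select([self.fd], [], [], timeout)
        if not ready:
            return []
        buf = os.read(self.fd, 64 * 1024)
        events, pos = [], 0
        while pos + EVENT_HDR.size <= len(buf):
            _wd, mask, _cookie, length = EVENT_HDR.unpack_from(buf, pos)
            pos += EVENT_HDR.size
            # The name is NUL-terminated and NUL-padded; len counts the padding.
            name = buf[pos:pos + length].split(b"\0", 1)[0].decode(errors="replace")
            pos += length
            events.append((name, mask))
        return events

    def close(self):
        os.close(self.fd)


def demo():
    """Write a file into a watched temp dir; return (idle events, events after the write)."""
    with tempfile.TemporaryDirectory() as d:
        watcher = DirWatcher(d)
        try:
            quiet = watcher.wait(0.2)    # nothing changed: the process just slept
            with open(os.path.join(d, "probe.txt"), "w") as f:
                f.write("constructed probe file\n")
            events = watcher.wait(2.0)   # woken by the kernel for CREATE and CLOSE_WRITE
        finally:
            watcher.close()
    return quiet, events


if __name__ == "__main__":
    quiet, events = demo()
    print("events while idle:", quiet)
    for name, mask in events:
        print(f"{name}: mask=0x{mask:x}")
```

Compare the two calls to wait(): the first returns an empty list after 0.2 s with no CPU spent, the second returns as soon as the write happens. A file-watching agent built this way would show up in powertop only when files change, not thirty times a second on an idle desktop.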