测试了一把,结果显示360基本对Linux社区规范和安全常识不give a fuck。
首先,这个deb包就是胡乱打包,依赖关系就没弄好:
$ dpkg-deb -I 360safeforlinux-3.0.0.66-stripped.deb
[...]
Package: 360safeforlinux
Version: 3.0.0.66
Architecture: amd64
Maintainer: qihu360 company
Installed-Size: 23617
Depends: libc6 (>= 2.14),libglib2.0-0 (>= 2.38),python2.7 (>= 2.7.6),openssl(>= 1.0),curl,libqt4-network(>= 4.8.5),libqt4-sql(>= 4.8.5)
Section: gnome
Priority: required
Essential: yes
Description: 360 safe for linux
但是还实际依赖了libpython2.7和libqtgui4两个库没有标明,要我手动修复。
这个打包还通过滥用Essential标记来制造卸载的麻烦。
root@debian-amd64:/home/user# apt-get remove 360safeforlinux
[...]
The following packages will be REMOVED:
360safeforlinux
WARNING: The following essential packages will be removed.
This should NOT be done unless you know exactly what you are doing!
360safeforlinux
[...]
**You are about to do something potentially harmful.**
To continue type in the phrase 'Yes, do as I say!'
?]
Abort.
root@debian-amd64:/home/user# aptitude remove 360safeforlinux
The following packages will be REMOVED:
360safeforlinux
[...]
The following ESSENTIAL packages will be REMOVED!
360safeforlinux
WARNING: Performing this action will probably cause your system to break!
Do NOT continue unless you know EXACTLY what you are doing!
To continue, type the phrase "I am aware that this is a very bad idea":
关于Essential打包政策,Debian和Ubuntu都只保留给最必要的包。
安装后dpkg配置时它的postinst脚本直接给加上了setuid。如此随意地使用setuid,还能自称是安全?
if [ "$1" = "configure" ];then
chmod u+s /opt/360safeforlinux/s360SafeForLinux
[...]
fi
这个的意思就是,以普通用户权限运行这个东西,它会变成root:
user@debian-amd64:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
user@debian-amd64:~$ start360 &
[1] 4512
user@debian-amd64:~$ pstree -u
init─┬─dhclient
├─5*[getty]
├─login───bash(user)───startx───xinit─┬─Xorg(root)
│ └─x-window-manage
[...]
├─urxvtd(user)
└─urxvtd(user)─┬─bash───start360(root)─┬─{BackendTaskThre}
│ ├─{BrowserHomePage}
│ ├─{CpuMemUseState}
│ ├─{FileWatcher}
│ ├─{IsolateZone}
│ ├─{LogCleanThread}
│ ├─2*[{MyThread}]
│ ├─{VdUpload}
│ └─3*[{start360}]
└─bash───pstree
dpkg的prerm脚本还有奇怪的东西:
rc=`lsmod | grep "rk360" | xargs echo`
if [ -n "$rc" ];then
rmmod rk360 2>/dev/null 1>&2
rm -rf /etc/360safe/360safe.ko 2>/dev/null 1>&2
fi
rc=`lsmod | grep "immu" | xargs echo`
if [ -n "$rc" ];then
rmmod immu 2>/dev/null 1>&2
rm -rf /etc/360safe/immu.ko 2>/dev/null 1>&2
fi
360不仅不满足于root权限,还在用内核模块?不过这次使用中并未发现这两个内核模块。
start360启动,然后有两个运行时怪现状:
/etc/360safe/360safeforlinux.pid。会不会遵守FHS?它提供了一些功能。
rm -r ~/.adobe ~/.cache ~/.local ~/.macromedia ~/.thumbnails /tmp/*。但是这些临时文件是有用的,也占不了多大空间。update-rc.d/chkconfig封装了一个图形界面。/usr/bin/shred?来删除/proc试试?./etc/360safe/urlcheck
./etc/360safe/urlcheck/normalize.py
./etc/360safe/urlcheck/Firefox
./etc/360safe/urlcheck/Firefox/360webshield@qihoo.com.xpi
./etc/360safe/urlcheck/lcloud.ini
./etc/360safe/urlcheck/browserextensionsinstaller.py
./etc/360safe/urlcheck/Chrome
./etc/360safe/urlcheck/Chrome/360WebShield.crx
360唯有一点用功了,就是列了一大堆非GPL的许可证:
license/zlib_license.txt
license/c-ares_license.txt
license/qt_license_lgpl.txt
license/unrar_license.txt
license/sqlite_license.txt
license/elftoolchain_license.txt
license/libcurl_license.txt
license/7-Zip_license.txt
license/boost_license.txt
license/openssl_licnese.txt
license/minizip_license.txt
license/jsoncpp_license.txt
license/protobuf_license.txt
license/Noto fonts_license.txt
license/qt_lgpl_exception.txt
这样人们就无权索要源代码。不过,一个安全产品不公开源代码,然后用setuid拿了root还要搞内核模块,谁知道你要干嘛?总之,360对Linux社区规范和安全常识基本不give a fuck。
这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。
V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。
V2EX is a community of developers, designers and creative people.