Re: Apturl (security) issues and inclusion in Gutsy
On 9/18/07, Alexander Sack [EMAIL PROTECTED] wrote:
> On Mon, Sep 17, 2007 at 10:33:15PM +0200, Wouter Stomp wrote:
> > 1. It's possible to run arbitrary scripts in the preinst/postrm phase of
> > dpkg installation or the installed program itself could be malicious.
> > By allowing the repository to be specified the deb can come from
> > anywhere. So, you've basically got just a yes/no dialog stopping
> > arbitrary code execution. (Not far from UAC and ActiveX in windows.)
>
> This is a feature of deb packages in general. ATM, you can provide .deb
> links that will run gdebi by default. The difference of apturl is that it
> allows you to ship dependencies of your provided packages as well.

When clicking on a .deb link, the user is given the choice between
downloading the file or opening it with an application of the user's
choice. Gdebi is only opened when the user chooses to do so.

> > 2. Repositories added through apturl could provide packages included in
> > Ubuntu but with higher version numbers with malicious code.
>
> ... this is a feature, not an issue.

This is not a feature, it is very dangerous.

> > 3. There should be a VERY OBVIOUS visual indication of whether the
> > program is going to be installed from the official repos or some third
> > party site (right now it is not).
>
> If this is not obvious enough, we should take a look. ATM you get at
> least a warning because the 3rd party repository is not signed with a
> trusted key.

But once you have added the 3rd party repository, it can replace any
package without warning.

> > 4. It is not well maintained. In the two months that it has been in the
> > archives, 20 bugs have been reported, none have been fixed. Only one had
> > a response and that is a bug about a spelling mistake in the package
> > description. (Altogether it seems to have been uploaded only to enable
> > the plugin wizard in firefox to work, after which it hasn't had any
> > more attention.)
>
> Are there any serious bugs filed?

I think so, yes, but it actually doesn't matter if they are serious or
not. One of the requirements for inclusion in main (let alone to be shipped
on the cd) is that upstream supports and cares for the package. Well, here
clearly no one seems to care for the package.

> > 5. It hasn't had a lot of testing. It wasn't mentioned in any of the
> > tribe release notes. There hasn't been a post in the dev-link forum or
> > on the mailing lists. So not many people know about it or have tested
> > it.
>
> The ffox plugin finder wizard was announced with tribe-5. I agree though,
> that we should call for more widespread testing/comments, especially how
> we can raise awareness about the security implications of 3rd party
> packages.

apturl itself wasn't announced anywhere.

> > 6. It functions for firefox only, even though solutions to enable it for
> > konqueror and opera have been provided in bug report. This makes it
> > impossible for a website to provide an "install this" link for an
> > Ubuntu package. They have to mention that it only works if you are
> > running firefox, not if you are a kubuntu user running konqueror for
> > example.
>
> I don't think that this is a valid argument. As you say, there are
> solutions for other browsers available. The fact that they haven't been
> integrated yet is not an issue of apturl.

But they should be integrated before shipping apturl by default, otherwise
it will reflect badly on ubuntu when a link works on ubuntu but not on
kubuntu or xubuntu for example because they use a different browser.

> > 7. There is currently no way for a website to know whether apt urls will
> > work on the user's operating system. If a website provides an apt
> > install link it will be broken for feisty and earlier ubuntu versions
> > or other linux distributions.
>
> How is this different from providing links to .deb packages? Users
> unaware about architectures et al are not really capable to understand
> comments next to the link either. If they are, you can do the same for
> apturl links.

The users don't need to be aware of architectures or anything. But there
shouldn't be links to install programs on websites when they don't work.
The links should be hidden/removed when they won't work anyway.

> > 8. Making people enter their sudo password in a popup you got from
> > clicking on a link on an arbitrary website is definitely not secure.
>
> I see the point of this. We should investigate how we can make the
> installer more spoof-proof. IIRC, it shades the application that started
> the installer atm, which is a good start and probably hard to spoof with
> just HTML mechanisms. Maybe we can add more prominent/graphical hints
> that it's now the ubuntu install wizard processing your request?

It should be made a lot harder. Currently it is very easy to spoof. You
know that effect that some pages have when an image pops up and the
website itself goes gray? Use that and add a popup asking for the user's
password and the majority of users won't notice the difference.

> > 9. apturl in its current version
Re: Apturl (security) issues and inclusion in Gutsy
Vincenzo Ciancia wrote:
> Adding a way for people to provide user-friendly apt sources without
> having to upload screenshots on how to add sources in
> system/administration/sources (whatever it is called in english) does
> not change the overall security model of ubuntu and apt, which is, if
> you have the root password, you can do whatever you like to your system,
> and if you add an apt source and its gpg key using the root password,
> you are authorizing other people to do whatever they want to your
> system.

The new point is that you can easily add repositories even when you don't
know the minimum about how apt works. And once you've added repositories,
even people willing to help you (by providing new software) can impact
your desktop in a bad way, and users will blame Ubuntu for that. Expect to
get many non-Ubuntu bugs from users that don't know they are using
bleeding-edge software from custom repositories.

At least, the first time you add a repository using apt-url, it should
warn you in a flashy way what you're doing, and you need to really read
the warning. And then, before adding a repository, it should print:
- the number of packages the repository provides and
- the list of installed or main packages that may be replaced
  automatically.

Using for example two dialogs, you would need to click twice on 'Next' to
install it; this would be a minimum protection. Even more: at any time,
the user should be able to easily revert to a pure Ubuntu desktop by
disabling the custom repositories and removing their packages.

I still agree that this feature may lead ubuntu into Windows-like
behavior, with unknown programs starting now and then, and an unstable
system. We should think twice about it, and wait for apt-url to be really
mature (at least, for it to implement all needed security features).

--
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
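The pre-flight check proposed in the message above (print how many packages a repository provides and which installed or main packages it would replace) can be computed before the repository is ever enabled. The following is an added example written for this thread; it is not apturl's code and was not written by any of the participants. It assumes the repository's Packages index is available as text and the installed package set as a name-to-version mapping, and it implements dpkg's version ordering itself so that an epoch bump (the usual way a third party's package outranks Ubuntu's, as in point 2 of the original list) is caught rather than missed by a naive string comparison. The repository contents, package names and version numbers in the sample are constructed for the example.

```python
"""Pre-flight check for a third-party apt repository (added example, not apturl code).
Reports how many packages an index offers and which installed packages it would
replace by shipping a higher version, using dpkg's version ordering."""
import re
from typing import Dict, List, Tuple

def _order(c: str) -> int:
    """Weight of a character in a non-digit run, as in dpkg's verrevcmp()."""
    if c == "" or c.isdigit():
        return 0
    if c == "~":          # '~' sorts before everything, even the end of the string
        return -1
    return ord(c) if c.isalpha() else ord(c) + 256

def _compare_fragment(a: str, b: str) -> int:
    """Compare upstream-version or revision strings; returns <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: character by character via _order().
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            oa = _order(a[i]) if i < len(a) else 0
            ob = _order(b[j]) if j < len(b) else 0
            if oa != ob:
                return oa - ob
            i, j = i + 1, j + 1
        # Digit run: numeric comparison, leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1           # a has more digits, so it is the larger number
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def compare_versions(a: str, b: str) -> int:
    """Order two Debian version strings like `dpkg --compare-versions`."""
    def split(v: str) -> Tuple[int, str, str]:
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    ea, ua, ra = split(a)
    eb, ub, rb = split(b)
    return (ea - eb) or _compare_fragment(ua, ub) or _compare_fragment(ra, rb)

def parse_packages_index(text: str) -> Dict[str, str]:
    """Parse an apt Packages index into {package: highest version offered}."""
    offered: Dict[str, str] = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] not in (" ", "\t") and ":" in line:   # skip folded continuation lines
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        name, ver = fields.get("Package"), fields.get("Version")
        if name and ver and (name not in offered or compare_versions(ver, offered[name]) > 0):
            offered[name] = ver
    return offered

def replacement_report(offered: Dict[str, str], installed: Dict[str, str]
                       ) -> Tuple[int, List[Tuple[str, str, str]]]:
    """Return (packages offered, [(name, installed version, offered version)] to be replaced)."""
    replaced = [(n, installed[n], v) for n, v in sorted(offered.items())
                if n in installed and compare_versions(v, installed[n]) > 0]
    return len(offered), replaced

# Constructed sample index for a hypothetical repository; names and versions are made up.
SAMPLE_PACKAGES_INDEX = """\
Package: coolapp
Version: 1.2-1
Description: the application the repository exists to ship

Package: libc6
Version: 1:2.6.1-2custom1
Description: patched C library; the epoch bump outranks any Ubuntu version

Package: firefox
Version: 2.0.0.6+1-0ubuntu1
Description: identical to the installed version, so nothing changes
"""
# Constructed snapshot of installed packages (the data `dpkg-query -W` reports).
SAMPLE_INSTALLED = {"libc6": "2.6.1-1ubuntu9", "firefox": "2.0.0.6+1-0ubuntu1", "bash": "3.2-0ubuntu7"}

def main() -> None:
    total, replaced = replacement_report(parse_packages_index(SAMPLE_PACKAGES_INDEX), SAMPLE_INSTALLED)
    print(f"Repository provides {total} package(s).")
    for name, old, new in replaced:
        print(f"  would replace {name}: {old} -> {new}")

if __name__ == "__main__":
    main()
```

On the sample data the report says the repository offers 3 packages and would replace libc6 (installed 2.6.1-1ubuntu9, offered 1:2.6.1-2custom1); coolapp is new and firefox is unchanged. Such a report is advisory only: what actually stops a third-party repository from overriding Ubuntu's packages is apt pinning in /etc/apt/preferences, where a Pin-Priority below 100 for the third party's origin lets its packages be installed only when no Ubuntu version of them is installed.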
Re: Apturl (security) issues and inclusion in Gutsy
On Mon, Sep 17, 2007 at 10:33:15PM +0200, Wouter Stomp wrote:
> 1. It's possible to run arbitrary scripts in the preinst/postrm phase of
> dpkg installation or the installed program itself could be malicious. By
> allowing the repository to be specified the deb can come from anywhere.
> So, you've basically got just a yes/no dialog stopping arbitrary code
> execution. (Not far from UAC and ActiveX in windows.)

This is a feature of deb packages in general. ATM, you can provide .deb
links that will run gdebi by default. The difference of apturl is that it
allows you to ship dependencies of your provided packages as well.

> 2. Repositories added through apturl could provide packages included in
> Ubuntu but with higher version numbers with malicious code.

... this is a feature, not an issue.

> 3. There should be a VERY OBVIOUS visual indication of whether the
> program is going to be installed from the official repos or some third
> party site (right now it is not).

If this is not obvious enough, we should take a look. ATM you get at least
a warning because the 3rd party repository is not signed with a trusted
key.

> 4. It is not well maintained. In the two months that it has been in the
> archives, 20 bugs have been reported, none have been fixed. Only one had
> a response and that is a bug about a spelling mistake in the package
> description. (Altogether it seems to have been uploaded only to enable
> the plugin wizard in firefox to work, after which it hasn't had any more
> attention.)

Are there any serious bugs filed?

> 5. It hasn't had a lot of testing. It wasn't mentioned in any of the
> tribe release notes. There hasn't been a post in the dev-link forum or on
> the mailing lists. So not many people know about it or have tested it.

The ffox plugin finder wizard was announced with tribe-5. I agree though,
that we should call for more widespread testing/comments, especially how
we can raise awareness about the security implications of 3rd party
packages.

> 6. It functions for firefox only, even though solutions to enable it for
> konqueror and opera have been provided in bug report. This makes it
> impossible for a website to provide an "install this" link for an Ubuntu
> package. They have to mention that it only works if you are running
> firefox, not if you are a kubuntu user running konqueror for example.

I don't think that this is a valid argument. As you say, there are
solutions for other browsers available. The fact that they haven't been
integrated yet is not an issue of apturl.

> 7. There is currently no way for a website to know whether apt urls will
> work on the user's operating system. If a website provides an apt install
> link it will be broken for feisty and earlier ubuntu versions or other
> linux distributions.

How is this different from providing links to .deb packages? Users unaware
about architectures et al are not really capable to understand comments
next to the link either. If they are, you can do the same for apturl
links.

> 8. Making people enter their sudo password in a popup you got from
> clicking on a link on an arbitrary website is definitely not secure.

I see the point of this. We should investigate how we can make the
installer more spoof-proof. IIRC, it shades the application that started
the installer atm, which is a good start and probably hard to spoof with
just HTML mechanisms. Maybe we can add more prominent/graphical hints that
it's now the ubuntu install wizard processing your request?

> 9. apturl in its current version doesn't show the package description so
> people don't have a clue about what they are about to install other than
> the information provided on the website.

The package description always relies on what the package author provides.
Either you trust the package provider or you don't. However, I agree that
it's worth a wishlist bug to show the package description in the package
install confirmation dialog.

- Alexander
Re: Apturl (security) issues and inclusion in Gutsy
On Tue, Sep 18, 2007 at 12:25:00PM +0200, Alexander Sack wrote:
> > 2. Repositories added through apturl could provide packages included in
> > Ubuntu but with higher version numbers with malicious code.
>
> ... this is a feature, not an issue.

I'm really not convinced by that. We shouldn't be making it easier for
users to replace important system files, and we certainly shouldn't be
making it easier for arbitrary third parties to encourage them to do so.

--
Matthew Garrett | [EMAIL PROTECTED]
Apturl (security) issues and inclusion in Gutsy
Hello,

I would like to discuss the recent inclusion of apturl in the Gutsy
default installation. The idea of apturl is great but the current
implementation has a lot of issues, some of which I will list here:

1. It's possible to run arbitrary scripts in the preinst/postrm phase of
dpkg installation or the installed program itself could be malicious. By
allowing the repository to be specified the deb can come from anywhere.
So, you've basically got just a yes/no dialog stopping arbitrary code
execution. (Not far from UAC and ActiveX in windows.)

2. Repositories added through apturl could provide packages included in
Ubuntu but with higher version numbers with malicious code.

3. There should be a VERY OBVIOUS visual indication of whether the program
is going to be installed from the official repos or some third party site
(right now it is not).

4. It is not well maintained. In the two months that it has been in the
archives, 20 bugs have been reported, none have been fixed. Only one had a
response and that is a bug about a spelling mistake in the package
description. (Altogether it seems to have been uploaded only to enable the
plugin wizard in firefox to work, after which it hasn't had any more
attention.)

5. It hasn't had a lot of testing. It wasn't mentioned in any of the tribe
release notes. There hasn't been a post in the dev-link forum or on the
mailing lists. So not many people know about it or have tested it.

6. It functions for firefox only, even though solutions to enable it for
konqueror and opera have been provided in bug report. This makes it
impossible for a website to provide an "install this" link for an Ubuntu
package. They have to mention that it only works if you are running
firefox, not if you are a kubuntu user running konqueror for example.

7. There is currently no way for a website to know whether apt urls will
work on the user's operating system. If a website provides an apt install
link it will be broken for feisty and earlier ubuntu versions or other
linux distributions.

8. Making people enter their sudo password in a popup you got from
clicking on a link on an arbitrary website is definitely not secure.

9. apturl in its current version doesn't show the package description so
people don't have a clue about what they are about to install other than
the information provided on the website.

Conclusion: apturl is a great idea, but needs some work before it can be
included and enabled by default on Ubuntu. In its current form it would do
Gutsy more harm than good. With some work I think Gutsy could ship with it
if for now it would only allow installation of packages from the official
ubuntu repositories. Adding of third party repositories by clicking a
weblink is something that at least needs some discussion and imho should
not be done at all.

Cheers,
Wouter

n.b. link to apturl bug list: https://bugs.launchpad.net/ubuntu/+source/apturl