[packaging] Meeting next week to discuss trusted third-party repositories

Thomas Leonard talex5 at gmail.com
Wed Dec 17 12:21:08 PST 2008


2008/12/16 Peter Dolding <oiaohm at gmail.com>:
> On Tue, Dec 16, 2008 at 5:56 AM, Thomas Leonard <talex5 at gmail.com> wrote:
[...]
>> Security is the main issue for people? If only it were true ;-)
>>
>> I guess it depends on your perspective. Here's a typical scenario I
>> want to support:
>>
>> - User gets given a file in some odd format (pdf say) and they need to
>> get a third party viewer for it.
>> - User wants to install the viewer and read the file with minimum risk.
>>
>> SELinux, AppArmor and Smack don't seem to help here, because the
>> policy has to be set by the admin, before they even know what the user
>> wants to do. The best you can do is something like:
>>
>> - Acroread has read access to all the user's files.
>> - Acroread has no write access.
>
> That depends on the distribution.   You are badly wrong about SELinux
> always needing an admin to set rules.

So users can update the kernel's policy and set security labels on
their files? I didn't know that, but however you want to implement it,
that's fine. The information you have when a package is run is:

- The URI of the program
- The path of the file the user dragged to it, if any

That should be enough to have a sensible default policy that keeps
applications separate (particularly configuration files). Plash allows
applications to communicate with a separate process if they want to
display a save as/open dialog. The process then grants the running
application access to the chosen file. I'm sure SE-Linux could do the
same.

> Yes, you can write an SELinux policy that allows safe installation of
> malicious software.  SELinux supports sand-boxing and role-based and
> user-based allocation of access.   It provides two different methods to
> solve your shared directory security problems.

How can you do that (e.g. using RPM, etc)? Can the possibly-malicious
software add a file to /usr/bin, /usr/lib or /sbin? If not, it's going
to fail for a lot of packages. If so, it's hard to see how it can be
secure.

> Using SELinux sandboxes on every account.   This allows users without
> admin rights to set SELinux rules for what applications can and cannot
> access in their own account, without being able to override the system
> wide settings.   This is what I am talking about: there are systems out
> there that provide it, and even when it's on offer, 0install does not use it.

So what extra hooks are required? Say the user runs

$ 0launch http://example.com/foo.xml

I guess you need to intercept this, and turn it into something like:

$ 0launch --get-selections http://example.com/foo.xml > selections.xml
[ enter sandbox for http://example.com/foo.xml ]
$ 0launch --set-selections selections.xml

The first downloads the program and adds it to the cache, but doesn't
run it. The program shouldn't get the chance to do any damage here.
The second command runs the cached program from the first step, which
can run in a very restricted environment.

(in real life you'd do this with a Python script rather than messing
about with temporary files, of course)

> You hit it in one.   How can I currently have the advantage of Zero
> Install and treat users as 100 percent malicious?

I guess I don't really understand why your users are trying to get
around your security policy. Why not let them run whatever they want,
given a suitable sandbox (do you let them run JavaScript in their
browsers?). Even something as extreme as running untrusted apps in
vmware or something might make them happy.

>>> Not registering in the package database makes 0install harder to track for
>>> system admins.   Lots of tools out there will pull the main package
>>> manager database to a central location for monitoring.
>>
>> What are you trying to monitor, and why?
>>
> That there are no known defective programs installed.

I guess this is the issue. Zero Install regards the cache as
untrusted, in the sense that it doesn't care if there's malicious code
in there, only that it's correctly labelled. A solution that would fit
better would be to prevent the malicious code from getting run, rather
than preventing it from getting cached.

>>> 0install is not space effective; system admins don't want symbolic
>>> links for no good reason.
>>
>> What symlinks are you talking about?
>>
>> Zero Install is very efficient. It shares libraries between programs.
>> It shares programs between users (if you turn on system-wide sharing).
>> It shares files between packages (0store optimise). It even shares
>> packages between virtual machines (even virtual machines with
>> different operating systems and architectures):
>>
>>  http://0install.net/virtual.html
>
> In the home account itself.  System admins prefer not to have symbolic
> links pointing outside from there if they can.

There shouldn't be any symlinks. After all, the cache can be shared
between virtual machines or over a network, and mounted at different
places on each. Can you give an example of a symlink you've found?

(symlinks in upstream packages will be unpacked faithfully, but they
won't be adjusted depending on where the archive was unpacked)

> So a backup typo does not turn into the mother of a disaster.    Every
> user has .cache with symbolic links to the central store.

I don't understand this. Can you give an example symlink? The only
possibility I can think of is if a program creates a symlink to some
of its files when run (I think Blender symlinks its configuration
files to the defaults when run, for example, but it's not too serious
if they're missing).

> Laptops are some of the biggest causes of needing to transfer user
> accounts from the network to an outside machine and back.  0install is lacking
> the framework to make this process painless for admins.   If we run
> 0install we will get complaints from users on the road without an
> internet connection that the applications they want don't work if we
> don't copy with follow links. Yet if we use follow links we bloat
> the user account.

There's no way to avoid that on any system. If the laptop doesn't have
the program they want, and it won't have network access on the road,
then you have to copy the program onto the laptop first.

The two possible compromises (copying all the user's programs and
being slow, or copying none of them and not having some program) are
both supported. Personally, I'd copy none and tell the users to try
running any program they're going to need to make sure they've got it.

> Then there is worse: using mobile phone rates to
> download applications, which would be a nightmare from hell.

At least they have the option. Hotels usually offer tolerable Internet access.

[sudo vs policykit]
> The difference from sudo to PolicyKit is that you use a service with the
> different privilege instead of an application.

But how do you get the service running in the first place? Though I
agree it would be better than setuid if you can do it. 0launch doesn't
care what technology you use. It invokes your
"0store-secure-add-helper" script to add the current directory
(freshly unpacked from the download) to the system cache. The example
script uses sudo to get access because most systems have that, but you
can send the directory to a service if you prefer.


-- 
Dr Thomas Leonard		ROX desktop / Zero Install
GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1
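An added example (written for this discussion, not code from the original post and not Zero Install's own 0store-secure-add-helper) of what the helper that 0launch invokes in the sudo/PolicyKit exchange above has to check. The helper runs with more privilege than the user who unpacked the download, so it must not trust either the claimed name or the user's directory: it copies the directory into the store first, hashes the copy, and only renames it into place if the digest matches the name. Hashing the user's original and then copying it would let the user swap files in between and poison the shared cache. The manifest layout, the `demo_` digest prefix, and the command-line shape are assumptions for this example, not Zero Install's real manifest algorithm.

```python
#!/usr/bin/env python
"""Example store-add helper: admit a directory to a shared cache only if its
contents hash to the name it is being added under.  Example code for this
discussion; the manifest format below is an assumption, not Zero Install's."""
import hashlib
import os
import re
import shutil
import stat
import tempfile

# Assumed, simplified manifest layout (NOT Zero Install's real manifest format):
#   D /<dir>                     directory
#   F <sha256> <size> <path>     regular file
#   X <sha256> <size> <path>     executable file
#   S <sha256> <path>            symlink (digest of the link target text)
# mtime and ownership are left out on purpose so the digest depends only on
# what the package contains, not on who unpacked it or when.
DIGEST_RE = re.compile(r"^demo_[0-9a-f]{64}$")


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(root, rel, lines):
    """Append manifest lines for the directory root/rel, entries sorted by name."""
    with os.scandir(os.path.join(root, rel) if rel else root) as it:
        entries = sorted(it, key=lambda e: e.name)
    for entry in entries:
        path = rel + "/" + entry.name if rel else entry.name
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISLNK(st.st_mode):
            target = os.readlink(entry.path).encode()
            lines.append("S %s %s" % (hashlib.sha256(target).hexdigest(), path))
        elif stat.S_ISDIR(st.st_mode):
            lines.append("D /" + path)
            _walk(root, path, lines)
        elif stat.S_ISREG(st.st_mode):
            kind = "X" if st.st_mode & stat.S_IXUSR else "F"
            lines.append("%s %s %d %s" % (kind, _sha256_file(entry.path), st.st_size, path))
        else:
            # Devices, sockets, fifos: a package has no business containing these.
            raise ValueError("refusing special file in package: " + path)


def manifest(root):
    lines = []
    _walk(root, "", lines)
    return "\n".join(lines) + "\n"


def digest(root):
    """The name under which this directory's contents belong in the store."""
    return "demo_" + hashlib.sha256(manifest(root).encode()).hexdigest()


def secure_add(store, claimed, src):
    """Copy src into store/claimed if, and only if, its contents hash to
    claimed.  Returns the final path; raises ValueError on mismatch.

    The copy is what gets hashed, never the caller's original: the caller
    still owns src and could modify it between our hashing and our copying."""
    if not DIGEST_RE.match(claimed):
        raise ValueError("bad digest name: %r" % claimed)  # also blocks ../ tricks
    dest = os.path.join(store, claimed)
    if os.path.isdir(dest):
        return dest  # already present; by construction it has the same contents
    tmp = tempfile.mkdtemp(prefix=".adding-", dir=store)
    try:
        copied = os.path.join(tmp, claimed)
        shutil.copytree(src, copied, symlinks=True)
        actual = digest(copied)
        if actual != claimed:
            raise ValueError("digest mismatch: claimed %s, contents are %s" % (claimed, actual))
        os.rename(copied, dest)  # atomic: readers never see a half-copied directory
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
    return dest


if __name__ == "__main__":
    import sys
    # Assumed usage: secure_add.py <store> <digest> [<dir>]; <dir> defaults to
    # the current directory, as 0launch hands the helper the unpacked directory.
    print(secure_add(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else os.getcwd()))
```

Whatever mechanism hands the directory over (sudo as in the example script, or a PolicyKit-style service), the same two rules apply: the privileged side must derive the store name from content it alone controls, and the rename into the store must be atomic so other users never observe a partially added package.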

