the Software Manager is flawed


Post by the big e on Fri Jan 03, 2014 3:28 pm

I have just recently installed Mint after some time using Ubuntu.
Everything worked right, right off the bat. So I am generally happy.

However, there is something I noticed about the Software Manager that bothers me.

It lets you in as Superuser when you start the program. This seems unnecessary. You are not doing any action that needs to be done as Superuser until the moment you actually decide to install something.

Furthermore, when you are in Software Manager and you find a link to a developer website in the software description, and you click on it, the website opens within Software Manager, rather than in a browser window.

Is that outside website being handled by a process that has Superuser privileges? If so, that could be a way to sneak a script in.

So my suggestion is, these issues need to be fixed.
the big e
Level 1
Posts: 13
Joined: Fri Jan 03, 2014 3:08 pm


Re: the Software Manager is flawed

Post by computerbob on Fri Jan 03, 2014 3:35 pm

It has always been a root privilege to open Software Manager. You could have other users on the computer and you don't want them adding and deleting programs.
The developer website is not a link. It is a screen shot of their web page.
computerbob
Level 4
Posts: 284
Joined: Wed Jan 01, 2014 1:55 pm

Re: the Software Manager is flawed

Post by the big e on Fri Jan 03, 2014 3:59 pm

Well, that's reassuring. It's not as bad as it looked.
the big e
Level 1
Posts: 13
Joined: Fri Jan 03, 2014 3:08 pm

Re: the Software Manager is flawed

Post by xenopeek on Sat Jan 04, 2014 3:26 pm

Software Manager used to start with asking for your password, but then if you had a couple of packages to install or remove, you had to give your password for each and every one of those. From community feedback gathered, the Software Manager was changed to ask for your password only once--at startup. Perhaps not perfect for all users either, but as they say there is no pleasing everybody :wink:

BTW you're not limited to Software Manager for installing software. This is just one of the APT package management front-ends you can use to install software. What you install through one APT front-end is visible also on other APT front-ends. For example on Linux Mint you have:
- Software Manager (the easiest :wink:)
- Synaptic Package Manager (advanced package manager, with various tools to help you repair problems)
- GDebi (the installer for .deb files you download yourself)
- Update Manager (handles the updates for all your installed packages)
- apt-get (a command line interface to APT)
- aptitude (a console interface to APT)

Aside from that there are other APT front-ends you could use and perhaps one of these will suit your requirements better.
xenopeek
Level 21
Posts: 14735
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: the Software Manager is flawed

Post by the big e on Sat Jan 04, 2014 9:50 pm

Well, the thing that bugged me is that the Software Manager looks like it can go and look at web pages while logged in as superuser.

And I think the earlier poster is mistaken to say that the thing I was seeing was not a link, but a screenshot. Some of the links within those pages function too.

I say, it is possible for people to make sure their repository is clean, but not possible to know that there is no malware on all the associated websites.

So if the Software Manager can surf the web while it is logged in with superuser privileges, this is a hazardous thing to do.
the big e
Level 1
Posts: 13
Joined: Fri Jan 03, 2014 3:08 pm

Re: the Software Manager is flawed

Post by xenopeek on Sun Jan 05, 2014 5:22 am

You are right, though not all packages have such a link. I looked at the package for the Opera web browser, and that has a link that is opened in Software Manager.

Looking at the source code of mintinstall (/usr/lib/linuxmint/mintInstall/mintInstall.py) I think it is using a webkit plugin to show the website and may not be lowering privileges--I haven't read the entire source so can't comment on whether it (or webkit) is temporarily dropping privileges or not. While in mintinstall's Edit > Preferences menu you can enable opening links in an external browser (hey :)), this for sure doesn't lower privileges and runs your browser as root :shock:

While the first isn't easily patched, at least not by me, the second we can patch though I don't have the skills to do it cleanly. This is the bit of code where changes are needed:
    def on_website_clicked(self):
        package = self.current_package
        if package is not None:
            if self.prefs['external_browser']:
                os.system("xdg-open " + self.current_package.pkg.candidate.homepage + " &")
            else:
                self.websiteBrowser.open(self.current_package.pkg.candidate.homepage)
                self.navigation_bar.add_with_id(_("Website"), self.navigate, self.NAVIGATION_WEBSITE, "website")

It's trivial enough to replace this line:
    os.system("xdg-open " + self.current_package.pkg.candidate.homepage + " &")

with:
    os.system("sudo -u username xdg-open " + self.current_package.pkg.candidate.homepage + " &")

Replace "username" in that with your username (I already said I didn't have the skills to do this cleanly, right?). It then lowers privileges and runs the browser as you instead of as root.

Looking at it, there are unfortunately many more things wrong with mintinstall. It retrieves screenshots and reviews from the web, and malicious users could possibly exploit webkit bugs with malformed images or something and those would execute in a privileged environment :| mintinstall also stores settings in /root instead of storing these, as you would expect, in the home directory of the user that started mintinstall.

It needs a lot of rework IMHO. I actually never open mintinstall except to help other users with problems they are having. It's just too slow for me and I prefer searching and installing using apt command line.

All that said, I'm not immediately worried for anybody using mintinstall except for when they have enabled the external browser. That introduces users to risks beyond Linux Mint's websites and users might keep the browser open and go visit less reputable websites also... All the while as root, without any extensions they might have on their own browser to keep malicious content out (Adblock Plus, NoScript, those kinds of things).

Edit: some more looking I see mintinstall is running as "/usr/bin/sudo -H -S -p GNOME_SUDO_PASS -u root -- mintinstall". That might be a mistake, as -H causes the process to set HOME to /root instead of preserving HOME as you would ideally do. If HOME was preserved, we could instead use the following code to drop privileges to the user that started mintinstall (still a hack though, as this assumes your home directory's name is the same as your username):
    os.system("sudo -u " + home.rpartition('/')[2] + " xdg-open " + self.current_package.pkg.candidate.homepage + " &")
xenopeek
Level 21
Posts: 14735
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands
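
Added example, not part of the post above and not mintinstall's own code: one way to open the homepage as the invoking user without deriving the username from HOME and without passing the URL through a shell. It assumes mintinstall was started through sudo as shown in the post (so sudo has set SUDO_UID) and Python 3.9+; PASS_ENV, safe_homepage, invoking_user, build_launch and open_homepage are hypothetical names.

```python
import os
import pwd
import subprocess
from urllib.parse import urlsplit

# Assumption: only these variables are worth handing to the user's browser.
PASS_ENV = ("DISPLAY", "XAUTHORITY", "LANG", "PATH")

def safe_homepage(url):
    """Return url if it is a plain http(s) URL with a host, else None."""
    if not url or any(c.isspace() or ord(c) < 0x20 for c in url):
        return None
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    return url

def invoking_user(environ, getpwuid=pwd.getpwuid):
    """Resolve the account that ran sudo from SUDO_UID (set by sudo itself)."""
    try:
        entry = getpwuid(int(environ["SUDO_UID"]))
    except (KeyError, ValueError):
        return None
    return None if entry.pw_uid == 0 else entry

def build_launch(url, environ=os.environ, getpwuid=pwd.getpwuid):
    """Return (argv, env, user) for an unprivileged launch, or None to refuse."""
    url, user = safe_homepage(url), invoking_user(environ, getpwuid)
    if url is None or user is None:
        return None
    env = {k: environ[k] for k in PASS_ENV if k in environ}
    env.update(HOME=user.pw_dir, USER=user.pw_name, LOGNAME=user.pw_name)
    return ["xdg-open", url], env, user  # argv list: no shell parses the URL

def open_homepage(url):
    """Hypothetical replacement for the os.system() call; needs Python 3.9+."""
    plan = build_launch(url)
    if plan is None:
        return False  # refuse rather than open anything as root
    argv, env, user = plan
    groups = os.getgrouplist(user.pw_name, user.pw_gid)
    subprocess.Popen(argv, env=env, cwd=user.pw_dir, start_new_session=True,
                     user=user.pw_uid, group=user.pw_gid, extra_groups=groups)
    return True
```

The child gets a rebuilt environment instead of root's, so HOME points at the user's own directory even though sudo -H set it to /root for mintinstall itself.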

Re: the Software Manager is flawed

Post by Monsta on Sun Jan 05, 2014 6:08 am

Wow. I never used this software myself, but from your posts I see there's a couple of issues that should probably be reported straight to https://github.com/linuxmint/mintinstall/issues :)
Monsta
Level 8
Posts: 2417
Joined: Fri Aug 19, 2011 3:46 am

Re: the Software Manager is flawed

Post by the big e on Sun Jan 05, 2014 12:36 pm

xenopeek, thank you for the suggestions. But I think you are discussing things that are above my skill level (for now) so I can't do them myself.
the big e
Level 1
Posts: 13
Joined: Fri Jan 03, 2014 3:08 pm

Re: the Software Manager is flawed

Post by the big e on Sun Jan 05, 2014 12:41 pm

Monsta, I don't know much about GitHub. Who is reading at that link you told me about?
the big e
Level 1
Posts: 13
Joined: Fri Jan 03, 2014 3:08 pm

Re: the Software Manager is flawed

Post by xenopeek on Sun Jan 05, 2014 1:15 pm

The Linux Mint developers. When next I catch Clem (project lead) on IRC and having some time, I'll discuss at least mintinstall launching the browser and webkit plugin as root with him. Ideally these should go as separate issues onto GitHub (hint hint :wink:). Aside from the hack to launch the browser not as root I did, I think running webkit plugin not as root might need some serious rewriting...
xenopeek
Level 21
Posts: 14735
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: the Software Manager is flawed

Post by xenopeek on Thu Jan 09, 2014 8:43 am

I talked to Clem about it today. Ideally mintinstall would be rewritten to use polkit (so it runs not as root). They are considering it for Linux Mint 17.
xenopeek
Level 21
Posts: 14735
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: the Software Manager is flawed

Post by anandrkris on Thu Jan 09, 2014 8:49 am

It's always heartening to see issues getting reported and progressing swiftly... :D
Cheers,
If there is a drive, there will be a path
anandrkris
Level 5
Posts: 865
Joined: Fri Nov 16, 2012 1:13 am
Location: Chennai
