Appimages and security issues

Chat about Linux in general
Post Reply
Mintymandy34
Level 4
Level 4
Posts: 377
Joined: Mon Feb 11, 2019 10:57 pm

Appimages and security issues

Post by Mintymandy34 » Fri Mar 15, 2019 11:47 am

Hello, new user here.
I've read Security in Linux Mint and Ubuntu: an Explanation and Some Tips by Pjotr.
I've also read countless threads about viruses in Linux(not really viruses) and why not to use anti-viruses or anything similar.
So, this thread isn't about "How to protect Linux from getting infected from Windows viruses".
The concerns I have are quite different.

Pjotr recommends to only install software from the official software sources of Linux Mint and Ubuntu.
This is what I do most of the times.
But in some cases, the said software isn't available in the official Mint and Ubuntu repo and I've to go the developer's website to download them.
Recently I've noticed a lot of developers distributing AppImages as the default format in their websites.
Just to be crystal clear, I'm not talking about untrusted or unverified developers.
I'm not for downloading an untrusted application then thinking about the security issues.
So, back to my points, due to a little rise in popularity of AppImages, I've started preferring AppImages over Flatpaks and Snaps.
This is where my worries begin.

When I started with Linux Mint, two months back, I read about different packing formats, their advantages and disadvantages.
There I found, that AppImages don't have any sandboxing feature by default whereas Flatpaks and Snaps have that.
So, I searched for how people preferred AppImages then and found that it's all about a game of trust.
You've to trust somebody and there are developers who have earned the trust of their users by providing good quality software for years or decades without any catches.
This brought back some relief as I never downloaded any untrusted software to begin with and I've followed the developers for years and know they're really reliable.
But while reading about AppImages, I found the developers recommended using FireJail for sandboxing.
So, I searched a little bit about the implementation and came across a discussion they were having about an implementation of sandboxing within AppImage by default.
Like a curious kid, I tried to dig deeper and I found out a post that broke my reality about the game of trust.

This is my summary of that discussion. (Don't confuse this with that other reply I had made in another unrelated post)
The reason the system repo is safe is because it is verified regularly and the distro devs are really careful what they're passing.
They have a huge community and they can communicate with their users if any major security issue(most likely an attack) is encountered.
But in general, single or small developers might not have this big of a backing or resource because of which they might be more susceptible(not by an alarming rate) to an attack.
So, their websites might get hacked(for a day or two at max) and malwares can be distributed.
Now, this is where the trust becomes an issue.
We trust these developers and they would never choose to distribute malwares, but in some cases, someone pretending to be our trusted developer can distribute a malware to users.
Smart and updated users might know what's up, but people who work a lot in offline modes and don't have much of an online presence might not notice the discrepancies.
This is scary.
I trust my developers to protect their users at all costs, but there's still some risk and if we, as in users, could find a way to implement some safety measures like sandboxes, maybe that can work as a safety net in cases of emergencies.

So, my question is how big can the impact of this sandboxing-issue be and how can it be avoided and how can we use better prevention techniques as safety nets.
This is a pretty long post, I'm still new to Linux and don't know a lot of things, so kindly correct me if you find anything wrong with my post. :D

And please suggest any modifications if the post is really long and drives readers away instead of bringing them. :)

User avatar
BenTrabetere
Level 6
Level 6
Posts: 1019
Joined: Sat Jul 19, 2014 12:04 am
Location: Hattiesburg, MS USA

Re: Appimages and security issues

Post by BenTrabetere » Sun Mar 17, 2019 4:19 pm

I am surprised I am making the first response to this thread.
Mintymandy34 wrote:
Fri Mar 15, 2019 11:47 am
So, my question is how big can the impact of this sandboxing-issue be and how can it be avoided and how can we use better prevention techniques as safety nets.
I use the AppImage version for several programs, and I have never "firejailed" an AppImage.

As you stated, it is a matter of trust. All but one of the AppImages I regularly use are maintained by the developers, and it is ludicrous to think developers would intentionally sabotage their project. Yeah, yeah, yeah, it is a regular occurrence for Microsoft....

One major exception is the GIMP AppImage maintained by Andrea Ferrero. I fully trust him - he is a long-time contributor to PIXLS.US, and his AppImages are used by a lot of people.

A while back there a question was raised in the AppImage forum concerning the potential for people to create and distribute malicious AppImages. Peter Simon (aka, probono and the developer of AppImage) responded by first pointing out the concerns were essentially about "how executables are handled on Linux in general, not about AppImage in particular" and "AppImage does not improve or worsen the Linux security model in this regard."

https://discourse.appimage.org/t/what-p ... malware/67

Hoser Rob
Level 15
Level 15
Posts: 5612
Joined: Sat Dec 15, 2012 8:57 am

Re: Appimages and security issues

Post by Hoser Rob » Mon Mar 18, 2019 9:19 am

Yes, using appimages and other Linux portables can have old libriaries with security issues. The best answer for this would be coherent and consiistent packaging and libraries and APIs in Linux. Don't hold your breath.

Mintymandy34
Level 4
Level 4
Posts: 377
Joined: Mon Feb 11, 2019 10:57 pm

Re: Appimages and security issues

Post by Mintymandy34 » Mon Mar 18, 2019 2:18 pm

BenTrabetere wrote:
Sun Mar 17, 2019 4:19 pm
I am surprised I am making the first response to this thread.
I'm not surprised, I think you've a lot of experience with AppImages.
BenTrabetere wrote:
Sun Mar 17, 2019 4:19 pm
I use the AppImage version for several programs, and I have never "firejailed" an AppImage.
Nice. Most of the AppImages I'm using actually are recommended by you.
I'm not for firejailing AppImages either because I've also read firejail has bigger surface area and hence higher chances of a possible attack.
BenTrabetere wrote:
Sun Mar 17, 2019 4:19 pm
As you stated, it is a matter of trust. All but one of the AppImages I regularly use are maintained by the developers, and it is ludicrous to think developers would intentionally sabotage their project. Yeah, yeah, yeah, it is a regular occurrence for Microsoft....
No, no, I'm not comparing this with the Microsoft experience.
I also do think it's ludicrous to think developers would intentionally sabotage their project.
In fact, I know if a developer tries to do that in Linux, it'll be the last time his/her apps will be used in Linux, they'll be banned across the board, everywhere.
What I'm really worried about is a potential hack, like hacking a website for a day or two and replacing the original safe downloads with malwares.
I know, Linux desktop is currently not a very lucrative prospect for malware writers but in the future with the growth of Linux desktops, it might attract some malware devs.
I've also read implementing malwares/viruses in Linux is way too tough than in other operating systems, so that brings some relief.
BenTrabetere wrote:
Sun Mar 17, 2019 4:19 pm
One major exception is the GIMP AppImage maintained by Andrea Ferrero. I fully trust him - he is a long-time contributor to PIXLS.US, and his AppImages are used by a lot of people.
I follow PIXLS.US and they seem trustworthy.
But I would love it if it could be made available through GIMP's official channels.
Currently, GIMP only supports Flatpaks other than Linux distro repos.
BenTrabetere wrote:
Sun Mar 17, 2019 4:19 pm
A while back there a question was raised in the AppImage forum concerning the potential for people to create and distribute malicious AppImages. Peter Simon (aka, probono and the developer of AppImage) responded by first pointing out the concerns were essentially about "how executables are handled on Linux in general, not about AppImage in particular" and "AppImage does not improve or worsen the Linux security model in this regard."
https://discourse.appimage.org/t/what-p ... malware/67
Yes, I read that, which is why I'm not saying that AppImages are to be blamed.
And I also don't think AppImages worsen the situation.
Simon Peter was also talking about the sandboxing issue, and he was all for it but he mentioned he wasn't personally interested to invest time on developing a solution and asked if any volunteers would go for it.
I think, he's a good person and the lack of interest maybe is related to the lack of threat.
I mean, when I search, "AppImage virus linux", I don't find anything relevant, so we could assume nobody has been affected till date.
Thanks for the reply. :D
Have you ever used Alternativeto, OSAlt.com or Slant.co?
Do we have something like that for AppImages? Something that's maintained and verified by some senior AppImage developers and also the AppImage user community.
Hoser Rob wrote:
Mon Mar 18, 2019 9:19 am
Yes, using appimages and other Linux portables can have old libriaries with security issues. The best answer for this would be coherent and consiistent packaging and libraries and APIs in Linux. Don't hold your breath.
Yes, totally agree with the first point.
But I think AppImages and Flatpaks only come into play when the default repo's softwares either become unusable according to current standards or they're completely absent.
For general users who only browse the internet or use mails or office apps, latest softwares might not be a necessity.
No offense, but for niche work, default repo can miss more than it hits.
I still think the default repo is cool and I try to use it 99% of times, but in some cases the softwares are kind of out-dated by a year or two.
So, if you're suggesting there's a way to use AppImages along-with coherent and consistent packaging and libraries and APIs in Linux securely, then I would really appreciate if you could elaborate on that.
If you're suggesting "Say no to Flatpaks and AppImages if you want to have security", then I'm just sad that I can't find a middle-ground. :(
Thanks for the post. :D

User avatar
phd21
Level 19
Level 19
Posts: 9449
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Re: Appimages and security issues

Post by phd21 » Mon Mar 18, 2019 3:11 pm

Hi Mintymandy34,

I just read your post and the good replies to it. Here are my thoughts on this as well.
Mintymandy34 wrote:What I'm really worried about is a potential hack, like hacking a website for a day or two and replacing the original safe downloads with malwares.
This theoretically could happen with any software on any computer operating system using any software delivery method which is why people can verify their downloads with checksum and signature methods and why Linux Mint repositories and PPA's require valid security keys, signatures, and such.
Mintymandy34 wrote:I know, Linux desktop is currently not a very lucrative prospect for malware writers but in the future with the growth of Linux desktops, it might attract some malware devs.
I've also read implementing malwares/viruses in Linux is way too tough than in other operating systems, so that brings some relief.
There are some Linux or cross-platform malware that is out there which is why users should apply updates, use some common sense, and I still recommend using a sanboxing application like firejail for all Internet-enabled applications. I have never heard of anyone using Linux or Linux Mint getting affected by malware. It is very much discouraged to install antivirus anti-malware software in "real time" always running mode as these applications themselves are being targeted by malware developers. I have installed a couple different antivirus anti-malware software applications which I do not have running all the time (real time) because I help other people who send me files from MS Windows and Mac computers and I download and test a lot of software for Linux Mint members and myself, so I save everything into my Downloads folder and scan that before I access or use any of those files.
Mintymandy34 wrote:But I think AppImages and Flatpaks only come into play when the default repo's softwares either become unusable according to current standards or they're completely absent.
For general users who only browse the internet or use mails or office apps, latest softwares might not be a necessity. No offense, but for niche work, default repo can miss more than it hits.
I still think the default repo is cool and I try to use it 99% of times, but in some cases the softwares are kind of out-dated by a year or two.
I really like AppImages even more so than Flatpak or Snap packages. I have many AppImages of software applications that I use. If there are new versions of some software applications with new features and or bugfixes, it can take a while to a long time before they show up through the secure stable repositories which is where PPA's, deb files, AppImages, flatpak, and snap packages can help users to get the newer software. Of course, some software is not even available in the Mint Software Manager or Synaptic Package Manager (SPM) (repositories) and must be installed using other methods.
Mintymandy34 wrote:So, if you're suggesting there's a way to use AppImages along-with coherent and consistent packaging and libraries and APIs in Linux securely, then I would really appreciate if you could elaborate on that.
If you're suggesting "Say no to Flatpaks and AppImages if you want to have security", then I'm just sad that I can't find a middle-ground. :( Thanks for the post. :D
If any software you want to use is not accessing the Internet, then there is no need to be concerned and no need to sandbox it regardless of its installation and or delivery packaging options like an AppImage.

AppImage Support | Firejail
https://firejail.wordpress.com/document ... e-support/

Firejail Usage | Firejail
https://firejail.wordpress.com/document ... /#appimage

Hope this helps ...
Phd21: Mint KDE 18.3 & 19, 64-bit Awesome OS, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram,256gb SDD, Video: Intel 4 Graphics, DVD Lightscribe. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde

User avatar
Portreve
Level 8
Level 8
Posts: 2148
Joined: Mon Apr 18, 2011 12:03 am
Location: Florida
Contact:

Re: Appimages and security issues

Post by Portreve » Mon Mar 18, 2019 3:46 pm

I only have one program on my system which was distributed as an AppImage, and that's the nominally current testing release version of Scribus. I use it for a number of projects.

I also use the current version of LibreOffice; however, I simply installed the program directly from the files The Document Foundation makes available.

I think I've said this elsewhere, but honestly I don't care one way or the other when it comes to AppImage, Flatpack, Snaps, or any other such conduit. I'm not aware of compromization-type problems, but I don't view it as a particularly "clean" way to install a program, and I mean that from a standpoint of trust.
Presently rocking LinuxMint 19.2 Cinnamon.

Remember to mark your fixed problem [SOLVED].

Xi does look like Winnie the Pooh. FTCG.

Mintymandy34
Level 4
Level 4
Posts: 377
Joined: Mon Feb 11, 2019 10:57 pm

Re: Appimages and security issues

Post by Mintymandy34 » Mon Mar 18, 2019 3:49 pm

phd21 wrote:
Mon Mar 18, 2019 3:11 pm
Hi Mintymandy34,

I just read your post and the good replies to it. Here are my thoughts on this as well.

This theoretically could happen with any software on any computer operating system using any software delivery method which is why people can verify their downloads with checksum and signature methods and why Linux Mint repositories and PPA's require valid security keys, signatures, and such.
Hello phd21.
Yes, I understand the verification methods implemented by Linux Mint repos and PPAs and other downloads.
I verify the AppImage downloads with the checksums and signatures.
phd21 wrote:
Mon Mar 18, 2019 3:11 pm
There are some Linux or cross-platform malware that is out there which is why users should apply updates, use some common sense, and I still recommend using a sanboxing application like firejail for all Internet-enabled applications. I have never heard of anyone using Linux or Linux Mint getting affected by malware. It is very much discouraged to install antivirus anti-malware software in "real time" always running mode as these applications themselves are being targeted by malware developers. I have installed a couple different antivirus anti-malware software applications which I do not have running all the time (real time) because I help other people who send me files from MS Windows and Mac computers and I download and test a lot of software for Linux Mint members and myself, so I save everything into my Downloads folder and scan that before I access or use any of those files.
Yes, cross-platform malwares, I've read about them. Are you talking about java-related malwares?
I always keep my system up-to-date and only download softwares from websites I trust.
You recommend using firejail for all internet-enabled applications.
But how do I know which ones are internet-enabled? Is it that they need to connect to internet in order to work?
About real-time anti-virus, yes I don't see the point of installing them if they can get infected easily.
But you're talking about using anti-virus not in real time, how do you do that? And which anti-virus do you use?
I'm not planning to install the anti-virus on my main system, but I think I could test it inside a VM.
phd21 wrote:
Mon Mar 18, 2019 3:11 pm
I really like AppImages even more so than Flatpak or Snap packages. I have many AppImages of software applications that I use. If there are new versions of some software applications with new features and or bugfixes, it can take a while to a long time before they show up through the secure stable repositories which is where PPA's, deb files, AppImages, flatpak, and snap packages can help users to get the newer software. Of course, some software is not even available in the Mint Software Manager or Synaptic Package Manager (SPM) (repositories) and must be installed using other methods.
I like AppImages over Flatpak and Snaps. Reason: Ultra portable.
phd21 wrote:
Mon Mar 18, 2019 3:11 pm
If any software you want to use is not accessing the Internet, then there is no need to be concerned and no need to sandbox it regardless of its installation and or delivery packaging options like an AppImage.
Yes, how can I know that?
How can I know if an application is accessing the internet?
phd21 wrote:
Mon Mar 18, 2019 3:11 pm
AppImage Support | Firejail
https://firejail.wordpress.com/document ... e-support/

Firejail Usage | Firejail
https://firejail.wordpress.com/document ... /#appimage
Yes, I have followed this, and I think you did guide me this way earlier.
Firejail support for AppImages is cool, but I'm not really sure how to choose which one to FireJail.
phd21 wrote:
Mon Mar 18, 2019 3:11 pm
Hope this helps ...
Thanks for the post, it really helps me a lot. :D

Mintymandy34
Level 4
Level 4
Posts: 377
Joined: Mon Feb 11, 2019 10:57 pm

Re: Appimages and security issues

Post by Mintymandy34 » Mon Mar 18, 2019 3:53 pm

Portreve wrote:
Mon Mar 18, 2019 3:46 pm
I only have one program on my system which was distributed as an AppImage, and that's the nominally current testing release version of Scribus. I use it for a number of projects.

I also use the current version of LibreOffice; however, I simply installed the program directly from the files The Document Foundation makes available.

I think I've said this elsewhere, but honestly I don't care one way or the other when it comes to AppImage, Flatpack, Snaps, or any other such conduit. I'm not aware of compromization-type problems, but I don't view it as a particularly "clean" way to install a program, and I mean that from a standpoint of trust.
Are you trying to say that you don't care about any vulnerability with AppImages because it brings the convenience or you simply don't consider it as a threat since you consider it unsafe by default and use it minimally?

Thanks for the reply.
I'm kind of confused though.
Can you please link me to the post where you've elaborated on this?
Thanks. :D

User avatar
Portreve
Level 8
Level 8
Posts: 2148
Joined: Mon Apr 18, 2011 12:03 am
Location: Florida
Contact:

Re: Appimages and security issues

Post by Portreve » Mon Mar 18, 2019 7:14 pm

Wow. You didn't actually read what I wrote. Don't skim.

I have no preference among them. I don't care which one of them a given project uses.

Oh, I have no idea where I've commented previously. It wasn't anything more in depth than — likely not even as in depth as — my comments in this thread. All I'm saying is: this isn't the first time I've commented.

I come from a world where you install software from disk, disc, or download of a disk image container. It's what everyone's used to. Doing software installs in GNU+Linux as we know them today (that is, via a repository) is definitely a better approach. Of course, it's not really all that viable for the closed-source, proprietary software model, but then again, people do not run GNU+Linux just so they can run proprietary software.

I have more of a nascent concern: I want software which has withstood definite public scrutiny and is curated by my distro of choice. AppImage, et al, in that respect, is kind of a corner-cutting approach.
Presently rocking LinuxMint 19.2 Cinnamon.

Remember to mark your fixed problem [SOLVED].

Xi does look like Winnie the Pooh. FTCG.

Mintymandy34
Level 4
Level 4
Posts: 377
Joined: Mon Feb 11, 2019 10:57 pm

Re: Appimages and security issues

Post by Mintymandy34 » Mon Mar 18, 2019 8:01 pm

Portreve wrote:
Mon Mar 18, 2019 7:14 pm
Wow. You didn't actually read what I wrote. Don't skim.
Honestly, I read your reply atleast 3 times before writing my last response.
I asked for clarification because I had trouble understanding it.
Portreve wrote:
Mon Mar 18, 2019 7:14 pm
I have no preference among them. I don't care which one of them a given project uses.

Oh, I have no idea where I've commented previously. It wasn't anything more in depth than — likely not even as in depth as — my comments in this thread. All I'm saying is: this isn't the first time I've commented.

I come from a world where you install software from disk, disc, or download of a disk image container. It's what everyone's used to. Doing software installs in GNU+Linux as we know them today (that is, via a repository) is definitely a better approach. Of course, it's not really all that viable for the closed-source, proprietary software model, but then again, people do not run GNU+Linux just so they can run proprietary software.
Agreed.
Portreve wrote:
Mon Mar 18, 2019 7:14 pm
I have more of a nascent concern: I want software which has withstood definite public scrutiny and is curated by my distro of choice. AppImage, et al, in that respect, is kind of a corner-cutting approach.
Thanks for the clarification. :D

User avatar
phd21
Level 19
Level 19
Posts: 9449
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Re: Appimages and security issues

Post by phd21 » Tue Mar 19, 2019 12:45 pm

Hi Mintymandy34,

You are welcome...
phd21 wrote:
Mon Mar 18, 2019 3:11 pm
There are some Linux or cross-platform malware that is out there which is why users should apply updates, use some common sense, and I still recommend using a sandboxing application like firejail for all Internet-enabled applications. I have never heard of anyone using Linux or Linux Mint getting affected by malware. It is very much discouraged to install antivirus anti-malware software in "real time" always running mode as these applications themselves are being targeted by malware developers. I have installed a couple different antivirus anti-malware software applications which I do not have running all the time (real time) because I help other people who send me files from MS Windows and Mac computers and I download and test a lot of software for Linux Mint members and myself, so I save everything into my Downloads folder and scan that before I access or use any of those files.
Mintymandy34 wrote:Yes, cross-platform malwares, I've read about them. Are you talking about java-related malwares?
I always keep my system up-to-date and only download softwares from websites I trust.
Any malware Java based or any other kind.
Mintymandy34 wrote:You recommend using firejail for all internet-enabled applications. But how do I know which ones are internet-enabled? Is it that they need to connect to internet in order to work?
Yes, If an application accesses the Internet then they are Internet enabled. Some software accesses the Internet all the time (browsers, chat messaging, email clients, active remote control remote access, etc...) and others only at certain times for updates and or adding plug-ins or add-ons. But, if a software was hacked or infected with malware, then even software that would not normally access the Internet could be accessing the Internet because of the malware.

As for how can anyone tell if an application is accessing the Internet, that can be difficult to determine. Applications like Gimp image editor, Kdenlive video editor, Ksnip screenshot app, etc... are not usually accessing the Internet except to update or add plug-ins and add-ons or if you tell them to upload or download to or from Internet based websites.

There are various desktop applications and console terminal application commands that can monitor your Internet connection and display anything accessing the Internet. And, most of these would be difficult for the average non-technical user to understand and use.

Can I monitor connections to open ports? - Linux Mint Forums
viewtopic.php?f=90&t=285851&hilit=ports

Mintymandy34 wrote:About real-time anti-virus, yes I don't see the point of installing them if they can get infected easily.
I did not say the antivirus anti-malware applications can be easily infected just that some of them have been targeted by malware creators and hackers. Most of the antivirus anti-malware software developers are very quick to notice and fix anything that affects their applications. I do not know of any of the Linux antivirus anti-malware applications have ever been targeted, but that does not mean they have not been or will not be in the future.
Mintymandy34 wrote:But you're talking about using anti-virus not in real time, how do you do that? And which anti-virus do you use? I'm not planning to install the anti-virus on my main system, but I think I could test it inside a VM.
Most anti-virus applications have an option to turn off their real-time always scanning mode which means that you have to tell them when you want to scan something (= on demand). Some can even be set with very specific options like only scan a certain folder in real-time. Real-time scanning does not necessarily mean that a particular application is accessing the Internet all the time or is open to intrusion from Internet hackers or malware.

I use LMD (Linux Malware Detect) in conjunction with ClamAV both of which automatically update themselves. I also have other antivirus apps like BitDefender which has not been updating their free Linux software for a couple years now, but it still gets updated antivirus anti-malware definitions. There are other applications available. And, there are really nice bootable antivirus "rescue discs" that can be put onto a DVD/CD disc or USB stick that anyone can boot to and use to check their entire system and any attached drives; make sure they can scan Linux files. I will usually run a bootable antivirus disc overnight once a month or two, or some related news alert, or whenever something weird happens. They have never found any Linux malware only the occasional MS Windows related malware.

See this post:
Need for an antivirus.?
viewtopic.php?f=90&t=238726&hilit=maldet

phd21 wrote:
Mon Mar 18, 2019 3:11 pm
I really like AppImages even more so than Flatpak or Snap packages. I have many AppImages of software applications that I use. If there are new versions of some software applications with new features and or bugfixes, it can take a while to a long time before they show up through the secure stable repositories which is where PPA's, deb files, AppImages, flatpak, and snap packages can help users to get the newer software. Of course, some software is not even available in the Mint Software Manager or Synaptic Package Manager (SPM) (repositories) and must be installed using other methods.
Mintymandy34 wrote:I like AppImages over Flatpak and Snaps. Reason: Ultra portable.
Besides being more portable, these "self-contained" applications where all or most of the supporting packages required to run them are included which means less chance of conflicts with other installed software and or updates and AppImages tend to work even on slightly older Linux systems like Linux Mint 18.x even if the software was created with newer versions of Linux.
phd21 wrote:
Mon Mar 18, 2019 3:11 pm
If any software you want to use is not accessing the Internet, then there is no need to be concerned and no need to sandbox it regardless of its installation and or delivery packaging options like an AppImage.
Mintymandy34 wrote:Yes, how can I know that? How can I know if an application is accessing the internet?
Already answered earlier in this reply



FYI: You can always sandbox (firejail) any application or all applications.

Sandboxing applications using firejail or another sandboxing application comes with certain changes that can affect how the application(s) work. For instance, firejail sandboxed browsers cannot download anything except to the Downloads folder unless you specifically tell firejail to "whitelist" other folders or that particular firejail profile for that application allows access to other folders. And, lets say you download an installation file like an AppImage, or deb file, etc... from your browser, sometimes a browser or your system will try to automatically open that file to install it, I would recommend that you close the installer spawned by a sandboxed application, then scan it if you want, and install it from your system using your non-sandboxed file manager or console terminal prompt or it may not install properly.

If you are trying to upload files like screenshots to this forum or any other image hosting website from a firejail sandboxed browser, or any other sandboxed applications, they must be in the "Downloads" folder instead of the usual default "Pictures" folder or a "whitelisted" folder or you will not be able to access them. For my screenshot applications like Ksnip, I set their default save options to my "/Downloads/ScreenShots" folder.


Hope this helps ...
Phd21: Mint KDE 18.3 & 19, 64-bit Awesome OS, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram,256gb SDD, Video: Intel 4 Graphics, DVD Lightscribe. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde

Mintymandy34
Level 4
Level 4
Posts: 377
Joined: Mon Feb 11, 2019 10:57 pm

Re: Appimages and security issues

Post by Mintymandy34 » Tue Mar 19, 2019 4:28 pm

Hi phd21.
Thanks for the reply, that was quite informative.
I went through the thread "Need for an antivirus.?" and read about your preferences, and also the FYIs.
I also read about No Tears on Linux.
I'll look into LMD and ClamAV.
The "Can I monitor connections to open ports?" thread went way over my head.

I see you recommend Firejail as a safety net.
I have some experience with using FireJail, by some I meant very little.
I've noticed that some applications simply don't open with Firejail, though it's not an alarmingly huge number.
I knew about the blacklisting and whitelisting features in FireJail.
I've some questions about Firejail usage.
These questions are completely irrelevant for the current thread and I am not sure if they deserve a new thread.
Should I ask you about them in a PM, or should I start a new thread?
I think, the expertise you've with Firejail can really help me with these questions.
Thanks for the help. :D

User avatar
phd21
Level 19
Level 19
Posts: 9449
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Re: Appimages and security issues

Post by phd21 » Tue Mar 19, 2019 5:15 pm

Hi Mintymandy34,

You are welcome...

- FYI regarding antivirus applications: I contacted the developer of the ClamAV desktop application ClamTK and asked - requested if it would be possible to incorporate LMD (maldet) a console terminal application that uses ClamAV into the ClamTK desktop application. We'll have to wait and see. It might help if others would show they are interested in that as well.

ClamTK - Feature request - please integrate Linux Malware Detect (LMD) with ClamTK · Issue #112 · dave-theunsub/clamtk
https://github.com/dave-theunsub/clamtk/issues/112

- FYI regarding Firejail: The Firejail websites have much more information on Firejail than I can provide. And one of the Linux Mint members Fred is a contributing developer and maintainer for the Firejail project. You can create a new post for any Firejail questions or contact Fred directly or you can ask me as well.

You can also register and make posts and replies on the Firejail related websites and GitHub site issues.

Another post: Firejail and Mint 19 - Linux Mint Forums
viewtopic.php?f=42&t=273533&hilit=firejail+fred


Firejail - security sandbox - wordpress
https://firejail.wordpress.com/

Firejail GitHub - netblue30/firejail: Linux namespaces and seccomp-bpf sandbox
https://github.com/netblue30/firejail
.
.
Phd21: Mint KDE 18.3 & 19, 64-bit Awesome OS, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram,256gb SDD, Video: Intel 4 Graphics, DVD Lightscribe. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde

Mintymandy34
Level 4
Level 4
Posts: 377
Joined: Mon Feb 11, 2019 10:57 pm

Re: Appimages and security issues

Post by Mintymandy34 » Fri Mar 22, 2019 3:49 pm

phd21 wrote:
Tue Mar 19, 2019 5:15 pm
Hi Mintymandy34,

You are welcome...

- FYI regarding antivirus applications: I contacted the developer of the ClamAV desktop application ClamTK and asked - requested if it would be possible to incorporate LMD (maldet) a console terminal application that uses ClamAV into the ClamTK desktop application. We'll have to wait and see. It might help if others would show they are interested in that as well.

ClamTK - Feature request - please integrate Linux Malware Detect (LMD) with ClamTK · Issue #112 · dave-theunsub/clamtk
https://github.com/dave-theunsub/clamtk/issues/112
Thanks, I'll add to that.
I currently don't have the full understanding about LMD with ClamAV, but I can learn about that and will add to that request. :D
phd21 wrote:
Tue Mar 19, 2019 5:15 pm
- FYI regarding Firejail: The Firejail websites have much more information on Firejail than I can provide. And one of the Linux Mint members Fred is a contributing developer and maintainer for the Firejail project. You can create a new post for any Firejail questions or contact Fred directly or you can ask me as well.
I went through the complete guide and I still have some doubts, a lot of things got cleared though.
phd21 wrote:
Tue Mar 19, 2019 5:15 pm
You can also register and make posts and replies on the Firejail related websites and GitHub site issues.
Sure.
phd21 wrote:
Tue Mar 19, 2019 5:15 pm
Another post: Firejail and Mint 19 - Linux Mint Forums
viewtopic.php?f=42&t=273533&hilit=firejail+fred
I could post on that post but I think, it's better to ask those questions in a new post.
phd21 wrote:
Tue Mar 19, 2019 5:15 pm
Firejail - security sandbox - wordpress
https://firejail.wordpress.com/

Firejail GitHub - netblue30/firejail: Linux namespaces and seccomp-bpf sandbox
https://github.com/netblue30/firejail
Thanks, I use them for firejail guides, I'll bookmark them. :D
Thanks for the post.

Offcenter
Level 2
Level 2
Posts: 69
Joined: Sat Mar 10, 2012 5:15 pm
Location: New Jersey, USA

Re: Appimages and security issues

Post by Offcenter » Tue Mar 26, 2019 10:14 am

I'm a complete newbie here and I don't know squat about security.
But I just installed an Appimage program called ClipGrab.
Couldn't have been easier, and it WORKS!
George, High in the hills of Jersey

User avatar
phd21
Level 19
Level 19
Posts: 9449
Joined: Thu Jan 09, 2014 9:42 pm
Location: Florida

Re: Appimages and security issues

Post by phd21 » Tue Mar 26, 2019 11:42 am

Hi Mintymandy34,

You are welcome...
Mintymandy34 wrote:I currently don't have the full understanding about LMD with ClamAV, but I can learn about that and will add to that request. :D
Although "LMD" (maldet) is run from a console terminal, it is fairly easy to use. The Link I provided before has examples of using it.

Need for an antivirus.? - Linux Mint Forums
viewtopic.php?f=90&t=238726&hilit=maldet
Examples: May need "sudo" in front of commands, if you did not change "scan_user_access="1".

To scan all the files residing in a specific directory:
To scan your downloads folder

Code: Select all

maldet -a /home/yourusername/Downloads
or what I prefer

Code: Select all

maldet -a  ~/Downloads

To scan your entire "/home" folder for all users(Documents, Downloads, Music, Pictures, Videos, etc...)

Code: Select all

maldet -a /home
or
Scan files that have been created/modified in the last X days. 5 = the last 5 days.

Code: Select all

maldet -r /home 5
When a scan has completed, you have an option to view the log it created.
scan report saved, to view run: maldet --report 170425-1437.21389
- Just highlight the last part maldet --report 170425-1437.21389, right click copy, and then right click and paste it back into the console terminal prompt and hit enter. To exit the report screen, hit Ctrl-x

The "inotify" monitoring feature is designed to monitor users in real-time for
file creation/modify/move operations. For more information and help, type in "maldet --help", or See the readme file in the maldetect folder.

Code: Select all

sudo apt-get install inotify-tools
Enable real time monitoring of a directory folder.

Code: Select all

maldet -m /home
or your Downloads folder

Code: Select all

maldet -m /Downloads
or a local web server folder

Code: Select all

maldet -m /var/www/html/
Check the monitor log file:

Code: Select all

sudo tail -f /usr/local/maldetect/logs/inotify_log
Hope this helps ...
Phd21: Mint KDE 18.3 & 19, 64-bit Awesome OS, Ancient Dell OptiPlex 780 Core2Duo E8400 3GHz,4gb Ram,256gb SDD, Video: Intel 4 Graphics, DVD Lightscribe. Why I use KDE?:https://opensource.com/life/15/4/9-reasons-to-use-kde

Mintymandy34
Level 4
Level 4
Posts: 377
Joined: Mon Feb 11, 2019 10:57 pm

Re: Appimages and security issues

Post by Mintymandy34 » Tue Mar 26, 2019 7:30 pm

phd21 wrote:
Tue Mar 26, 2019 11:42 am
Hi Mintymandy34,

You are welcome...
Mintymandy34 wrote:I currently don't have the full understanding about LMD with ClamAV, but I can learn about that and will add to that request. :D
Although "LMD" (maldet) is run from a console terminal, it is fairly easy to use. The Link I provided before has examples of using it.

Need for an antivirus.? - Linux Mint Forums
viewtopic.php?f=90&t=238726&hilit=maldet
Examples: May need "sudo" in front of commands, if you did not change "scan_user_access="1".

To scan all the files residing in a specific directory:
To scan your downloads folder

Code: Select all

maldet -a /home/yourusername/Downloads
or what I prefer

Code: Select all

maldet -a  ~/Downloads

To scan your entire "/home" folder for all users(Documents, Downloads, Music, Pictures, Videos, etc...)

Code: Select all

maldet -a /home
or
Scan files that have been created/modified in the last X days. 5 = the last 5 days.

Code: Select all

maldet -r /home 5
When a scan has completed, you have an option to view the log it created.
scan report saved, to view run: maldet --report 170425-1437.21389
- Just highlight the last part maldet --report 170425-1437.21389, right click copy, and then right click and paste it back into the console terminal prompt and hit enter. To exit the report screen, hit Ctrl-x

The "inotify" monitoring feature is designed to monitor users in real-time for
file creation/modify/move operations. For more information and help, type in "maldet --help", or See the readme file in the maldetect folder.

Code: Select all

sudo apt-get install inotify-tools
Enable real time monitoring of a directory folder.

Code: Select all

maldet -m /home
or your Downloads folder

Code: Select all

maldet -m /Downloads
or a local web server folder

Code: Select all

maldet -m /var/www/html/
Check the monitor log file:

Code: Select all

sudo tail -f /usr/local/maldetect/logs/inotify_log
Hope this helps ...
So, LMD is purely command line based, and by integrating it into ClamAV and ClamTK, we get an absolutely phenomenal antivirus with a GUI, that was originally CLI.
I'm totally for it. :D
I'll raise the request right-away, I don't have a github account, but I'll surely create one now. :)

Mintymandy34
Level 4
Level 4
Posts: 377
Joined: Mon Feb 11, 2019 10:57 pm

Re: Appimages and security issues

Post by Mintymandy34 » Tue Mar 26, 2019 8:11 pm

Offcenter wrote:
Tue Mar 26, 2019 10:14 am
I'm a complete newbie here and I don't know squat about security.
But I just installed an Appimage program called ClipGrab.
Couldn't have been easier, and it WORKS!
It's a great technology, it's compatible across a lot of distros, it's really small in size and they've built quite a following.
I use AppImageHub to look for AppImages that I didn't know existed, I then follow through that to finally download the AppImages from the official website of the developer.
They are quite good for specific usage. :D
They don't work nicely with the system themes is what I've noticed.

Post Reply

Return to “Chat about Linux”