[Emotional] So I got curious if a simple archive can screw me over...

Chat about Linux in general
lamefun
Level 1
Level 1
Posts: 25
Joined: Fri Jun 02, 2017 2:15 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by lamefun »

karlchen wrote:
Tue May 19, 2020 2:45 pm
This thread did not start with a typical newbie question.
I originally posted it to Other Topics, but someone moved it Newbie Questions by mistake.
karlchen wrote:
Tue May 19, 2020 2:45 pm
Some statements by the OP to the effect that commercial software in general and Microsoft software in particular were superior to open source software in general, raise doubts that
b) the OP's intention is primarily reporting a potentially easy to exploit design flaw in how common file-managers handle .desktop files.
Yup, you got me. My primary intention is expressing my extreme disappointment and frustration. But am I wrong though?

There's no proper FOSS desktop anti-virus; there is ClamAV, but it's really just a mail scanner. Linux desktop security wholly depends on not letting any virus to run in the first place, and given that this bug wasn't quickly assigned a CVE and fixed upon being reported suggests that it isn't good at keeping viruses out either... If Linux were to suddenly get popular overnight, it'd be immediately devoured my malware.

And yes, proprietary software is superior to FOSS in general, because it has ads and DRM for nourishment. But wait, you'll say, FOSS has an advantage of its own: public access to source code! Well, it only helps a chosen few, specifically those who have the time and patience to push through layers and layers of computer madness...

Case in the point: the GIMP build guide. Why can't one just run something like develop gimp, and go grab a cup of tea while the command automatically downloads and installs the dependencies? The usual: fragmentation... I hope someday Flatpak becomes the standard and recommended cross-distribution way to develop stuff, not just run it...

And don't get me started on C, C++, GObject, /bin/bash, etc...

rene
Level 16
Level 16
Posts: 6266
Joined: Sun Mar 27, 2016 6:58 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by rene »

lamefun wrote:
Tue May 19, 2020 5:22 pm
And don't get me started on C, C++, GObject, /bin/bash, etc...
Given the level of the rest of that message, please, please take that request seriously. Do NOT get him started on...

Thanks for pointing out the Nemo thing though.

lamefun
Level 1
Level 1
Posts: 25
Joined: Fri Jun 02, 2017 2:15 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by lamefun »

rene wrote:
Tue May 19, 2020 5:32 pm
Do NOT get him started on...
I can't resist... I really want to complain about /bin/bash right now... Sorry...

Code: Select all

$ help [[
[[ ... ]]: [[ expression ]]
    Execute conditional command.
    
    Returns a status of 0 or 1 depending on the evaluation of the conditional
    expression EXPRESSION. [...]

    When the `=~' operator is used, the string to the right of the operator
    is matched as a regular expression. [...]
And here we go with madness:

Code: Select all

if [[ 123 =~ [0-9]+ ]]; then
  echo "Match!"
fi

if [[ 123 =~ "[0-9]+" ]]; then
  echo "Match!"
else
  echo "Wut?"
fi
You'd expect it to print Match! twice, but it instead prints:

Code: Select all

Match!
Wut?
Apparently, =~ treats the right-side operand as a normal string when it's quoted... The help doesn't mention this behavior at all, it actually worked in prior versions, so not all tutorials were updated, no warning too...

Yes yes, a small stumbling block... But I mean, stumbling blocks add up, and you have to remember what free software volunteering has to compete with for people's free computer time: addictive social media and games precisely engineered to take advantage of human psychological weaknesses, which means that any given frustrating obstacle, no matter how tiny, can mean all the difference between a user learning scripting and programming and them simply giving up.

In my opinion, the only way for GNU/Linux to succeed is to provide an environment where the OS itself gently nudges people towards learning what they need to make use of software freedom, and where learning is natural, gradual, smooth, and, perhaps most importantly, actually fun for as many people as possible!

rene
Level 16
Level 16
Posts: 6266
Joined: Sun Mar 27, 2016 6:58 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by rene »

Okay, well, the issue itself you admittedly slightly less disastrously conceived than was expected after the above, but, yes, it most certainly is documented. man bash, line 218,
Any part of the pattern may be quoted to force the quoted portion to be matched as a string

lamefun
Level 1
Level 1
Posts: 25
Joined: Fri Jun 02, 2017 2:15 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by lamefun »

rene wrote:
Tue May 19, 2020 6:33 pm
man bash
Yes, a 6000+ line page with no navigation...

rene
Level 16
Level 16
Posts: 6266
Joined: Sun Mar 27, 2016 6:58 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by rene »

What do you mean, no navigation? man bash, /\[\[, <enter>, n (or after I told you, 218g). Or use the texinfo manual, or the HTML manual, or ...

Anyways.

User avatar
smurphos
Level 16
Level 16
Posts: 6805
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by smurphos »

rene wrote:
Tue May 19, 2020 5:32 pm
Thanks for pointing out the Nemo thing though.
...and Caja....and Thunar. All have the same vulnerability.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

all41
Level 16
Level 16
Posts: 6179
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by all41 »

@lamefun
Welcome to the Mint forums 8)
libera ab tyrannis

rene
Level 16
Level 16
Posts: 6266
Joined: Sun Mar 27, 2016 6:58 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by rene »

smurphos wrote:
Wed May 20, 2020 12:39 am
rene wrote:
Tue May 19, 2020 5:32 pm
Thanks for pointing out the Nemo thing though.
...and Caja....and Thunar. All have the same vulnerability.
As to first and maybe third that's probably part of the reason then why they don't take it upon themselves to fix this utterly embarrassing issue. As to second, yah, well, the GNOME project is rather in the habit of redefining their bugs as intended behaviour the silly user simply doesn't grasp so less of a surprise there.

I bookmarked https://github.com/linuxmint/nemo/issues/1404 to see if anything in fact comes of this...

User avatar
smurphos
Level 16
Level 16
Posts: 6805
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by smurphos »

rene wrote:
Wed May 20, 2020 6:54 am
As to second, yah, well, the GNOME project is rather in the habit of redefining their bugs as intended behaviour the silly user simply doesn't grasp so less of a surprise there.
To their credit the Gnome project actually got a CVE assigned (but only for Nautilus) pretty much fixed the issue or at least made it way more convoluted to exploit by changing to a metadata based trust model - https://people.canonical.com/~ubuntu-se ... 14604.html, https://security-tracker.debian.org/tra ... 2017-14604

The fix for nemo that Michael was working was a port of the Nautilus solution on but appears never got as far as being merged. I guess one of the problems was to consider the user impact - i.e do we make all launchers in the user's home untrusted initially or can some desktop files be trusted automatically whilst mitigating sufficiently against malicious attacks.

E.g.

User installs a program from the repos. It's .desktop file is safely in /usr/share/applications/ under root ownership.

Is it OK for that launcher to be automatically trusted by the Cinnamon menu without user confirmation? Probably yes.

User right clicks and adds to desktop. We now have a copy of that launcher under the users ownership which could potentially be overwritten by a malicious unprivileged process. Is it OK to automatically trust that copy during the add to desktop process or should the user be required to take a further step to trust the desktop copy? Debatable.

User used the menu editor to modify the category of that applications. We've now got a copy in ~/.local/share/applications under users ownership. OK for the menu to trust automatically? Debatable

User installs another program locally from an archive - it's desktop file ends up in ~/.local/share/applications. Should the menu trust it automatically? Probably not.

Lots of questions and a lot of code needed if desktop files need to be automatically trusted in some scenarios. But imagine the horrible user experience of installing a new distro and then being presented with a dialog the first time you try and fire up Firefox from the menu asking the user if they trust the launcher.

Ultimately though although i think this should be fixed to not use the executable bit as the trust proxy, users downloading software from wherever in archive form are responsible for there own actions. It may look fine but who knows what's going on inside some precompiled binary.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

rene
Level 16
Level 16
Posts: 6266
Joined: Sun Mar 27, 2016 6:58 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by rene »

smurphos wrote:
Thu May 21, 2020 12:42 am
users downloading software from wherever in archive form are responsible for there own actions.
I quite disagree. Users, certainly experienced users, are responsible for their own actions as long as they are given correct information to base their decisions on. Which is obviously not the case if their file manager actively lies to them and tells them the file "malware.desktop" is in fact called "CV.pdf". In program-logic it may be really unfortunate to do something about, but an operating system is not about program-logic. It's the system's human-interface; needs to as such be about human logic.

I am quite sure this exchange will furthermore lead nowhere and I basically don't care about file-managers in the first place so really out of here, but once again... really, file-manager dudes and dudettes?

User avatar
thx-1138
Level 8
Level 8
Posts: 2094
Joined: Fri Mar 10, 2017 12:15 pm
Location: Athens, Greece

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by thx-1138 »

rene wrote:
Thu May 21, 2020 11:48 am
...are responsible for their own actions as long as they are given correct information to base their decisions on.
Which is obviously not the case if their file manager actively lies to them...

... really, file-manager dudes and dudettes?
...ever stumbled upon this? Almost like the 'opposite' of the above...download src, compile with a newer gcc,
(apparently you do trust what you build or even more likely written yourself), then have fun with it...
not executing in the file manager. Please also do note the date of submission in gnome's bugzilla:
https://bugzilla.gnome.org/show_bug.cgi?id=737849
https://gitlab.freedesktop.org/xdg/shar ... /issues/11
https://bugs.launchpad.net/ubuntu/+sour ... ug/1747711
Someone to tell me that explorer.exe would not launch pie exes because they were being...misidentified.
So, to answer the above semi-rhetorical (i assume) question... yes, really, that's the current state of things :)

rene
Level 16
Level 16
Posts: 6266
Joined: Sun Mar 27, 2016 6:58 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by rene »

thx-1138 wrote:
Fri May 22, 2020 4:49 am
...ever stumbled upon this?
Yap: viewtopic.php?f=90&t=305053

May I please go now? I'm getting a little tired of every other one of my posts being an extensive rant --- but with file-managers like these...

lamefun
Level 1
Level 1
Posts: 25
Joined: Fri Jun 02, 2017 2:15 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by lamefun »

smurphos wrote:
Thu May 21, 2020 12:42 am
User right clicks and adds to desktop. We now have a copy of that launcher under the users ownership which could potentially be overwritten by a malicious unprivileged process.
You know, if you already have a malicious process running, it would simply skip this entirely unnecessary step of messing with your desktop shortcuts and just go straight to encrypting your files and demanding a ransom. You don't want ANY malicious code running on your computer outside of a carefully configured VM, ever.

Really, the levels of naivety I'm seeing in the Linux community are astonishing.

all41
Level 16
Level 16
Posts: 6179
Joined: Tue Dec 31, 2013 9:12 am
Location: Computer, Car, Cage

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by all41 »

lamefun wrote:
Fri May 29, 2020 9:50 pm

Really, the levels of naivety I'm seeing in the Linux community are astonishing.
Now you're getting personal, and I represent that remark in it's entirety! :wink:
libera ab tyrannis

User avatar
smurphos
Level 16
Level 16
Posts: 6805
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by smurphos »

lamefun wrote:
Fri May 29, 2020 9:50 pm
You know, if you already have a malicious process running, it would simply skip this entirely unnecessary step of messing with your desktop shortcuts and just go straight to encrypting your files and demanding a ransom. You don't want ANY malicious code running on your computer outside of a carefully configured VM, ever.

Really, the levels of naivety I'm seeing in the Linux community are astonishing.
I'm just taking your concern over the potential to abuse launcher behaviour to it's logical conclusion. You are the one who is click-happy in a random archive without checking the content - I call that naive :wink:
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

rene
Level 16
Level 16
Posts: 6266
Joined: Sun Mar 27, 2016 6:58 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by rene »

lamefun wrote:
Fri May 29, 2020 9:50 pm
Really, the levels of naivety I'm seeing in the Linux community are astonishing.
Well, no, versus the actual threat-levels the level of security paranoia is in fact (also) on Linux far, far beyond sensible --- but I'll agree that the level of stupidity of the GNOME community IS certainly astonishing. A file called foo.desktop shall not be presented to the user as CV.pdf, be it an executable desktop file or not, with the actual desktop the only exception when in "desktop view". If that even needs discussing it is proved that Nautilus is the exact type of complete and utter horseshit garbage I always held it to be.

lamefun
Level 1
Level 1
Posts: 25
Joined: Fri Jun 02, 2017 2:15 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by lamefun »

smurphos wrote:
Fri May 29, 2020 10:50 pm
You are the one who is click-happy in a random archive without checking the content - I call that naive :wink:
But I am checking the content - namely, the file's extension! If I see a Song.mp3, I'd expect it to open in a music player where it won't be able to do any damage... at least if the player doesn't have a serious security vulnerability, which, let's face it, is most likely to be caused by the use of the C programming language... Maybe someday codec developers will heed the truth-seers' dire warnings and rewrite in Rust...

User avatar
smurphos
Level 16
Level 16
Posts: 6805
Joined: Fri Sep 05, 2014 12:18 am
Location: Britisher
Contact:

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by smurphos »

If you read my replies you'll see that I don't disagree that this should be fixed. My concern is the ramifications on fixing it fully on UX - this isn't just a File manager issue, it could potentially affect any part of the system that use the .desktop spec and sources .desktop files from the users home, but present the .desktop Name in the GUI - i.e. the menu in pretty much every Linux desktop environment.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.

lamefun
Level 1
Level 1
Posts: 25
Joined: Fri Jun 02, 2017 2:15 pm

Re: [Emotional] So I got curious if a simple archive can screw me over...

Post by lamefun »

smurphos wrote:
Sat May 30, 2020 2:50 am
My concern is the ramifications on fixing it fully on UX - this isn't just a File manager issue, it could potentially affect any part of the system that use the .desktop spec and sources .desktop files from the users home, but present the .desktop Name in the GUI - i.e. the menu in pretty much every Linux desktop environment.
Some ideas:
  • Files in /usr/share/applictions and ~/.local/share/applications should just be considered trusted, I mean, why not?
  • Adding menu entries to desktop should produce symlinks to /usr/share/application files - this would even update the desktop shortcuts when the orginals get updated!
  • To protect non-technical users, ALL executable files should require explicit authentication (scripts, desktop files, regular executables) via a dialog with a scary-looking message to be executed via the file manager:
    ⚠ Security Warning

    This file is a computer program, but we can't confirm it comes from a trusted source. Malicious programs can steal your personal information (for example, passwords, documents, or credit card details), hold your files them for ransom, and potentially damage your computer.

    [ Get me out of here! ]

    ► I understand the risks
Now the problem becomes: how to track which files are trusted by which user? Using paths might be fine IMO, there could even be a centralized panel in the System Settings to manage trusted paths, maybe even allow wildcards to allow programmers to work without annoying dialogs:
Trusted programs:

/home/user/Projects/**

[ + ] [ - ]
Still, a problem remains: while you might not have untrusted code on your computer, you might still unpack an archive directly to desktop, and answer "Replace All" to a replacement prompt, possibly silently replacing executable files whose paths have already been marked as trusted... I think the best solution is for GUI archive managers to scan archives for executable files beforehand, and show a warning if there are any, and where possible, check if they try to disguise themselves as regular files:
⚠ Security Warning

This archive contains computer programs disguised as regular files, which means that they are almost definitely malicious. Malicious programs can steal your personal information (for example, passwords, documents, or credit card details), hold your files them for ransom, and potentially damage your computer.

Programs in this archive:

CV.pdf.desktop

[ Get me out of here! ]

► I understand the risks
Again, heuristics may be needed to detect whether unpacking the archive will replace configuration files:
⚠ Security Warning

Unpacking this archive here will overwrite system configuration files, which may cause malicious programs to be installed on your computer. Malicious programs can steal your personal information (for example, passwords, documents, or credit card details), hold your files them for ransom, and potentially damage your computer.

Configuration files in this archive:

.bashrc

[ Get me out of here! ]

► I understand the risks

Post Reply

Return to “Chat about Linux”