Request For Candidates: Application Review Board

Jamie Strandboge jamie at canonical.com
Thu Aug 26 16:48:58 BST 2010


On Thu, 2010-08-26 at 10:59 -0400, Marc Deslauriers wrote:
> Installing an application with user privileges is a bad idea.
> Application software should not be vulnerable to tampering, either
> accidentally by the user himself, or by malware running in the user's
> security context. This will make the apps installed via the app store
> unreliable and susceptible to being trojaned. One of the reasons that Linux
> is more reliable than other operating systems is that a user can only
> muck up his own directory. Let's not mess this up by using security as a
> pretext.

I *fully* agree with this. We should also vet the developer in some way
and thus hold her accountable, as Marc also suggested.

That said, there are some low-hanging QA measures we could perform. If
dpkg is going to be used to install the software, I am a fan of
installing in /opt, restricting the use of maintainer scripts as well as
suid/sgid binaries in the package and surely many other things I'm not
thinking of at present. These tests could easily be scripted to
automatically reject applications on upload if they don't pass the
tests.

Alternatively, if some other installation method is used, we could
potentially install things into /opt as a dedicated unprivileged
non-root user (e.g. 'appstore'), which would maintain the separation of
the user's security context and the application installation, and
conveniently disallow suid/sgid binaries, directories, etc. on unpack.

I'd also like to be able to grep for sudo, gksu, pkexec, etc. not so
much as a 'protection' (because it could be easily gotten around by a
malicious application) but as a way to inform the developer that these
sorts of things should not be happening in appstore applications. This
might be too brittle in practice and could be covered by a developer
agreement, with violations of that agreement resulting in
application/developer removal from the appstore.

-- 
Jamie Strandboge             | http://www.canonical.com
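As an added example (not code from this mail, from Ubuntu, or from any app-store tooling), here is a small upload-time lint in Python that implements the checks discussed above: every installed path must live under /opt, no maintainer scripts (preinst/postinst/prerm/postrm) are allowed, no member of the package may carry the setuid or setgid bit (binaries or directories), and a purely advisory grep flags references to sudo, gksu or pkexec. It reads the .deb container directly with a minimal ar(1) parser and assumes gzip-compressed control.tar.gz and data.tar.gz members (real dpkg may use xz); the "demo" packages it inspects are constructed inline purely as test fixtures.

```python
"""Upload-time lint for app-store .deb packages (added example, hypothetical).
Checks: files under /opt only, no maintainer scripts, no suid/sgid bits,
advisory grep for privilege-escalation helpers."""
import io
import re
import tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm"}
ESCALATION_RE = re.compile(rb"\b(sudo|gksu|gksudo|pkexec)\b")
SUID_SGID = 0o4000 | 0o2000


def _ar_members(blob):
    """Parse the ar(1) container that wraps a .deb; yield (name, bytes)."""
    assert blob[:8] == b"!<arch>\n", "not an ar archive"
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        assert hdr[58:60] == b"`\n", "corrupt ar member header"
        name = hdr[:16].decode().rstrip(" /")   # GNU ar may append '/'
        size = int(hdr[48:58])                  # decimal, space padded
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size & 1)           # members are 2-byte aligned


def _norm(name):
    """Map tar member names ('.', './opt/x', 'opt/x') to absolute paths."""
    if name == ".":
        return "/"
    if name.startswith("./"):
        name = name[2:]
    return "/" + name.lstrip("/")


def _under_opt(path):
    return path in ("/", "/opt") or path.startswith("/opt/")


def lint_deb(blob):
    """Return a list of (severity, message); an empty list means accept."""
    findings = []
    members = dict(_ar_members(blob))
    control_blob = members.get("control.tar.gz")   # assumption: gzip tars
    data_blob = members.get("data.tar.gz")
    if control_blob is None or data_blob is None:
        return [("reject", "missing control.tar.gz or data.tar.gz")]
    with tarfile.open(fileobj=io.BytesIO(control_blob), mode="r:gz") as ctl:
        for m in ctl.getmembers():
            base = _norm(m.name).rsplit("/", 1)[-1]
            if base in MAINTAINER_SCRIPTS:
                findings.append(("reject", f"maintainer script present: {base}"))
    with tarfile.open(fileobj=io.BytesIO(data_blob), mode="r:gz") as data:
        for m in data.getmembers():
            path = _norm(m.name)
            if not _under_opt(path):
                findings.append(("reject", f"installs outside /opt: {path}"))
            if m.mode & SUID_SGID:
                findings.append(("reject", f"setuid/setgid bit on {path} (mode {m.mode:o})"))
            if m.isfile() and ESCALATION_RE.search(data.extractfile(m).read()):
                findings.append(("warn", f"references privilege-escalation helper in {path}"))
    return findings


def verdict(findings):
    """'reject' if any finding is fatal, else 'accept' (warnings only inform)."""
    return "reject" if any(sev == "reject" for sev, _ in findings) else "accept"


# ---- constructed test fixtures: build tiny .deb files in memory ----------
def _tar_gz(entries):
    """entries: (name, mode, content) with content=None for a directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, content in entries:
            info = tarfile.TarInfo(name)
            info.mode, info.mtime = mode, 0
            if content is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(content)
                tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def _ar(members):
    out = [b"!<arch>\n"]
    for name, data in members:
        hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}".encode() + b"`\n"
        out.append(hdr + data + (b"\n" if len(data) & 1 else b""))
    return b"".join(out)


def build_sample(bad):
    """Constructed 'demo' package: clean, or with every violation at once."""
    control = [("./", 0o755, None), ("./control", 0o644, b"Package: demo\nVersion: 1.0\n")]
    data = [("./", 0o755, None), ("./opt/", 0o755, None), ("./opt/demo/", 0o755, None),
            ("./opt/demo/demo.sh", 0o755, b"#!/bin/sh\necho hello\n")]
    if bad:
        control.append(("./postinst", 0o755, b"#!/bin/sh\nchmod 4755 /opt/demo/helper\n"))
        data += [("./opt/demo/helper", 0o4755, b"ELF-placeholder\n"),
                 ("./usr/bin/demo", 0o755, b"#!/bin/sh\nexec sudo /opt/demo/demo.sh\n")]
    return _ar([("debian-binary", b"2.0\n"),
                ("control.tar.gz", _tar_gz(control)),
                ("data.tar.gz", _tar_gz(data))])


if __name__ == "__main__":
    for bad in (False, True):
        f = lint_deb(build_sample(bad))
        print(verdict(f), f)
```

The clean fixture yields no findings; the bad one produces three fatal findings (postinst, setuid helper, file under /usr/bin) plus one advisory warning for the sudo reference, so the package is rejected while the developer still sees the grep hint. The ar parser deliberately refuses anything that is not a plain `!<arch>` container rather than trying to be lenient, since an upload gate should fail closed on malformed input.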