App installer design: click packages

Colin Watson cjwatson at ubuntu.com
Mon May 13 21:53:00 UTC 2013


On Mon, May 13, 2013 at 01:56:43PM -0400, Marc Deslauriers wrote:
> On 13-05-13 11:05 AM, Alejandro J. Cura wrote:
> > This thread assumes that packages need to be uncompressed and
> > installed before usage, so I'd like to ask if there was any discussion
> > re: using something like squashfs images as the distributed packages
> > instead of a zip or tar-like file.
> > 
> > This would mean that such downloaded images can be mounted read-only
> > by whatever launches applications, using nosuid, nodev, and with the
> > required uid, and then run immediately, instead of having to go through a
> > copy of files from the package to the storage, which slows down
> > installation and usually requires double the storage space.
> 
> That would mean we'd need to have a privileged helper to be able to
> mount application packages at application execution time. There are a
> lot of security implications of doing something like this, and I fear
> this would be a substantial attack surface.

And even if we mounted them all just once at boot, (a) we'd still need
to use root privilege to mount at application installation/upgrade time,
(b) any bug in squashfs would now become an easy escalate-to-kernel
vulnerability exploitable through the app store.  Now, (b) is still true
for dpkg/tar/etc., but tar is already assumed to take hostile input, and
the relevant parts of dpkg are mainly shared with unprivileged
operations such as 'dpkg -c' which are also assumed to take hostile
input and have had a good deal of attention over the years; and even if
there is a problem we can at least contain it to a less-privileged
specialised 'software' user.

-- 
Colin Watson                                       [cjwatson at ubuntu.com]


