Re: O Iceape, where art thou?
Posted: 2013-11-14 11:24
I don't know Phil, I can't claim to be absolutely sure about it (in this I would really appreciate the input of more knowledgeable users than me), but I think what you're saying is not right.
I want to start from the last thing, the upgrading by reinstalling (that is: re-download and re-unpack into /opt ).
I think it is overkill.
Let me give you an example: when you upgrade your system through apt, you temporarily give root permission to that tool (apt-get, aptitude or whatever you use). If by any chance that tool gets compromised, then you are caught with your pants down. Why do you do it then?
Because you trust Debian's sources and have confidence that when you give root privileges to apt you won't get screwed.
Now, upgrading Seamonkey by running it as root just to upgrade is pretty much the same thing. As long as you trust the source (and frankly I have no reason not to trust it), there's no problem in upgrading the browser through its built-in feature.
Let's move now to the main issue: security problems in running Seamonkey from the user's home or from system-wide installation.
Through the years I have seen many guides and articles that instructed users about the installation of Mozilla-related products (they all work the same as far as we are concerned). They all either suggested installing under the user's home or under /usr or /opt or other system-wide locations, but I never read about security reasons for preferring one over the other (or maybe if there were, they could favor a user's home installation, as we'll see later).
I just did a quick search and found a document about installing Firefox on GNU/Linux and they have no problem in suggesting to install in the user's home.
This doesn't prove that what you are saying is wrong; after all, there are other guides that only suggest a system-wide installation, but it is an official guide that proposes a method without talking about a security flaw.
Actually the only reason for choosing one installation over the other is whether one wants to have Firefox or Seamonkey or whatever available for a single user or for all users.
Now, the reasoning.
As far as my understanding of privileges goes (and it doesn't go far, so I'm humbly just saying how I see it), what matters is not where the files physically reside or who owns them. What matters is who executes those files.
Say you have a script that'll delete all files under the user's home and this script is located both in /usr/bin/malicious-script and ~/.scripts/malicious-script.
What's the difference in executing them?
I see none: whether you execute them with root privileges or with your user, files will be deleted (this is why we have to only use scripts we know or from sources we trust).
On the other hand, say we have a similar script, copied in the same two locations, but this time the script will delete root files instead of user's home files.
In this scenario only by executing the script as root will you do the damage; a user will simply be denied, regardless of whether he executes the script under root or the one under his home.
So, a malicious script or malware or whatever that aims at destroying your home, might be a problem regardless of where you launch Seamonkey from, and as for a script that aims at destroying your system, it won't do anything as long as you don't run it as root.
Now, in this regard, as I anticipated before, having a Seamonkey installation in /opt or any other system-wide location would actually represent a higher risk than having it in the user's home, but only when used as root, which in turn would only be a realistic risk if used as root for anything but upgrading.
In fact, as I said, if you only run Seamonkey as root for the purpose of upgrading (no navigation, no mail, no nothing else) you won't expose the root profile or the executed process to potential threat. The only source of problems could be the built-in upgrading feature which, as I said before, I think we can trust.
What do you think?
Anybody else care to chip in on a matter of security?
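To make the "who executes, not where the script lives" argument concrete, here is an added example (not from the post, SeaMonkey or Debian) that models the POSIX permission check the kernel applies when a process tries to delete a file: the script's own location never enters the decision, only the caller's identity and the target directory's owner and mode bits. The uids, gids and directory modes are constructed sample values.

```python
import os
import stat

# Hypothetical helper written for this thread. It models POSIX discretionary
# access control for unlink(): the caller needs write+execute permission on the
# parent directory of the target, evaluated against the *caller's* uid/gids.
def can_unlink(caller_uid, caller_gids, dir_uid, dir_gid, dir_mode, file_uid=None):
    """True if a process running as caller_uid (member of caller_gids) may remove
    an entry from a directory owned by dir_uid:dir_gid with permission bits dir_mode."""
    if caller_uid == 0:
        return True                      # root bypasses DAC checks entirely
    if caller_uid == dir_uid:            # owner class
        w, x = dir_mode & stat.S_IWUSR, dir_mode & stat.S_IXUSR
    elif dir_gid in caller_gids:         # group class
        w, x = dir_mode & stat.S_IWGRP, dir_mode & stat.S_IXGRP
    else:                                # other class
        w, x = dir_mode & stat.S_IWOTH, dir_mode & stat.S_IXOTH
    if not (w and x):
        return False
    # Sticky directories (e.g. /tmp): only the file's or directory's owner may unlink.
    if dir_mode & stat.S_ISVTX and file_uid is not None:
        return caller_uid in (file_uid, dir_uid)
    return True

# Constructed scenario: uid 1000 is an ordinary user, uid 0 is root.
HOME_DIR = dict(dir_uid=1000, dir_gid=1000, dir_mode=0o700)   # ~/ of the user
SYSTEM_DIR = dict(dir_uid=0, dir_gid=0, dir_mode=0o755)       # e.g. /etc or /opt

def damage_matrix(script_location):
    """What a 'delete everything' script stored at script_location could remove,
    depending on who runs it. script_location is deliberately unused: the kernel
    does not consult it, which is the whole point of the thread's argument."""
    matrix = {}
    for who, uid, gids in (("user", 1000, {1000}), ("root", 0, {0})):
        matrix[who] = {
            "home": can_unlink(uid, gids, **HOME_DIR),
            "system": can_unlink(uid, gids, **SYSTEM_DIR),
        }
    return matrix

def can_unlink_here(path):
    """Same check against a real directory, using the current process identity."""
    st = os.stat(path)
    return can_unlink(os.geteuid(), set(os.getgroups()) | {os.getegid()},
                      st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
```

Both script locations from the post yield the identical matrix: a user can only wreck home, root can wreck both, so the exposure comes from running the browser as root, not from /opt versus ~.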