klik://kspread-1.5-beta is cool (as is the kword one)

Posted Feb 1, 2006 17:36 UTC (Wed) by pipitas (guest, #22701)
In reply to: klik://kspread-1.5-beta is cool (as is the kword one) by nix
Parent article: KOffice 1.5 beta 1 Released (KDE.News)

True, the "install" script is piped into the shell for direct execution. This script is run straight away. With user privileges, not with root privileges.

I do not see how this is more insecure than running any other installer of a random software package (which you usually do have to run as *root*).

If you do not trust the installer, investigate it. It is shell code, it is open, it is easy:

  wget klik.atekon.de/client/install -O potential.danger.klik.installer
  vim potential.danger.klik.installer

If you then do trust it, run it with some "debug" output:

  sh -x potential.danger.klik.installer

And if you do still not trust it after investigating, just leave it. Don't touch it. But please, don't start spreading FUD ;-)

You can read more about klik in my blog, or in this Dot story which explains a bit more about some beneficial use cases of klik (as well as some of its limitations).

Cheers,
Kurt Pfeifle


klik://kspread-1.5-beta is cool (as is the kword one)

Posted Feb 1, 2006 23:28 UTC (Wed) by nix (subscriber, #2304)

There are no signatures or any other way to determine that the site you think you're getting the klik package from really is that site. Think DNS cache poisoning attacks, for starters...

Security

Posted Feb 1, 2006 23:41 UTC (Wed) by Ross (subscriber, #4065)

It is less secure in a number of ways.

First, the actual download isn't being performed separately. Second, some installers do not allow the package they are installing to take arbitrary actions (unfortunately both RPM and Debian packages run scripts which can basically do what they want as the installing user). Third, there is no sanity checking, checksum verification, or signature checking. How do you even know what you are installing is the same as what was on the Web page two seconds ago?

What is the best way to install software? Well, for one thing it should be downloaded by a non-privileged user, then verified correct against a trusted source through at least a checksum, but optimally through verification of a cryptographic signature. Then, the install tool should finally compile (if needed) and install the software. Any compilation and installation should not be performed with the root uid (even if started by root). This is possible through many mechanisms, but the most obvious one is setting group writability on the destination directories and making the install process run with membership in that group. Does anything work that way out of the box? Not to my knowledge.

But klik is basically the least secure method, similar to the old Nessus installation instructions.
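
Added example (not part of the thread and not klik's own code): the download, verify, then run sequence described in the comment above, limited to the checksum step. The installer content, the file names and the "trusted" digest are constructed here; in real use the digest has to come from a channel other than the download itself.

```shell
#!/bin/sh
# Verify a saved installer against a known SHA-256 digest before running it,
# instead of piping the download straight into the shell.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_then_run FILE EXPECTED_SHA256
# Runs FILE with sh only if its digest matches; returns 2 (without
# executing anything) when it does not.
verify_then_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: refusing to run" >&2
        return 2
    fi
    sh "$file"
}

# Offline demo with a constructed installer that only writes a marker file.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'echo installed > "%s/marker"\n' "$dir" > "$dir/installer"
    # Stands in for a digest published over a separate, trusted channel.
    trusted=$(sha256_of "$dir/installer")

    ok=0
    verify_then_run "$dir/installer" "$trusted" || ok=$?
    rm -f "$dir/marker"

    # Constructed tampering: the file changes after the digest was published.
    printf 'echo tampered > "%s/marker"\n' "$dir" >> "$dir/installer"
    bad=0
    verify_then_run "$dir/installer" "$trusted" || bad=$?
    if [ -e "$dir/marker" ]; then ran=yes; else ran=no; fi

    rm -rf "$dir"
    echo "$ok $bad $ran"   # exit status of clean run, of tampered run, and whether tampered code ran
}

demo
```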
