Bugtraq mailing list archives
More Helix Code installation problems (go-gnome)
From: Peter W <peterw () USA NET>
Date: Tue, 29 Aug 2000 10:08:21 -0400
--Product--

Helix Code Gnome "go-gnome" Web-based installation shell script.

--Background--

On Aug 19, Alan Cox disclosed problems with Helix Code's install tools. Helix Code promptly[0] announced fixes for their installer. Presumably this meant their compiled installer app, because their Web site still suggests using the Lynx-source-piped-to-sh hack that uses the "go-gnome" Bourne/awk/gzip script.[1]

--Problem--

Leaving aside, for now, the issues of using plaintext HTTP to pass data directly to a shell interpreter,[2] the "go-gnome" shell script[1] unsafely uses fairly predictable filenames in /tmp (for non-Debian distributions) and can be used to overwrite any file on the system that root can clobber with 'cat' if an attacker sets up a symbolic link (it could be done well in advance of go-gnome being run). I.e., on most boxes, every file is at risk.

Ironically, ftp://ftp.helixcode.com/helix/ suggests that Helix Code replaced go-gnome at the same time as the new, improved installer binary announced on Aug 20, yet it suffers the same sort of problems Helix Code claims to have fixed in the installer binary.[3]

--Workarounds--

1) Use the manual installation instructions at http://www.helixcode.com/desktop/instructions.php3?distribution=manual instead of go-gnome. Since Helix Code does not GPG sign their packages, you may want to compare checksums with those listed in Helix Code's Aug 20th announcement.[3] Not that it buys you much, as there doesn't seem to be any checksum/signing information embedded in, or protecting, the XML package information files. But it's a start.

2) Apply the attached patch to the go-gnome script. This patch was developed against the 33308 byte go-gnome script available, as of this writing, at ftp://ftp.helixcode.com/helix/ & http://go-gnome.com/ (e.g. 'lynx -source http://go-gnome.com/ > /safe/path/go-gnome'). By the time you retrieve and patch the script, you're better off just using the manual installation instructions. See workaround #1.
--Vendor response--

While I've publicly written about this as early as June, I only emailed Helix Code last week about the problem, explaining the issue, and providing the patch I have resent here. They have not so much as acknowledged my messages, let alone discussed the problem.

--But, isn't Helix Gnome still "Beta" code?--

Usually I'm among the first to gripe about "advisories" exposing problems in beta code. And Helix Code sometimes suggests their code is beta (the CDs I've seen are labeled "Preview Two"). But the Helix Code Web site boasts that their bits are "stable, up-to-date", and, more importantly, Linux mailing list traffic suggests that a *lot* of folks are trying Helix Code Gnome. And Nat & co. are getting their share of attention by the US media. So it's time for Helix Code to start taking security more seriously.

--Suggestions--

We've heard many arguments about why Microsoft Windows has historically been more vulnerable to viruses than Unix-like systems, and some boil down to the notion that Unix users know better. This argument weakens as Linux use expands to the non-geek crowd. One of the main goals (and an admirable one) of Helix Code is to make Unix and Linux desktops more usable. But the lynx install hack trades security for a 30 second gain in installation speed. It encourages unsafe practices. If Helix Code's target audience is as new to computers as their site suggests ('Note that the | character above is the "pipe" symbol, obtained by pressing SHIFT-\ on most keyboards'[1]), then these are exactly the folks who should not be taught such risky parlor tricks.

IMO, Helix Code ought to completely stop providing and advocating the lynx hack. Tell people how to get the proper installer package. Show them how to use 'md5sum' to check the package integrity. Put download information on an https server. Start GPG signing your packages. Etc.
Compared to the effort required to make a first-rate desktop environment (and the recent Helix Code Gnome apps I've seen do look very nice), the effort required to improve distribution and installation security is minimal. Safer systems & safer admins are more valuable than faster installs.

-Peter

[0] Not promptly after Alan emailed them, but after Alan publicly disclosed the problems.
[1] http://www.helixcode.com/desktop/instructions.php3?distribution=gognome
[2] There are many points where the `lynx -source http://go-gnome.com/` fetch could be subverted. An https:// server would at least authenticate the identity of "go-gnome.com" but, no. <sigh>
[3] http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-08-15&msg=200008200739.DAA25668 () trna helixcode com
Attachment:
go-gnome.patch
Description: go-gnome.patch
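A hardened version of the temp-file handling the advisory faults in go-gnome, as an added example (not the go-gnome script and not Peter's attached patch): a root-run installer gets an unpredictable private directory from mktemp, writes only through the shell's noclobber option so a pre-planted symlink or existing file makes the open fail instead of being followed, and checks a downloaded package against the md5sum published in the vendor's announcement. The function names, the directory template and the expected checksum are assumptions.

```shell
#!/bin/sh
# Added example: safe scratch-file handling for an installer that runs as
# root. Not the go-gnome script; function names and paths are made up.

# Create a private scratch directory with an unpredictable name.
# mktemp -d creates it mode 0700 and fails rather than reusing a path
# that already exists, so an attacker cannot pre-create or symlink it.
make_workdir() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/gnome-install.XXXXXX") || return 1
    printf '%s\n' "$dir"
}

# Write stdin to "$1". The shell's noclobber option (set -C) makes '>'
# open the file with O_CREAT|O_EXCL, which fails if anything already
# exists at that path, a symlink included, so the "cat > /tmp/predictable"
# race the advisory describes cannot redirect the write elsewhere. The
# explicit checks only give a clearer error message; set -C is the guard.
safe_write() {
    target=$1
    if [ -L "$target" ] || [ -e "$target" ]; then
        echo "refusing to write: $target already exists" >&2
        return 1
    fi
    ( set -C; cat > "$target" )
}

# Compare a downloaded package against the md5sum published out of band
# (e.g. in the vendor's announcement) before the installer touches it.
verify_md5() {
    file=$1
    expected=$2
    actual=$(md5sum "$file" | cut -d' ' -f1) || return 1
    [ "$actual" = "$expected" ]
}

# Typical use: a private directory, an exclusive write, a checksum check,
# and cleanup of the directory on exit whatever happens in between.
run_example() {
    work=$(make_workdir) || return 1
    trap 'rm -rf "$work"' EXIT
    printf 'hello\n' | safe_write "$work/package.tar" || return 1
    # Constructed value: md5 of the six bytes "hello\n" written above.
    verify_md5 "$work/package.tar" b1946ac92492d2347c6235b4d2611184
}
```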
Current thread:
- More Helix Code installation problems (go-gnome) Peter W (Aug 29)
- <Possible follow-ups>
- More Helix Code installation problems (go-gnome) peterw (Aug 30)
- Re: More Helix Code installation problems (go-gnome) Morten Welinder (Aug 30)