Hi,

On Wednesday, 11.05.2005, at 14:04 +0100, Mike Hearn wrote:
> On Wed, 2005-05-11 at 10:40 +0200, Danny Milosavljevic wrote:
> > yes, copy/pasting and adding some non-trivial text, that is. I'd say
> > that's pretty hard to do "accidentally"
>
> Well, by that I meant that emails could ask people to do it.
>
> > "the user has made a decision to run a program" is only half the story.
> > If it doesn't have +x, it _is no program_.
>
> That's a rather strange way to look at it. A shell script is definitely
> a program no matter how it's marked.

Hm, in my shell scripts, I have one (sometimes maybe more) main shell script
that has +x and tons of "library" shell scripts that don't (which are
sourced by the main shell script). So from a developer standpoint the
"library" shell scripts aren't executable programs, and when I click on
them I want to edit them or I misclicked :)

Though that would just be my habit that can be broken :)

> > And as for now, shell scripts *are* only recognizable as executable
> > program by the +x flag (hmm ok, and maybe the shebang, if available at
> > all).
>
> Exactly ...
>
> > I think the root cause is the browser not flagging the shell script as
> > executable (the browser should check that and just ask if it should add
> > +x, really - maybe use a special mime type for shell script transfer so
> > it is obvious without having to download the file first)
>
> That's another way to look at it, but it's not just browsers but any
> program that can retrieve data from some source (so p2p programs,
> download managers, email clients, chat programs etc). IMHO the problem
> is that the +x bit doesn't add security, so it should be ignored, rather
> than hacking around the problem in every single program.

That depends on which is considered "hacking around": adding it to the
browser (etc.) or to Nautilus ;)

Well, at least +x is nice to have because it's very clear to the
user/admin/... what should be executed and what shouldn't (although it
doesn't do any good because it can just be changed, yeah :)).

> > > > Q: What about noexec mounts?
> > > A: Users can already circumvent the noexec bit for shell scripts anyway,
> > > so it makes no difference.
> >
> > I'd say then that (which makes them able to circumvent the noexec bit
> > easily) would be a bug. What is it?
>
> Well, "bash foo.sh". Or for ELF binaries execute it using the linker
> directly.

Well, 'easily' for me means like 'click on xyz', 'drag around', or at
least 'open a terminal and type "start foo.sh"' (although the last one is
already at the very limit :) - "bash? who should I bash? What are you
talking about?" :))

> > > > Q: Why don't you just ship the installer in a tarball?
> > > A: Because this is lame, adds additional complexity for users who already
> > > have too much, and is working around the desktop not being easy to use
> > > instead of fixing it
> >
> > That depends on how tarballs are handled.
> > MacOS9 (which I have on my very very old powermac here :)) does it that
> > way:
> > Whenever you click on a stuffit archive, it will automagically (and
> > instantly) get extracted into the current directory into a new subfolder
> > (and when I started using macos after using windows first I went "HUH?!
> > Why doesn't a window/app appear" but about two seconds later I saw the
> > new folder that appeared - plus, if the extractor program notices that
> > there already is a folder, it could say "Hey lookie there, there is a
> > folder, maybe you already clicked on the tarball")
>
> That'd certainly be a nicer way of handling tarballs. Alternatively some
> MacOS X style DMG disk image that the desktop understands and can mount
> would be good (but you need some way to mount them without root).

GnomeVFS comes to mind.

> > I don't see how that could get difficult to use at all, ever. Please do
> > tell me how :)
>
> No I think that'd be OK, though the net result is that the user doesn't
> have to set the +x bit _which is exactly what I'm proposing_ :) Why is

Yeah, but without overriding unix permissions all over the place ;)

> it better to wrap something in a container so the user doesn't have to
> mess around with properties than simply to not need that messing about
> in the first place?

Well, from a puristic standpoint the downloading programs are broken /
unsuited for downloading binaries, because having Nautilus unbreak the
permissions (or worse, ignoring them) which the admin set isn't going to
make him happy, at least. Though the user would like it, I'm sure :)

But on second thought, it's the user's file, so as long as he gets asked
and confirms, it's his own fault ... hmm ... still I feel uneasy adding
an unbreak-me dialog... but maybe for now it could be a stop-gap measure,
as long as we are talking about:

+----------------------------------------------------------------------------
| ! File is not a known program
|
| The file "installer" you clicked is not known to be an executable program.
| However, by looking at the contents it seems that it should be.
|
|                                                 [ Cancel ] [ Fix and Start ]
+----------------------------------------------------------------------------

and not:

(silence... and ... runs weird file immediately ;)

though it would certainly give more of a scary feeling running up and
down like "why is it working like crazy on the harddisk ... what the
hell did it deem executable *now*" :))

Yeah, so I'm biased in that I *do* rely on 1) executable flags and 2)
well-behaved programs not stabbing me in the back :) We perhaps could do
away with 1) though ...

I'm thinking you are starting to convince me, since having a file
flagged non-executable although it *is* an executable file just gives a
false sense of security, so if looking at the contents is 100% safe all
the time, I'm starting to think that's better.

btw how are mono executable files handled? Windows PE exe files?

> > Plus, just have the browser check the mime type of the shell script that
> > will be downloaded and figure out that it should +x it, I can't see any
> > shortcoming with that (ok, other than it adds a confirmation dialog to
> > the download process - which could be considered a good thing).
>
> That only fixes it for one browser, but there are lots. And then there's
> all the other programs I mentioned above.

freedesktop comes to mind

> thanks -mike

cheers,
  Danny
--
www.keyserver.net key id A334AEA6
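The "look at the contents, then ask before fixing +x" logic that the dialog above describes, written out as a small Python model. This is an added illustration, not code from the thread, Nautilus or GnomeVFS; the function names (looks_executable, has_exec_bit, on_noexec_mount, decide, demo) and the sample file contents are all constructed here. It combines the three signals the mail discusses: the +x bit, what the first bytes of the file say (shebang, ELF magic, and the DOS "MZ" stub that both Windows PE files and Mono assemblies start with, which answers the "btw" question), and whether the file sits on a noexec mount, where adding +x would not help anyway.

```python
"""
Model of a file manager deciding what to do on double-click:
run the file, show a "Fix and Start" dialog, open it in an editor,
or refuse because the mount is noexec.  Hypothetical example code.
"""
import os
import stat
import tempfile
from typing import Optional

# Constructed sample contents standing in for freshly downloaded files.
SAMPLES = {
    "installer.sh": b"#!/bin/sh\necho installing\n",
    "tool.elf":     b"\x7fELF\x02\x01\x01" + bytes(9),
    "app.exe":      b"MZ" + bytes(62),   # PE / Mono assemblies begin with the DOS "MZ" stub
    "notes.txt":    b"just some text\n",
}


def looks_executable(head: bytes) -> Optional[str]:
    """Return a label if the leading bytes identify an executable format, else None."""
    if head.startswith(b"#!"):
        return "script (shebang)"
    if head.startswith(b"\x7fELF"):
        return "ELF binary"
    if head.startswith(b"MZ"):
        return "PE executable (Windows or Mono)"
    return None


def has_exec_bit(path: str) -> bool:
    """True if any of the user/group/other execute bits is set."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def on_noexec_mount(path: str) -> bool:
    """True if the filesystem holding path is mounted noexec (Linux statvfs flag)."""
    noexec_flag = getattr(os, "ST_NOEXEC", 0)   # missing on non-Linux: treat as not noexec
    return bool(os.statvfs(path).f_flag & noexec_flag)


def decide(path: str, noexec: Optional[bool] = None) -> str:
    """
    'open'   : nothing in the content suggests a program; open with a viewer/editor
    'refuse' : looks like a program but the mount is noexec; chmod +x cannot fix that
    'run'    : looks like a program and +x is already set
    'ask'    : looks like a program but +x is missing -> show the dialog above
    `noexec` overrides mount detection so the decision can be tested deterministically.
    """
    with open(path, "rb") as fh:
        head = fh.read(64)
    if looks_executable(head) is None:
        return "open"
    if noexec if noexec is not None else on_noexec_mount(path):
        return "refuse"
    return "run" if has_exec_bit(path) else "ask"


def demo() -> dict:
    """Write the constructed samples to a temp dir and classify each one."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, content in SAMPLES.items():
            p = os.path.join(d, name)
            with open(p, "wb") as fh:
                fh.write(content)
            if name == "tool.elf":          # only this one arrives with +x already set
                os.chmod(p, 0o755)
            results[name] = decide(p, noexec=False)
        # Same shell script, but pretend the download directory is mounted noexec.
        results["installer.sh@noexec"] = decide(os.path.join(d, "installer.sh"), noexec=True)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} -> {verdict}")
```

The point of the 'refuse' branch is the caveat raised in the thread: a noexec mount only stops the kernel from exec()ing the file, so the only honest thing a file manager can do there is not silently "fix" anything. Note that the content sniff is a heuristic, not a safety check; it tells you the file is a program, not that it is a trustworthy one, which is why the dialog still has a Cancel button.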