Bug 469275 - Bad experience installing through firefox
Bad experience installing through firefox
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: PackageKit (Show other bugs)
10
All Linux
medium Severity medium
: ---
: ---
Assigned To: Richard Hughes
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-10-30 21:23 EDT by Owen Taylor
Modified: 2009-06-03 04:43 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-06-03 04:43:41 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
fixes permission and native confusion (7.30 KB, patch)
2008-10-31 12:27 EDT, Richard Hughes
no flags Details | Diff

  None (edit)
Description Owen Taylor 2008-10-30 21:23:00 EDT
A) I click on a RPM in koji with firefox, and choose "Open With Package Installer (default)"

B) It asks me questions along the lines of: (from memory)

  A) Do you want to install this package
  B) Do you want to copy this package to the shared location /tmp so it can be installed (huh????)
  C) A couple of more dialogs about signatures blah blah

C) Then it silently installs with no feedback, I think the installation failed

On the terminal where I started Firefox from, I see:

cp: `/tmp/xorg-x11-drv-ati-6.9.0-38.fc10.i386.rpm' and `/tmp/xorg-x11-drv-ati-6.9.0-38.fc10.i386.rpm' are the same file
Comment 1 Richard Hughes 2008-10-31 06:49:37 EDT
A) We have to ask the user to confirm
B) I wasn't sure to put this in the UI or not -- what it's saying is:

You downloaded a file to a private location that can only be accessed by your user. As packagekitd runs under a different user (uid 0), we have to copy this file to /tmp (shared) so the daemon can access and install the file.

The reason it asks rather than just doing it, is that the rpm might be secure or private to the user, and probably shouldn't be put somewhere public without asking. This might be cracktastic, maybe we should just do it.

C) signatures are a necessary evil. Not that I like them either. :-(

>I think the installation failed

Normally when it fails it throws up a GUI error, but I admit I haven't handled the copy failed case. I'm slightly confused why it tries to copy to itself. Doing some debugging:

1. download file using firefox to /tmp
2. look at permissions:

-r-------- 1 hughsie hughsie 199960 2008-10-31 10:37 /tmp/codeblocks-devel-8.02-3.fc9.i386.rpm

So gnome-packagekit looks at the permissions for UID 0, and finds it's not able to access the file, so it chooses to copy the file to tmp and....

So, is the correct thing in this case:

1. firefox downloads the file with -r--r--r--?
2. gnome-packagekit chmod a+x the file before it does the uid 0 read check if the file is owned by the current user? Is this bad form making the file readable by all users?
3. change the copy directory to /tmp/packagekit rather than /tmp

Ideas welcome, but I'm erring on 3.

Richard.
Comment 2 Owen Taylor 2008-10-31 07:51:48 EDT
As far as I know the installation did succeed despite the cp error (do you check the status?) "I think the installation failed" shows the problem with informally
narrating in the present tense :-).

The main reason for mentioning A) and C) was that the shear number of dialogs was dizzying... and after that many dialogs popping up, my expectation was definitely that it would continue to be chatty and give a dialog on success. 

The fact I was confused about whether it succeeded is not necessarily evidence
that there needs to be positive confirmation of success, it's just one data
point.

Of course, root can access -r--------- <somebody else> files fine.
(unless they are on a root-squashed nfs partition, AFS, etc.)

If you are really worried about root squash, then I'd suggest

 - Copy it to a mkstemp() file in /tmp with permissions -r-------
   (I assume packaging systems don't care about names) That will be
   readable by the user and root.
 - Don't ask me. Even if you have to make it world readable, don't ask
   me. Asking me doesn't make the security problem one whit better. 

I'm not sure I understand the a+x you propose. Do you mean a+r?
Comment 3 Richard Hughes 2008-10-31 11:57:12 EDT
>Do you mean a+r?

Yes, sorry.

>Of course, root can access -r--------- <somebody else> files fine.

Except if they are using gvfs -- for instance look at bug https://bugzilla.redhat.com/show_bug.cgi?id=456094

You can reproduce mounting a ssh share using gfvs, and then trying to list files in /home/foo/.gvfs/ from the root user.

>Copy it to a mkstemp() file in /tmp

I thought about that too, but we hand yum a filename, not a fd, so there would be a race anyway. I'm thinking of just copying the file from $x to ~/.PackageKit/cache/ as then we don't have to use a world writeable directory like at all.

Of course, firefox is still ultimately downloading the file to /tmp and then executing the handler, so I'm sure that's not ideal either. Does firefox purposefully copy the file, or is that it's download-dir when it's going to launch a mime helper?

>Asking me doesn't make the security problem one whit better

No, sorry if it came out like that. I don't think this is any more of a security problem now as it was when we used pirut to install the package in F8, it's just not ideal at all. I'll work on the security copy check stuff now.

Richard.
Comment 4 Richard Hughes 2008-10-31 12:27:31 EDT
Created attachment 322106 [details]
fixes permission and native confusion

This patch is a first cut at removing the permission checks, and relying on GIO to tell us if the file is native (i.e. not on FUSE filesystem). This fixes things for me.

The patch needs some more work, as that bit of code is horrible, and needs refactoring.

Richard.
Comment 5 Richard Hughes 2008-10-31 13:40:08 EDT
commit 838241d093a7be7600d05d35d02b6e6050904b28
Author: Richard Hughes <richard@hughsie.com>
Date:   Fri Oct 31 17:25:56 2008 +0000

    bugfix: fix the interaction when installing local files by only showing the
    copy dialog for non-native paths. Also add a confirm dialog when the files
    were installed correctly, and also make sure the dialog is shown for the
    untrusted 2nd pass of the installation. Fixes rh#469275

They'll be a new upstream release of PackageKit on Monday, although I probably
can't do a major version upgrade until we branch for F11.
Comment 6 Richard Hughes 2008-10-31 13:41:04 EDT
Ohh, there are rpm's and srpm's here if you want to test: http://www.packagekit.org/packages/
Comment 7 Bug Zapper 2008-11-25 23:31:28 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.