[maemo-users] Re: Bricked a third time

From: Eero Tamminen eero.tamminen at nokia.com
Date: Tue Feb 13 18:55:37 EET 2007

ext Aniello Del Sorbo wrote:
> Frantisek Dufka wrote:
>> Aniello Del Sorbo wrote:
>>> I mean, if my app needs to be called as "helloworld" and it looks at 
>>> a conf file called "helloword.conf", why do I have to copy the 
>>> executable in /usr/bin and the conf file in /etc while I can just 
>>> copy it to /usr/local/bin (owned or writable by 'user') and the conf 
>>> file in /usr/local/etc? (just to give an example) and add 
>>> /usr/local/bin to the path?
>> Yes it was similar except /usr/local was /var/lib/install. And it was 
>> done in such way that no package could ever put file outside of 
>> /var/lib/install (the only way that gives you some additional security 
>> you probably want).
>> So you had 2 classes of packages (system ones in / and user ones in 
>> /var/lib/install) which made system more complex and prevented you 
>> from making 'system' packages i.e. ones which modify or extend the 
>> system in interesting ways.
>> Frantisek
> I do not want that either.
> I am not saying we should run dpkg in a chrooted environment.
> I am only saying we should run it with the -x (I think) option that 
> points to something like /usr/local where user can write. In this case 
> there would be no need to gain root privileges unless the .deb is a 
> system package (and the system could ask for a password, a la Mac OS X).

Sorry that I didn't understand you at first.

> As it is now, and as I understand it, every .deb can brick my device if 
> it has been built from a malicious user.

Even something run as user can make the device pretty unusable either
at install time (e.g. by messing up with Gconf keys or removing some
other user configuration / or data files), or at run time by eating
all resources or killing all your apps.

As to the other security aspects, anything you install onto your
(Maemo/Linux/Windows) machine, can spy anything you do (which passwords
you enter to the Browser etc).  The warnings you get when you install
a new package are there for a reason!

The only thing that helps with this is more and wider testing (and of course
developers being more careful etc).

	- Eero
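
An added example, not part of the original message or of Maemo's installer: a sketch of the confinement check Frantisek describes (no package file outside /var/lib/install), run over a package payload before anything is unpacked. The function names and the sample archive are constructed for illustration; only the /var/lib/install prefix comes from the thread.

```python
import io
import posixpath
import tarfile

PREFIX = "/var/lib/install"  # user-package root named in the thread


def inside(path, prefix=PREFIX):
    """True if the normalised absolute path is the prefix or lies below it."""
    path = posixpath.normpath(path)
    return path == prefix or path.startswith(prefix + "/")


def escaping_members(tar_bytes, prefix=PREFIX):
    """Return (name, reason) for every member that would land outside prefix."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in tar.getmembers():
            # Payload names are relative to "/", e.g. "./usr/bin/helloworld".
            dest = posixpath.normpath(posixpath.join("/", m.name))
            if m.isdir() and (prefix + "/").startswith(dest.rstrip("/") + "/"):
                continue  # parent directories of the prefix ("/", "/var", ...)
            if not inside(dest, prefix):
                findings.append((m.name, "path outside prefix"))
            elif m.issym() or m.islnk():
                # Symlink targets resolve from the link's own directory,
                # hard-link targets from the archive root.
                base = posixpath.dirname(dest) if m.issym() else "/"
                target = posixpath.join(base, m.linkname)
                if not inside(target, prefix):
                    findings.append((m.name, "link target outside prefix"))
    return findings


def build_sample():
    """Constructed payload standing in for a package's data.tar."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, kind=tarfile.REGTYPE, link="", data=b""):
            info = tarfile.TarInfo(name)
            info.type, info.linkname, info.size = kind, link, len(data)
            tar.addfile(info, io.BytesIO(data))
        add("./var/lib", tarfile.DIRTYPE)
        add("./var/lib/install/bin/helloworld", data=b"#!/bin/sh\n")
        add("./etc/helloworld.conf", data=b"greeting=hi\n")
        add("./var/lib/install/../../../etc/passwd")
        add("./var/lib/install/etc", tarfile.SYMTYPE, "/etc")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in escaping_members(build_sample()):
        print(f"{reason}: {name}")
```

A path check like this covers only the payload; a package's maintainer scripts run with the installer's privileges and are outside its scope.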
