Multi-user support

These actually will not cause problems in badly written packages, because “SYSTEM” packages (only haiku.hpkg and a few others are these) override non-system packages. A malicious package could claim to be a “SYSTEM” package of course, and then cause problems, but at least badly designed packages will not cause problems here.

Yes, this one would indeed be a problem. But it would be under Linux, too; I don’t think there are defenses against it…

1 Like

You mean non-packaged directories? In case you ever get such a library in there which is causing problems, the “Disable user add-ons” bootloader option also disables loading libraries from non-packaged directories. So you can rescue your system by enabling that option and then cleaning out the culprit files.

1 Like

Yes. Not sure that a user unfamiliar with computer things can do it themselves.

There is an even more ultimate recovery solution: a boot USB.

1 Like

Limit the permissions of the install script to a list of permitted directories. Package installation should not use root permissions.

2 Likes

I had weird things happening when one of my packages had a file instead of a directory. Not sure if it was before or after the change to prioritize SYSTEM packages, however. Anyway, my main point stands: installing packages is the superhighway for installing malware in Haiku and we don’t really have any defenses against it, as we allow many ways to install packages without checking anything. Basically all you need is to find a way to somehow put a file in /boot/system/packages or ~/config/packages and you can run arbitrary code as root, and persist across reboots.

I don’t know what an appropriate solution is, but I don’t see how it would be different in a major way from what is done in other OS: ask the user. Linux adds an extra and probably useless password prompt for sudo. Windows just wants you to click a button, but since they show the same dialog for just about everything, they train people to ignore the dialog and click OK whenever they want to do something, or even when the computer appears to want to do something. I think Android gets this right for application installation. Their dialog shows up only in that case, it is very clear about what will be installed and what permissions the app will need. This is easy to understand, and triggered infrequently so if it ever happens outside of you installing an app, or if the app has very unexpected permissions, you can quickly notice it and stop the thing from installing. Yet it integrates well with 3rd party sources (F-Droid and other alternate stores, or just manually installing an APK you got by other ways).

4 Likes
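The post above names the two directories where dropping a file means arbitrary code as root across reboots. The check a practitioner would want, given that, is a baseline of what is activated there and a diff against it. This is an added example and not Haiku code or anything from the forum; the directory paths come from the post, the `.hpkg` suffix is Haiku's package extension, and the manifest format, the function names and the sample packages in the demo are assumptions constructed for illustration. The demo runs against temporary directories so it works on any system.

```python
"""Integrity baseline for package activation directories (added example).

Assumption (hypothetical): you periodically snapshot the .hpkg files in
/boot/system/packages and ~/config/packages and compare against a stored
baseline, so that an unexpected package (or a replaced one) is noticed
before it is trusted. Not Haiku code; the sample packages are constructed.
"""
import hashlib
import json
import os
import tempfile

# Directories named in the discussion. The functions take the list as a
# parameter so the demo below can point them at constructed directories.
DEFAULT_PACKAGE_DIRS = (
    "/boot/system/packages",
    os.path.expanduser("~/config/packages"),
)


def file_digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large packages are not slurped."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(package_dirs):
    """Map full path -> sha256 for every .hpkg in the given directories."""
    out = {}
    for d in package_dirs:
        if not os.path.isdir(d):
            continue  # e.g. ~/config/packages may not exist yet
        for name in sorted(os.listdir(d)):
            if name.endswith(".hpkg"):
                path = os.path.join(d, name)
                out[path] = file_digest(path)
    return out


def diff_manifests(baseline, current):
    """Report packages that appeared, vanished, or changed contents."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(
        p for p in current if p in baseline and current[p] != baseline[p]
    )
    return {"added": added, "removed": removed, "changed": changed}


def save_baseline(m, path):
    with open(path, "w") as f:
        json.dump(m, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def simulate_drop():
    """Constructed scenario: a package is dropped in and a system one replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir = os.path.join(tmp, "system", "packages")
        userdir = os.path.join(tmp, "config", "packages")
        os.makedirs(sysdir)
        os.makedirs(userdir)
        dirs = [sysdir, userdir]

        # Constructed sample contents; real .hpkg files are not needed here.
        with open(os.path.join(sysdir, "haiku.hpkg"), "wb") as f:
            f.write(b"constructed system package")
        with open(os.path.join(userdir, "webpositive.hpkg"), "wb") as f:
            f.write(b"constructed user package")

        baseline_path = os.path.join(tmp, "baseline.json")
        save_baseline(manifest(dirs), baseline_path)

        # Attacker-style events: a new package appears, and a system
        # package is overwritten in place (same name, different bytes).
        with open(os.path.join(userdir, "evil.hpkg"), "wb") as f:
            f.write(b"constructed dropped package")
        with open(os.path.join(sysdir, "haiku.hpkg"), "wb") as f:
            f.write(b"constructed TAMPERED system package")

        return diff_manifests(load_baseline(baseline_path), manifest(dirs))


if __name__ == "__main__":
    print(json.dumps(simulate_drop(), indent=2))
```

Two caveats apply when using something like this for real: the baseline file has to live somewhere the attacker cannot write (otherwise they update it along with the dropped package), and a diff only tells you something changed after the fact; it does not stop the package from being activated at the next boot, which is the gap the rest of the thread is about.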

The solution can be to provide a different packagefs mapping depending on the package containing the running executable, as I proposed above. Installing a package can’t harm because it is only mapped to packages that depend on it.

In my view, being able to easily get software from “unvetted” sources is one of the most important parts of a desktop operating system. You can’t really have freedom if developers need approval to distribute their software.

4 Likes
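The per-package packagefs mapping proposed in the post above is easy to misread, so here is a small model of it as an added example (not Haiku code and not the poster's own implementation). The assumption, stated as an assumption, is that each package declares the packages it requires, and that an executable from package P sees only P itself, P's transitive requirements, and nothing else. The package names, their dependencies and the library names are constructed for illustration. `library_providers` answers the question the post raises: with a global mapping (today's model, as the post describes it) a dropped package can shadow a library for everyone; with the scoped mapping it is invisible to any package that does not require it.

```python
"""Model of dependency-scoped package visibility (added example).

Hypothetical model, not Haiku's packagefs: a package is mapped into the
view of an executable only if the executable's package transitively
requires it. Sample metadata below is constructed.
"""
from collections import deque

# Constructed sample: package -> packages it declares as required.
SAMPLE_REQUIRES = {
    "haiku": set(),
    "openssl": {"haiku"},
    "webpositive": {"haiku", "openssl"},
    "evil": {"haiku"},  # dropped into a packages directory; nobody requires it
}

# Constructed sample: package -> library names it provides.
SAMPLE_PROVIDES = {
    "haiku": {"libroot.so", "libbe.so"},
    "openssl": {"libssl.so", "libcrypto.so"},
    "webpositive": set(),
    "evil": {"libssl.so"},  # tries to shadow the real libssl.so
}


def visible_packages(requires, start):
    """Packages an executable from `start` would see: the transitive
    closure of its `requires` relation, including `start` itself."""
    if start not in requires:
        raise KeyError(f"{start} is not an installed package")
    seen = {start}
    queue = deque([start])
    while queue:
        pkg = queue.popleft()
        for dep in requires[pkg]:
            if dep not in requires:
                # Modelled as an activation error: a package whose
                # dependency is missing cannot be given a complete view.
                raise ValueError(f"{pkg} requires {dep}, which is not installed")
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen


def library_providers(requires, provides, requester, lib, scoped=True):
    """Which packages could satisfy `lib` for an executable in `requester`.

    scoped=False models one global mapping where every activated package
    is visible to everyone; scoped=True models the proposal in the thread.
    """
    if scoped:
        candidates = visible_packages(requires, requester)
    else:
        candidates = set(requires)
    return sorted(p for p in candidates if lib in provides.get(p, set()))


if __name__ == "__main__":
    for scoped in (False, True):
        who = library_providers(
            SAMPLE_REQUIRES, SAMPLE_PROVIDES, "webpositive", "libssl.so", scoped
        )
        print(f"scoped={scoped}: libssl.so for webpositive comes from {who}")
```

What the model also makes visible is the limit of the idea: it constrains what an installed package can shadow for other packages, not what an executable does once the user launches it directly from that package, so it is a complement to the activation prompt discussed elsewhere in the thread rather than a replacement for it.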

I don’t see much of a choice - it is either something like that (a prompt or dialog to elevate an app) or have nothing at all (apps have admin rights if the user is admin).

Windows allows both (you can just turn off UAC and it should revert to Windows XP behaviour), but there is a reason MS introduced it. The less you can trust your user base to be tech savvy enough not to run malicious software accidentally, the more you need to lock the system down to prevent it from breaking all the time.

1 Like

Yes, of course. But this means we can’t consider packaged apps trusted by default, and we need to protect against apps that are in packages in some way. At a minimum, ask the user to confirm when a new package is about to be activated, and make it clear what the app will have access to.

7 Likes

I am not against the option to run applications using different permissions than the current user. But it should be turned off by default (running using the user’s permission).

Not irritating the user is the sane default.

They say you can’t solve a problem at the same intellectual level that created it.
50 years wasn’t enough for the *nix folks to find a solution to this problem, which they created:

2 Likes

IMHO one needs to take into account the intended audience for the OS. Windows has to cater for completely computer illiterate users, which are the ones that benefit most from having as many security features turned on by default. And, at the end of the day, it is easier to expect a power user to be able to turn UAC off if they want to than to expect a computer illiterate user to even know what that is, let alone turn it on or even care (their OS install might just crumble and then they’ll curse the computer manufacturer).

Windows’ worst crime here is that the configuration screen to turn it off isn’t that obvious to find unless you know the term to type into the search bar, and it only exists in the legacy Control Panel, not the new configurations app. I’m somewhat amazed (negatively) that the configurations app still lacks so much after 10 years.

Haiku might not have to cater for that though, so the defaults might be different. Or just have a screen in the setup process ask the user which configuration they want as default, e.g. “standard mode” and “secure mode”.

1 Like

Maybe on the system side, just prevent any packages from installing into the system folders unless they come from Haiku servers and are approved system packages.

This kind of thinking ruins so many things, and is unfortunately very common. By designing for the lowest common denominator, the rest will suffer. I want Haiku to not make that mistake.

4 Likes

I don’t understand how a vulnerable system prone to malware attacks is considered a sane default. The implementation might not be ideal, but UAC is there for a very good reason: software used to be able to install itself in the background. Turning off UAC, disabling Windows Update, even removing Windows Defender (I’ve read all kinds of stupid advice to ‘increase user friendliness’, not just on this forum) leaves your computer open to malware attacks. It is not a safe default. The same goes for running everything as root on Linux.

Haiku does not have these issues yet, because it is not a big enough target, but currently it is completely open to potential malware attacks in the future. There should be some kind of protection. The challenge is coming up with something better.

2 Likes

Funnily that is exactly how I have run all my computers all my life (disabled everything on Windows, run everything as root on Unix, do not update anything unless absolutely necessary). I’ve had zero problems.

My only protection is free to use anti-virus and a router with NAT (firewall only to protect the router, not the internal NATed network).

I’m not against protection. I’m against intrusive protection.

1 Like

As has often been written, an implementation of a multi-user area will not come before the end of R1.

I hope that at some point it will become an issue and that we will at least get a minimum for the time being, such as password protection when entering the system.

I’m still of the opinion that it would make sense, later on, to include a changeable home folder, as I suggested here: [Link]

  • Each user a home container (secured with a password - User/Admin)
  • When starting the system, the user selects his account
    • Now the corresponding container is mounted in Home.
    • no access to other home containers
    • User may only install software in home (makes sense since the software installed there already has priority today)
  • Admin can see all (mount?)
    • Global software installation via system admin

A lot is already there.

  • Permission settings for the files
  • Separate installation areas System/Home
  • Installed apps are in read only

Possible security through containers.

The user installs malicious software and infects his system (only home is write-enabled as a user), then the admin can remove the container in an absolute emergency and thus avert the danger.

2 Likes

This kind of protection is absolutely unneeded if you (as a user) know at least a little bit about what the hell you’re doing, and absolutely useless if not.
If you get some virus/malware/trojan/whatever, in 99% of cases it is your own fault.
You downloaded and opened a mail attachment from an unknown source, you downloaded a program from some obscure warez site, you did what that fake Micro$oft support caller told you, …
A program will not install by itself, period.
If you try to do those mistakes mentioned above, no annoying confirmation dialog will help you, because you’ll just click Yes.
If you know a little bit about computers and don’t want to try them, well, what do you need that annoying confirmation dialog for then?
The only case where I can see this preventing bad things from happening is if a program is vulnerable and tries to install another application without the user knowing, but then we should just make the applications more secure and prevent that from happening, instead of annoying all users with stupid confirmation dialogs.

2 Likes

Anyone who has children certainly thinks differently. There are always documents, pictures, videos, etc. that are not intended for children. These should be kept out of their hands.

In addition, many do not have that much space, often only one computer per family. If someone breaks the system, what then? Then no one can do anything, it doesn’t make sense. User management makes sense and it’s not just about security.

I’ve also experienced that people open emails because they don’t think about it any further and in the end their system was blocked and had to be set up again or bought free.

There will be more and more network activity as life becomes more and more digital. Honestly, it doesn’t work without security.

The question is how do we go our own way.

4 Likes

My observation is that most users absolutely don’t know what they are doing. In the past, just visiting the wrong website could infect your computer, and it happened that this malware spread through common advertisements on credible websites. No confirmation dialog (because no UAC). Thankfully, ActiveX and IE6 are things of the past.

If you know what you’re doing, you’re an exception. You should also know how to disable the user protection shield. Having such a protection disabled by default is asking for problems.

Running everything as root is a leap of faith, unless you’re familiar with all the code that’s running on your system which I am certain you’re not.

4 Likes