Page 16 of 235 FirstFirst ... 614151617182666116 ... LastLast
Results 151 to 160 of 2344

Thread: [Boot-Repair] Graphical tool to repair the PC boot in one click

  1. #151
    Join Date
    Sep 2011
    Location
    New York City
    Beans
    214
    Distro
    Ubuntu 11.10 Oneiric Ocelot

    Question Re: [Boot-Repair] Graphical tool to repair the PC boot in 1 click!

    This may be a real dummy question but I'll fire away. Can the boot repair cd be used on a Wubi Installation? Can it also restore a wubi installation before some changes were made?
    When in doubt, check it out!

    If all else fails, check the plug!

  2. #152
    Join Date
    Jan 2008
    Location
    France
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: [Boot-Repair] Graphical tool to repair the PC boot in 1 click!

    Hello

    Quote Originally Posted by PayPaul View Post
    This may be a real dummy question but I'll fire away. Can the boot repair cd be used on a Wubi Installation? Can it also restore a wubi installation before some changes were made?
    There is no silly question
    Currently, most of Wubi problems won't be solved by Boot-Repair.
    I need help from Wubi experts to add such features.

  3. #153
    Join Date
    Jan 2008
    Location
    France
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: [Boot-Repair] Graphical tool to repair the PC boot in 1 click!

    This morning, I had the surprise to see that someone had added the following comments in https://help.ubuntu.com/community/Boot-Repair, so I would like to say a word about them :

    Quote Originally Posted by mike-worb
    Security Warning

    The instructions below should be disregarded due to unacceptable security vulnerabilities. In particular, the currently posted code for Boot-Repair will do the following, all of which are unacceptable:

    1. It downloads and executes scripts (as root), from two different insecure locations via http.

    2. The scripts adds, without your knowledge, an un-trusted third-party package repository allowing any user with control of that system to install and run arbitrary code on your system.

    Further, despite impressions to the contrary, Boot-Repair is NOT an official offering of Ubuntu.
    - First, Boot-Repair is executed as root, because it is the only way to repair the boot (installing GRUB, using os-prober, or modifying the MBR, all require adminitrator privileges). All other tools dealing with boot will also use root privileges.
    - Second, Boot-Repair auto-updates itself from its PPA when starting. Anyway, to install Boot-Repair, the only current way is to add this PPA.
    - Boot-Repair second button ("Create a Boot-Info Summary") downloads and executes Boot-Info-Script (http://bootinfoscript.sourceforge.net/ ), which is widely used on this forum to diagnose boot problems.
    - If someone is afraid of downloading something from http, he can use Boot-Repair offline.
    - Boot-Repair is not in Ubuntu repositories (that is why it is needed to install a PPA).
    - Boot-Repair is open-source (GNU-GPL), and Boot-Info-Script too, so anybody can check its code.

    Is there such a paranoiac "Security warning" in all wiki pages talking about a PPA software ?
    Proprietary (closed-source) softwares are far more dangerous than PPA software, and they are installed with root privileges too. Is there such paranoia for Google Talk plugin for example ?

  4. #154
    Join Date
    Jan 2007
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: [Boot-Repair] Graphical tool to repair the PC boot in 1 click!

    I created the Grub 2 community doc page, as well as others, which are open to others for editing (but not as open as a normal wiki). From time to time I'm surprised what shows up on the page. Even though our input in Community documentation is reviewed, things get input that sometimes aren't correct, or are misspelled, etc.

    Previous pages are saved for review, so if you need to edit the latest be sure to make a detailed comment on why the change is being made. Others should review these changes/reasons before editing and your modifications and explanations for editing are submitted for review.
    GRUB2

    Retired.

  5. #155
    Join Date
    Jan 2008
    Location
    France
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: [Boot-Repair] Graphical tool to repair the PC boot in 1 click!

    Thanks drs305, but my concern was not about how to use the wiki (I am ubuntu-fr wiki admin since 2007), but about the way this user added such a "I have doubts, so don't use this app" comment in the wiki without even discussing about it on this forum (nor directly with me) before.
    I made this app open-source (GPLv3), and I spend a lot of time to improve it and help people, so I am a bit sad to see this person spent time to look at the code but only took time to write such a bad comment instead of suggesting improvements.
    I hope my last comment will answer his worries, and anybody is welcome to ask more details if necessary.

    By the way, there is no page about PPAs in the wiki... if i have time i will translate the ubuntu-fr one.

  6. #156
    Join Date
    Oct 2011
    Beans
    3

    Re: [Boot-Repair] Graphical tool to repair the PC boot in 1 click!

    The security issues in Boot-Repair are both real and severe. The degree to which YannBuntu dismisses or excuses the issues further raises concern.

    There are at least two serious issues in the current implementation:

    1. While executing as root, Boot-Repair pulls a script from the web via "http" and executes it. In this way, neither the authenticity of the host nor the code are checked. Anyone with a basic understanding of software security would be shocked at this. There are many ways to attack this scenario, some of which would yield control of every system on which Boot-Repair is run!

    2. Boot-Repair adds, during execution, YannBuntu's personal ppa to the system. This occurs even if the user chose to download the source so as to avoid doing this to install it! Attacks on this could yield control of every system on which Boot-Repair is installed!

    In response to YannBuntu's message above:

    - First, Boot-Repair is executed as root, because it is the only way to repair the boot (installing GRUB, using os-prober, or modifying the MBR, all require adminitrator privileges). All other tools dealing with boot will also use root privileges.
    -- Of course it need to run as root. That is not the problem here. However, once software is running as root, the security bar is raised. Boot-Repair is doing things considered unacceptable in software even when NOT running as root.

    - Second, Boot-Repair auto-updates itself from its PPA when starting. Anyway, to install Boot-Repair, the only current way is to add this PPA.
    -- No software should ever update automatically w/o consent of the user. Further, the software should not register itself with the system's update engine w/o explicit consent of the user.

    - Boot-Repair second button ("Create a Boot-Info Summary") downloads and executes Boot-Info-Script (http://bootinfoscript.sourceforge.net/ ), which is widely used on this forum to diagnose boot problems.
    -- There is a reason people download code via https, and/or check signatures of code after download. If you are going to pull and execute scripts while running as root, you need to pull these from trusted, secure, sources and check signatures. This is not debatable.

    - If someone is afraid of downloading something from http, he can use Boot-Repair off-line.
    -- Assuming they know they SHOULD be afraid, which they won't since you've deleted the heads-up on the Wiki.

    - Boot-Repair is not in Ubuntu repositories (that is why it is needed to install a PPA).
    -- The degree to which you've integrated the documentation of it with items that ARE a part of the official distribution creates the impression otherwise.

    - Boot-Repair is open-source (GNU-GPL), and Boot-Info-Script too, so anybody can check its code.
    -- With the attack vectors you've opened up with Boot-Repair, there is no way for a user to know for sure what exactly they've run on their system.
    Last edited by worb; October 9th, 2011 at 07:32 PM.

  7. #157
    Join Date
    Jan 2008
    Location
    France
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: [Boot-Repair] Graphical tool to repair the PC boot in 1 click!

    Thanks for taking time to detail your thoughts.
    - What do you recommend to improve the security during of Boot-Info-Script download and execution ?
    - What do you recommend to improve the security of Boot-Repair update ?

  8. #158
    Join Date
    Oct 2011
    Beans
    3

    Re: [Boot-Repair] Graphical tool to repair the PC boot in 1 click!

    YannBuntu -

    You absolutely need to pull it from distribution for now. You have no right to introduce the kind of security risks that this software contains to anybody else's system.

    You should also understand that major software vendors and open-source developers alike would ship critical security patches ASAP for the kinds of issues in your code.

    I'm not here to train you in secure software development, nor to contribute to the improvement of "boot-repair".

    Per your prior replies, and per your code, I honestly do not think you are qualified to write software that runs as root and is distributed to thousands, if not more, computers.

  9. #159
    Join Date
    Jan 2008
    Location
    France
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Arrow Re: [Boot-Repair] Graphical tool to repair the PC boot in 1 click!

    Coming from such a rude person, who has zero contribution on Launchpad, only 2 posts on this forum, and shows such bad will, I don't know if it's a bad joke or else (conflict of interest ?).

    I would really be happy to understand exactly what the "risk" is, and by which mechanism a problem could arise. Are Launchpad and Sourceforge servers risky ?

    Admitting it is risky to update from Launchpad, that would mean that all PPA softwares are risky !!!
    Admitting it is risky to download from SourceForge, that would mean that thousands of Free Software have the same risk !!! And this risk also exists when using Boot-Info-Script "without Boot-Repair".

    Anyway, if these servers are risky, what we could do for now is disabling the auto-update, and including Boot-Info-Script inside Boot-Repair.

    Any "productive" comments are welcome.
    Last edited by YannBuntu; October 11th, 2011 at 03:44 AM.

  10. #160
    Join Date
    Oct 2011
    Beans
    3

    Re: [Boot-Repair] Graphical tool to repair the PC boot in 1 click!

    OK: User knowingly registers a ppa for third-party software.
    NOT OK: Script running as root registers a ppa and automatically performs an update w/o user consent or knowledge.

    OK: Script running as root downloads script via https, validates cryptographic signature of script, and then executes script as root.
    NOT OK: Script running as root downloads script via http and executes script as root.

    Regarding ppa security, any ppa is only as secure as the owner of that ppa. In the case of Boot-Repair, YannBuntu effectively now has easy root access to every system on which it has ever been installed or run. So too would anyone who compromises YannBuntu's personal credentials or systems. For software that does not need to run as root, the risk is considerably less and perhaps tolerable. For software that runs as root, it is unacceptable.

    Regarding downloading, from within a script running as root, additional scripts via http, without signature check, and executing them as root: does the problem with this really need to be explained to anybody?

Page 16 of 235 FirstFirst ... 614151617182666116 ... LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •