Executable format without +x permissions
 

Hi

I'm trying to think of a file format that will allow a downloaded file to be executed. I assume it's not possible to force +x permissions from the server for HTTP or FTP downloads.

One can download a shell script and run 'sh downloaded.sh' but for that one needs to be in a terminal and type the command.

Thanks

Sysadmins specifically try to prevent that sort of thing. It's a security breach. If the webserver process has write permission in a directory, then the +x can be set from the webserver (e.g. php or something else). But, typically, it is assumed that user intervention should be required to download an executable and then execute it. If you had it set up in a tarball or something like that, it could come out with the x. But, again, that should require user intervention to untar it.

Yes I understand that it's what sysadmins want - but look at it from the point of view of the user. I can download a program and run it in Windows, I can do it on a Mac, why the hell not on Linux?

Say I'm a regular Joe with a regular machine (except it's running Linux). I don't have a sysadmin. I can't tell a terminal from the screensaver. I don't know how, or it's too much effort to use a program to extract the tarball. I don't like this linux thing?

I just finished writing a blog post about it: http://littlesvr.ca/grumble/2007/10/...te-a-download/

I'm not quite grasping the problem here....why can't you set the execute permission?

"Regular Joe" can install SW with the package manager. Little-known fact: With the modern Linux package management / repository scheme, installing SW is typically easier than on Windows.

Because I don't know there is such a thing. Again, think you're a regular Joe.

And the issue doesn't apply only to installers but to any executable file.

That feature is why viruses are able to proliferate on the Windows platform. It is simply a terrible idea. If you use windows, you know that an .exe file is an executable. It isn't any harder to know that in Linux you need to set the executable bit. Give users a little credit. They are as stupid as you think.

You're confused, because:
1: that feature doesn't seem to aid viruses in proliferating on Macs
2: you can already download a .deb file and that will run on a double-click and can do as much damage as an executable script

It is a lot harder to learn to change permissions to a file and do it than learn to double-click on a file and do it. And it has nothing to with being stupid. Your're talking like a mechanic who thinks everyone who has a car needs to know how to change the oil.

If the user is a "regular Joe" as you put it, they probably do not know if the file is safe to run. In which case, they shouldn't be running it from the Web Browser in the first place. The poor implementations of Microsoft Windows security is hardly an argument here; if Windows lets an "average Joe" user do this, then it's broken. (Incidentally, a senior spokesman recently apologized for "letting users down" with the level of security in Windows XP while promoting Windows Vista).

I have read your blog post and think it's a very bad idea. Consider what would happen if someone put up a web-site with a script like "rm -rf $HOME/", and linked to it with something like "critical linux security fix; all users should download and run this now!". An average Joe would not be expected to read the script (you wouldn't do that on Windows, and anyway it could easily be an executable that you would have to disassemble to read).

Another problem is that file types are supposed to be determined by the contents of the file, not the last part of the filename (which is another limitation of Windows).

I still don't know why you want to do this, but a better solution would be to add an option like "Run program" to the icon's right-click menu, displaying a security warning to the user and offering them the chance of setting the execute bit on the file.

In the case of installing programs, a solution already exists; just put a Debian package or RPM file (of appropriate type for the OS) onto the page and link to that; the user will then be prompted to install the package with appropriate warnings already in place.

If I abuse and twist the definition, "Regular Joe" has one or more of the following attributes:

• Does not know or care what an operating system is.
• Thinks "computer" means Windows.
• Regards anyone with a Mac or Linux as some kind of geek fringe.
• Would never trust free software.
• Would hire the "Geek Squad" or equivalent to install an external USB hard drive.
• Might understand the impact of monopolies such as MS, but would never do anything about it.

I have limited interest in catering to this person.

I'm not sure I see your point. Are you saying users shouldn't be able to download and run programs at all? Or unless they are knowledgeable enough to... what?

I'm sure you didn't read the last configure script that you ran, or disassembled the last .deb/.rpm file you downloaded.

Hm.. good point. I'll have to investigate and find out how many file managers have this.. feature.

I'm writing a virus muwhaha :) No, i have a project in mind that would need this to work and I'm still not sure if that project makes much sense; but regardless I think this is something that needs to be done.

As to the warning - indeed why not? The esh program in my blog doesn't have to be just a line of C, it can have a dialog in there that asks the user if they're sure. Would this be acceptable to the naysayers?

Except for the 'never trust' bullet that's the kind of user I'm talking about.

That's fair, but I have a lot of interest in it since I'm looking for ways to significantly expand the Linux userbase - and that's not going to work if education in computer science is a requirement.

In the days of the Apple-II, the machine starts up (very quickly) and then the rectangular cursor blinks at you. If you want to--eg--run the word processor, you have to know to type "write". This does not require an education in computer science--only the ability to follow instructions.

For 99% of all Linux usage, your "Joe Sixpack" will only have to follow instructions as to where to find the package manager. On rare occassions, he might have to download and set execution privileges.

I really worry about someone who cannot follow a simple instruction such as:
open a terminal
type su
enter your password
type chmod +ux filename

To be sure, there are many in the world that won't do this, but don't tell me they can't Most people who say they can't learn something are really saying they don't want to. I can't help them.....

You are right about one thing. Double clicking on a debian or rpm package will install a precompiled binary.

You still need to be careful about where you obtain your software. Behavior on the web is the most important thing a user can do to prevent malware.

I still don't agree that Joe six pack can't understand the the idea of permissions. If they share files in windows, they deal with with ownerships and permissions. On a mac, you need to give permission to install a file. Also, an OS X mac is bsd based and so scripts need the same permissions changed as in Linux. A package manager in Linux will set the permissions for Joe six pack.

I don't have a mac but I've been assured that one does not need to open a terminal to run a downloaded application on OSX.

I'm not talking about users who know how to share files on a network :)

I condensed what I found so far and put it on a webpage. I also made a prototype program to run shell scripts. Please see http://littlesvr.ca/uli/esh/

If you use the package manager that comes with your distro, you don't need to open a terminal to download an application in Linux.

Some of the same source packages you might install for Linux will test for BSD in the configure phase. Some are cross platform and will install on windows as well. You may have the same "./configure", "make", "make install" steps. The difference being that the configure script produced a version of a makefile for the platform you have.

Often, there will be prepackaged debian or rpm packages prepared for packages that the distro doesn't provide. Such as mp3 enabled xmms or Audacity.

Yep - but like I say on the webpage the developer needs to learn to make a couple of .deb format packages, half a dozen .rpm formats, and another dozen random packages used by less popular distros. And then update all those packages for every release of the program.

esh is not for the popular software - it's for new software that didn't yet make it into the proper package format and into the distros' repositories.