LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 10-05-2007, 06:50 AM   #1
Mig21
Member
 
Registered: Jan 2005
Posts: 218

Rep: Reputation: 33
Executable format without +x permissions


Hi

I'm trying to think of a file format that will allow a downloaded file to be executed. I assume it's not possible to force +x permissions from the server for HTTP or FTP downloads.

One can download a shell script and run 'sh downloaded.sh' but for that one needs to be in a terminal and type the command.

Thanks
 
Old 10-05-2007, 07:22 AM   #2
choogendyk
Senior Member
 
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,194

Rep: Reputation: 105Reputation: 105
Sysadmins specifically try to prevent that sort of thing. It's a security breach. If the webserver process has write permission in a directory, then the +x can be set from the webserver (e.g. php or something else). But, typically, it is assumed that user intervention should be required to download an executable and then execute it. If you had it set up in a tarball or something like that, it could come out with the x. But, again, that should require user intervention to untar it.
 
Old 10-05-2007, 07:32 AM   #3
Mig21
Member
 
Registered: Jan 2005
Posts: 218

Original Poster
Rep: Reputation: 33
Yes I understand that it's what sysadmins want - but look at it from the point of view of the user. I can download a program and run it in Windows, I can do it on a Mac, why the hell not on Linux?

Say I'm a regular Joe with a regular machine (except it's running Linux). I don't have a sysadmin. I can't tell a terminal from the screensaver. I don't know how, or it's too much effort to use a program to extract the tarball. I don't like this linux thing?

I just finished writing a blog post about it: http://littlesvr.ca/grumble/2007/10/...te-a-download/
 
Old 10-05-2007, 07:39 AM   #4
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738
I'm not quite grasping the problem here....why can't you set the execute permission?

"Regular Joe" can install SW with the package manager. Little-known fact: With the modern Linux package management / repository scheme, installing SW is typically easier than on Windows.
 
Old 10-05-2007, 07:42 AM   #5
Mig21
Member
 
Registered: Jan 2005
Posts: 218

Original Poster
Rep: Reputation: 33
Quote:
I'm not quite grasping the problem here....why can't you set the execute permission?
Because I don't know there is such a thing. Again, think you're a regular Joe.

And the issue doesn't apply only to installers but to any executable file.
 
Old 10-05-2007, 08:36 AM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671
That feature is why viruses are able to proliferate on the Windows platform. It is simply a terrible idea. If you use windows, you know that an .exe file is an executable. It isn't any harder to know that in Linux you need to set the executable bit. Give users a little credit. They are as stupid as you think.
 
Old 10-05-2007, 08:49 AM   #7
Mig21
Member
 
Registered: Jan 2005
Posts: 218

Original Poster
Rep: Reputation: 33
Quote:
That feature is why viruses are able to proliferate on the Windows platform.
You're confused, because:
1: that feature doesn't seem to aid viruses in proliferating on Macs
2: you can already download a .deb file and that will run on a double-click and can do as much damage as an executable script

Quote:
If you use windows, you know that an .exe file is an executable. It isn't any harder to know that in Linux you need to set the executable bit. Give users a little credit. They are [not?] as stupid as you think.
It is a lot harder to learn to change permissions to a file and do it than learn to double-click on a file and do it. And it has nothing to with being stupid. Your're talking like a mechanic who thinks everyone who has a car needs to know how to change the oil.
 
Old 10-05-2007, 08:56 AM   #8
rjlee
Senior Member
 
Registered: Jul 2004
Distribution: Ubuntu 7.04
Posts: 1,991

Rep: Reputation: 76
If the user is a "regular Joe" as you put it, they probably do not know if the file is safe to run. In which case, they shouldn't be running it from the Web Browser in the first place. The poor implementations of Microsoft Windows security is hardly an argument here; if Windows lets an "average Joe" user do this, then it's broken. (Incidentally, a senior spokesman recently apologized for "letting users down" with the level of security in Windows XP while promoting Windows Vista).

I have read your blog post and think it's a very bad idea. Consider what would happen if someone put up a web-site with a script like "rm -rf $HOME/", and linked to it with something like "critical linux security fix; all users should download and run this now!". An average Joe would not be expected to read the script (you wouldn't do that on Windows, and anyway it could easily be an executable that you would have to disassemble to read).

Another problem is that file types are supposed to be determined by the contents of the file, not the last part of the filename (which is another limitation of Windows).

I still don't know why you want to do this, but a better solution would be to add an option like "Run program" to the icon's right-click menu, displaying a security warning to the user and offering them the chance of setting the execute bit on the file.

In the case of installing programs, a solution already exists; just put a Debian package or RPM file (of appropriate type for the OS) onto the page and link to that; the user will then be prompted to install the package with appropriate warnings already in place.
 
Old 10-05-2007, 08:56 AM   #9
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738
If I abuse and twist the definition, "Regular Joe" has one or more of the following attributes:
  • Does not know or care what an operating system is.
  • Thinks "computer" means Windows.
  • Regards anyone with a Mac or Linux as some kind of geek fringe.
  • Would never trust free software.
  • Would hire the "Geek Squad" or equivalent to install an external USB hard drive.
  • Might understand the impact of monopolies such as MS, but would never do anything about it.

I have limited interest in catering to this person.
 
Old 10-05-2007, 09:13 AM   #10
Mig21
Member
 
Registered: Jan 2005
Posts: 218

Original Poster
Rep: Reputation: 33
Quote:
If the user is a "regular Joe" as you put it, they probably do not know if the file is safe to run. In which case, they shouldn't be running it from the Web Browser in the first place. The poor implementations of Microsoft Windows security is hardly an argument here; if Windows lets an "average Joe" user do this, then it's broken. (Incidentally, a senior spokesman recently apologized for "letting users down" with the level of security in Windows XP while promoting Windows Vista).

I have read your blog post and think it's a very bad idea. Consider what would happen if someone put up a web-site with a script like "rm -rf $HOME/", and linked to it with something like "critical linux security fix; all users should download and run this now!". An average Joe would not be expected to read the script (you wouldn't do that on Windows, and anyway it could easily be an executable that you would have to disassemble to read).
I'm not sure I see your point. Are you saying users shouldn't be able to download and run programs at all? Or unless they are knowledgeable enough to... what?

I'm sure you didn't read the last configure script that you ran, or disassembled the last .deb/.rpm file you downloaded.

Quote:
Another problem is that file types are supposed to be determined by the contents of the file, not the last part of the filename (which is another limitation of Windows).
Hm.. good point. I'll have to investigate and find out how many file managers have this.. feature.

Quote:
I still don't know why you want to do this, but a better solution would be to add an option like "Run program" to the icon's right-click menu, displaying a security warning to the user and offering them the chance of setting the execute bit on the file.
I'm writing a virus muwhaha No, i have a project in mind that would need this to work and I'm still not sure if that project makes much sense; but regardless I think this is something that needs to be done.

As to the warning - indeed why not? The esh program in my blog doesn't have to be just a line of C, it can have a dialog in there that asks the user if they're sure. Would this be acceptable to the naysayers?

Quote:
If I abuse and twist the definition, "Regular Joe" has one or more of the following attributes:

* Does not know or care what an operating system is.
* Thinks "computer" means Windows.
* Regards anyone with a Mac or Linux as some kind of geek fringe.
* Would never trust free software.
* Would hire the "Geek Squad" or equivalent to install an external USB hard drive.
* Might understand the impact of monopolies such as MS, but would never do anything about it.
Except for the 'never trust' bullet that's the kind of user I'm talking about.

Quote:
I have limited interest in catering to this person.
That's fair, but I have a lot of interest in it since I'm looking for ways to significantly expand the Linux userbase - and that's not going to work if education in computer science is a requirement.
 
Old 10-05-2007, 09:43 AM   #11
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

Rep: Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738Reputation: 738
In the days of the Apple-II, the machine starts up (very quickly) and then the rectangular cursor blinks at you. If you want to--eg--run the word processor, you have to know to type "write". This does not require an education in computer science--only the ability to follow instructions.

For 99% of all Linux usage, your "Joe Sixpack" will only have to follow instructions as to where to find the package manager. On rare occassions, he might have to download and set execution privileges.

I really worry about someone who cannot follow a simple instruction such as:
open a terminal
type su
enter your password
type chmod +ux filename

To be sure, there are many in the world that won't do this, but don't tell me they can't Most people who say they can't learn something are really saying they don't want to. I can't help them.....
 
Old 10-06-2007, 08:22 PM   #12
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671
You are right about one thing. Double clicking on a debian or rpm package will install a precompiled binary.

You still need to be careful about where you obtain your software. Behavior on the web is the most important thing a user can do to prevent malware.

I still don't agree that Joe six pack can't understand the the idea of permissions. If they share files in windows, they deal with with ownerships and permissions. On a mac, you need to give permission to install a file. Also, an OS X mac is bsd based and so scripts need the same permissions changed as in Linux. A package manager in Linux will set the permissions for Joe six pack.
 
Old 10-06-2007, 11:36 PM   #13
Mig21
Member
 
Registered: Jan 2005
Posts: 218

Original Poster
Rep: Reputation: 33
I don't have a mac but I've been assured that one does not need to open a terminal to run a downloaded application on OSX.

Quote:
I still don't agree that Joe six pack can't understand the the idea of permissions. If they share files in windows, they deal with with ownerships and permissions.
I'm not talking about users who know how to share files on a network

I condensed what I found so far and put it on a webpage. I also made a prototype program to run shell scripts. Please see http://littlesvr.ca/uli/esh/
 
Old 10-07-2007, 12:58 AM   #14
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671Reputation: 671
Quote:
Originally Posted by Mig21 View Post
I don't have a mac but I've been assured that one does not need to open a terminal to run a downloaded application on OSX.


I'm not talking about users who know how to share files on a network

I condensed what I found so far and put it on a webpage. I also made a prototype program to run shell scripts. Please see http://littlesvr.ca/uli/esh/
If you use the package manager that comes with your distro, you don't need to open a terminal to download an application in Linux.

Some of the same source packages you might install for Linux will test for BSD in the configure phase. Some are cross platform and will install on windows as well. You may have the same "./configure", "make", "make install" steps. The difference being that the configure script produced a version of a makefile for the platform you have.

Often, there will be prepackaged debian or rpm packages prepared for packages that the distro doesn't provide. Such as mp3 enabled xmms or Audacity.

Last edited by jschiwal; 10-07-2007 at 01:05 AM.
 
Old 10-07-2007, 01:34 AM   #15
Mig21
Member
 
Registered: Jan 2005
Posts: 218

Original Poster
Rep: Reputation: 33
Quote:
If you use the package manager that comes with your distro, you don't need to open a terminal to download an application in Linux.

Some of the same source packages you might install for Linux will test for BSD in the configure phase. Some are cross platform and will install on windows as well. You may have the same "./configure", "make", "make install" steps. The difference being that the configure script produced a version of a makefile for the platform you have.

Often, there will be prepackaged debian or rpm packages prepared for packages that the distro doesn't provide. Such as mp3 enabled xmms or Audacity.
Yep - but like I say on the webpage the developer needs to learn to make a couple of .deb format packages, half a dozen .rpm formats, and another dozen random packages used by less popular distros. And then update all those packages for every release of the program.

esh is not for the popular software - it's for new software that didn't yet make it into the proper package format and into the distros' repositories.

Last edited by Mig21; 10-07-2007 at 01:59 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
gdb "not in executable format: File format not recognized" tcma Programming 9 07-18-2007 07:02 AM
Exec format error. binary file not executable. kaz2100 Linux - General 2 08-19-2006 06:26 PM
executable format... shifter Programming 9 05-15-2006 01:05 PM
executable file format arunka Programming 2 03-15-2006 06:24 AM
Executable format on Linux and FreeBSD llama_meme *BSD 1 10-02-2002 12:24 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 02:37 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration