Why does AntiX-19 want to Install "bubblewrap"?


This topic contains 6 replies, has 2 voices, and was last updated by RobK88 Nov 6-3:09 pm.

  • #28965
    RobK88

    I just did a “sudo apt-get update” and “sudo apt-get upgrade”.

    AntiX-19 now wants to install for the first time the package “bubblewrap” and a dependency “xdg-dbus-proxy”.

    bubblewrap is described as a “setuid wrapper for unprivileged chroot and namespace manipulation.”

    Does anyone know why AntiX-19 wants to install bubblewrap?

    Aren’t there security issues with bubblewrap?

    #28978
    skidoo

    I just tested and, on a stock antiX 19 system, neither “sudo apt-get upgrade” nor “sudo apt dist-upgrade” attempts to install bubblewrap.

    On your system, bubblewrap is perhaps required because you have installed nautilus file manager?
    Aside from flatpak-packaged programs, very few packages (nautilus and only 2 or 3 others) depend on bubblewrap.

    “Aren’t there security issues with bubblewrap?”
    What specific issues? Did you read something about issues last year, seen in Ubuntu? in Manjaro?
    Visit & read the issue tracker for the bubblewrap project, and the debian bugtracker for the bubblewrap package. That way you can determine for yourself whether any worrisome current issues exist for the as-packaged-for-debian-buster version.

    related issue:
    For each flatpak'ed program that you choose to install, you should investigate whether its packaging config makes use of (enables) the available bubblewrap security features.

    #29022
    RobK88

    I found the culprit.

    Debian / AntiX-19 wants to upgrade libwebkit2gtk-4.0-37. Unfortunately, libwebkit2gtk-4.0-37 now depends on bubblewrap.
    So apt-get wants to install bubblewrap for the first time.

    It is now hard to avoid bubblewrap since libwebkit2gtk-4.0-37 is a dependency for many packages including yelp.

    In my view, bubblewrap does reduce the security of a Linux PC. bubblewrap lets unprivileged users use certain features not normally available to them. The developers of bubblewrap claim that unprivileged users are not able to open and use a root shell, unlike other similar programs.

    According to the developers of bubblewrap (at https://github.com/containers/bubblewrap ):

    Security

    The maintainers of this tool believe that it does not, even when used in combination with typical software installed on that distribution, allow privilege escalation. It may increase the ability of a logged in user to perform denial of service attacks, however.

    In particular, bubblewrap uses PR_SET_NO_NEW_PRIVS to turn off setuid binaries, which is the traditional way to get out of things like chroots.

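The two claims quoted above (bwrap is a setuid wrapper; it sets PR_SET_NO_NEW_PRIVS inside the sandbox) are things you can verify on your own box rather than take on faith. The script below is an added example written for this page, not code from the thread or from the bubblewrap project. It assumes the Debian package installs the binary at /usr/bin/bwrap (that path is an assumption; adjust it if yours differs) and uses GNU stat. The Debian-kernel sysctl kernel.unprivileged_userns_clone is read only if it exists, since upstream kernels do not have it.

```shell
#!/bin/sh
# Added example (not from the thread or the bubblewrap project):
# audit how bwrap is installed and whether NoNewPrivs is really set
# inside a sandbox. Assumes /usr/bin/bwrap (Debian's path) and GNU stat.

# 1. Does a file carry the setuid bit? Exit status 0 means yes.
has_setuid() {
    [ -u "$1" ]
}

# 2. Read a /proc/<pid>/status text on stdin and print the NoNewPrivs
#    value ("0" or "1"); prints "unknown" on kernels without the field.
nnp_from_status() {
    awk '/^NoNewPrivs:/ { print $2; found = 1 }
         END { if (!found) print "unknown" }'
}

# 3. Debian-specific sysctl: 1 = unprivileged user namespaces allowed,
#    0 = only root (so a non-setuid bwrap cannot work), "absent" =
#    not a Debian kernel, userns are allowed unconditionally.
userns_clone_sysctl() {
    f=/proc/sys/kernel/unprivileged_userns_clone
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

# 4. Put it together: report mode, local overrides, sysctl, and the
#    NoNewPrivs flag observed from inside a throwaway sandbox.
audit_bwrap() {
    bw=${1:-/usr/bin/bwrap}
    if [ ! -x "$bw" ]; then
        echo "$bw is not installed"; return 1
    fi
    if has_setuid "$bw"; then
        echo "$bw is setuid (mode $(stat -c %a "$bw"), owner $(stat -c %U "$bw"))"
    else
        echo "$bw is NOT setuid; it relies on unprivileged user namespaces"
    fi
    # A local admin may have changed the mode; dpkg records that here.
    dpkg-statoverride --list "$bw" 2>/dev/null
    echo "kernel.unprivileged_userns_clone = $(userns_clone_sysctl)"
    # Run cat inside a minimal sandbox and read its own status file.
    nnp=$("$bw" --ro-bind / / --proc /proc --dev /dev --unshare-all \
              cat /proc/self/status 2>/dev/null | nnp_from_status)
    echo "NoNewPrivs inside sandbox: $nnp (empty sandbox run = bwrap failed to start)"
}

# Run the audit only when executed as a script, so the functions can be sourced.
case "$0" in
    */audit_bwrap.sh|audit_bwrap.sh) audit_bwrap "$@" ;;
esac
```

Save as audit_bwrap.sh and run it as the ordinary (non-root) user whose exposure you care about. A value of 1 for NoNewPrivs is what the quoted security note promises: once set, no execve inside the sandbox can regain privileges through setuid binaries, which is why the traditional chroot escapes do not apply.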
    #29026
    skidoo

    Debian / AntiX-19 wants to upgrade libwebkit2gtk-4.0-37. Unfortunately, libwebkit2gtk-4.0-37 now depends on bubblewrap.
    So apt-get wants to install bubblewrap for the first time.

    Reiterating what I mentioned earlier, ZERO pre-installed antiX 19 programs depend on libwebkit2gtk. On YOUR system, would you please test “What would happen if I were to purge libwebkit2gtk? which other installed packages would be removed due to their dependency on libwebkit2gtk?” (I’m curious to hear the result of your test)

    Yes, I see that yelp has a hard dependency on libwebkit2gtk. How many programs actually DEPEND on yelp, though? A couple that I’m familiar with (meld, swell-foop), their packages RECOMMEND yelp but do not actually depend on it. So, unless someone changes away from the default Install-Recommends=0 antiX apt policy, their system isn’t gonna wind up with yelp + webkitgtk2 + bubblewrap.

    Infrequently, I have advocated appimage + firejail (rather than flatpak + bubblewrap) but their comparative track record of CVEs speaks otherwise:
    CVEs for Firejail-Project
    vs
    CVEs for Projectatomic-Bubblewrap

    I’ll just suggest “look at it this way”:
    Whatever libwebkit2gtk-dependent program(s) you have prior to the apt upgrade operation, although they may gain zero actual benefit from the newly introduced bubblewrap dependency, having it in the mix probably adds minimal additional risk.

    bubblewrap uses PR_SET_NO_NEW_PRIVS to turn off setuid binaries

    We can certainly continue the discussion. I’ve attempted to ease your mind; I’m not “giving you the brushoff”.
    How “technical” do you wanna get?
    For now, I’ll just mention that while researching security practices “prior art” related to this commit
    gitlab.com/skidoo/antix-viewer/commit/f85b4e…
    I did carefully read through bubblewrap’s open+closed issue tickets and gained respect for the acumen reflected in the bubblewrap devs’ comments as well as within their code. Here’s one which is somewhat illustrative: github.com/…/bubblewrap/issues/312

    #29036
    RobK88

    Skidoo, many thanks for your comments and taking the time to even look at open/closed tickets of bubblewrap!

    I agree with you that the developers of bubblewrap are very aware of the security issues surrounding bubblewrap and do focus a lot of effort at reducing them.

    As requested, below is the output of “sudo apt-get purge bubblewrap”:

    sudo apt-get purge bubblewrap
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    The following packages were automatically installed and are no longer required:
      libgstreamer-gl1.0-0 libjavascriptcoregtk-4.0-18 python3-distro xdg-dbus-proxy yelp-xsl
    Use 'sudo apt autoremove' to remove them.
    The following packages will be REMOVED:
      bubblewrap* gnumeric-doc* libwebkit2gtk-4.0-37* libyelp0* yelp*
    0 upgraded, 0 newly installed, 5 to remove and 0 not upgraded.
    After this operation, 76.7 MB disk space will be freed.
    Do you want to continue? [Y/n] n
    Abort.

    It looks like gnumeric-doc is the real reason that I need bubblewrap. see below:

    sudo apt-get purge yelp
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    The following packages were automatically installed and are no longer required:
      bubblewrap libgstreamer-gl1.0-0 libjavascriptcoregtk-4.0-18 libwebkit2gtk-4.0-37 libyelp0 python3-distro
      xdg-dbus-proxy yelp-xsl
    Use 'sudo apt autoremove' to remove them.
    The following packages will be REMOVED:
      gnumeric-doc* yelp*
    0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
    After this operation, 24.0 MB disk space will be freed.
    Do you want to continue? [Y/n] n
    Abort.

    So I will need to decide to either live without gnumeric-doc or live with gnumeric-doc / bubblewrap etc.

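The question skidoo asks in #29026 ("which installed packages would go away if I purged this?") and the simulated purges RobK88 pastes in #29036 are both answerable with stock apt tooling, without touching the package database. The script below is an added example for this page, not code posted in the thread: it walks the installed reverse-dependency chain from a package up to the packages you actually asked for (following hard Depends only, which is what matters on antiX with its Install-Recommends=0 policy), parses the dry-run output of apt-get -s purge into a plain package list, and reports whether one package Depends on, Recommends, or Suggests another. Package names used in the usage section are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): trace why apt wants a package,
# and what a purge would take with it, using only apt-cache/apt-mark
# and a dry run. Nothing here modifies the system.

# Print "pkg <- rdep <- rdep ..." chains, following only hard Depends
# among installed packages, and stop at manually installed packages
# (the ones you actually asked for). Depth-limited to avoid cycles.
why_installed() {
    pkg=$1; chain=${2:-$1}; depth=${3:-0}
    if [ "$depth" -gt 6 ]; then echo "$chain <- ..."; return; fi
    rdeps=$(apt-cache rdepends --installed --no-recommends --no-suggests \
                --no-conflicts --no-breaks --no-replaces --no-enhances "$pkg" \
            | tail -n +3 | sed 's/^ *|*//')
    if [ -z "$rdeps" ] || apt-mark showmanual "$pkg" | grep -qx "$pkg"; then
        echo "$chain"; return
    fi
    for r in $rdeps; do
        why_installed "$r" "$chain <- $r" $((depth + 1))
    done
}

# Read "apt-get -s purge <pkg>" output on stdin and print the packages
# that would be removed, one per line, without the trailing "*" that
# apt uses to mark a purge.
removed_by_purge() {
    awk '/^The following packages will be REMOVED:/ { grab = 1; next }
         /^[^ ]/ { grab = 0 }
         grab { for (i = 1; i <= NF; i++) { sub(/\*$/, "", $i); print $i } }'
}

# Does package $1 Depend on, Recommend, or Suggest package $2?
# Prints the matching field name(s); prints nothing if unrelated.
dep_kind() {
    apt-cache show "$1" 2>/dev/null \
    | awk -v d="$2" '/^(Depends|Recommends|Suggests):/ { if (index($0, d)) print $1 }' \
    | sed 's/:$//' | sort -u
}

# Is apt configured to pull in Recommends on this system?
recommends_policy() {
    apt-config dump | grep -i 'APT::Install-Recommends '
}

case "$0" in
    */apt_why.sh|apt_why.sh)
        echo "== policy";              recommends_policy
        echo "== chains to bubblewrap"; why_installed bubblewrap
        echo "== gnumeric -> gnumeric-doc is:"; dep_kind gnumeric gnumeric-doc
        echo "== gnumeric-doc -> yelp is:";     dep_kind gnumeric-doc yelp
        echo "== a purge of bubblewrap would remove:"
        apt-get -s purge bubblewrap | removed_by_purge
        ;;
esac
```

Save as apt_why.sh and run it unprivileged; apt-get -s needs no root. The chain output is what tells you whether a newly appearing package is riding in on a library upgrade (as here) or on something you installed deliberately, and dep_kind tells you whether dropping the last link in the chain costs you a feature (Depends) or only a recommendation.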
    #29041
    skidoo

    Here’s a workaround (tested in antiX 19):

    The following script will create and install a “dummy” package for yelp.

    Afterward, you can install gnumeric and the *only loss is availability of its helpdocs via toolbar button.
    (user manual is available online anyhow: https://help.gnome.org/users/gnumeric/stable/gnumeric.html)

    * I didn’t check ~~ does the gnumeric UI have context-sensitive (jump to specific manual section) helplinks?
    If so, those would also be non-functional.

    #!/bin/bash
    # Build and install an empty "yelp-bogus" package that Provides/Conflicts
    # yelp, so a package that merely Depends on "yelp" (gnumeric-doc here)
    # can be installed without dragging in yelp -> libwebkit2gtk -> bubblewrap.
    hash equivs-build 2>/dev/null || sudo apt install equivs
    if ! hash equivs-build 2>/dev/null; then
      echo -e "\n(perform apt update and) install 'equivs' pkg, then rerun this script"
      exit 1
    fi
    
    mkdir -p /tmp/bwow && cd /tmp/bwow || exit 1
    # equivs control file; an empty Homepage: field is omitted on purpose,
    # dpkg rejects empty field values.
    cat << EOF > yelp
    Source: yelp-bogus
    Section: misc
    Priority: optional
    Standards-Version: 3.9.2
    
    Package: yelp-bogus
    Version: 99.9
    Maintainer: me <email@redact.ed>
    Provides: yelp
    Conflicts: yelp
    Architecture: all
    Description: baddabing baddaboom
     dummy package that satisfies dependencies on yelp
    EOF
    
    equivs-build yelp # >/dev/null 2>&1
    sudo dpkg -i yelp-bogus_99.9_all.deb # >/dev/null 2>&1
    cd /tmp && rm -Rf /tmp/bwow && echo -e "\n"
    
    # (-s dropped from read so the typed answer is visible)
    read -p "cleanup? (purge 8MB buildhelper pkgs) [Y/n] " wantclean
    case $wantclean in Y|y)
      ###  This all-or-nothing commandstring is brittle ~~
      ###    in the future it may fail if deps of 'equivs' pkg ever change
      sudo apt purge -y autoconf automake autopoint autotools-dev debhelper \
       dh-autoreconf dh-strip-nondeterminism dwz equivs fakeroot libtool m4 \
       libarchive-zip-perl libfakeroot libfile-stripnondeterminism-perl ;;
    esac
    exit 0

    #29045
    RobK88

    skidoo — many thanks for taking the time to create a dummy package for “yelp”. (I will use this dummy package as a template in case I need to create dummy packages for other situations).

    Unfortunately, I will not need to use it. gnumeric-doc is not a dependency of gnumeric. It is an optional package.
    I just purged gnumeric-doc and gnumeric runs just fine. But when one clicks on “help — Contents”, one gets this message:

    Document Not Found
    The URI ‘help:gnumeric/index’ does not point to a valid page.

    So now I can purge yelp, bubblewrap etc.
    (If one purges yelp, one will get the message you posted when one clicks “Help — Contents” in gnumeric).

    And as you said, if I need help, all the gnumeric help is available online via my web browser.

    And I forgot to mention in my last post that I did not intend to imply that a stock antiX-19 installation required the bubblewrap package. I was just surprised that out of the blue, apt-get wanted to install it during a routine “apt-get upgrade”. Now I know why. The developers of one of the libraries being upgraded added a new dependency which ultimately required bubblewrap to be installed for the first time.

    Again, thanks for all your help and understanding.

