Why does AntiX-19 want to Install "bubblewrap"?
(Forum: Official Releases › antiX-19 “Marielle Franco, Hannie Schaft, Manolis Glezos, Grup Yorum, Wobblies”)
This topic has 6 replies, 2 voices, and was last updated Nov 6, 3:09 pm by RobK88.
RobK88, Member, November 4, 2019 at 4:05 pm (#28965)
I just did a “sudo apt-get update” and “sudo apt-get upgrade”.
AntiX-19 now wants to install for the first time the package “bubblewrap” and a dependency “xdg-dbus-proxy”.
bubblewrap is described as a “setuid wrapper for unprivileged chroot and namespace manipulation.”
Does anyone know why AntiX-19 wants to install bubblewrap?
Aren’t there security issues with bubblewrap?
Anonymous, November 4, 2019 at 6:35 pm (#28978)
I just tested and, on a stock antiX 19 system, neither “sudo apt-get upgrade” nor “sudo apt dist-upgrade” attempts to install bubblewrap.
On your system, bubblewrap is perhaps required because you have installed nautilus file manager?
Aside from flatpak-packaged programs, very few packages (nautilus and only 2 or 3 others) depend on bubblewrap.
“Aren’t there security issues with bubblewrap?”
What specific issues? Did you read something about issues last year, seen in Ubuntu? in Manjaro?
Visit & read the issue tracker for the bubblewrap project, and the debian bugtracker for the bubblewrap package. That way you can determine for yourself whether any worrisome current issues exist for the as-packaged-for-debian-buster version.
Related issue:
For each flatpack’ed program that you choose to install, you should investigate whether its packaging config makes use of (enables) the available bubblewrap security features.
RobK88, Member, November 5, 2019 at 6:12 pm (#29022)
I found the culprit.
Debian / AntiX-19 wants to upgrade libwebkit2gtk-4.0-37. Unfortunately, libwebkit2gtk-4.0-37 now depends on bubblewrap.
So apt-get wants to install bubblewrap for the first time.
It is now hard to avoid bubblewrap since libwebkit2gtk-4.0-37 is a dependency for many packages including yelp.
In my view, bubblewrap does reduce the security of a Linux PC. bubblewrap lets unprivileged users use certain features not normally available to them. The developers of bubblewrap claim that unprivileged users are not able to open and use a root shell, unlike other similar programs.
According to the developers of bubblewrap (at https://github.com/containers/bubblewrap ):
Security
The maintainers of this tool believe that it does not, even when used in combination with typical software installed on that distribution, allow privilege escalation. It may increase the ability of a logged in user to perform denial of service attacks, however.
In particular, bubblewrap uses PR_SET_NO_NEW_PRIVS to turn off setuid binaries, which is the traditional way to get out of things like chroots.
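An added example (not from this thread and not bubblewrap's own code) of the PR_SET_NO_NEW_PRIVS behaviour the README excerpt above relies on: a small Linux C program that sets the flag from an unprivileged process, shows that the kernel refuses to clear it again, cross-checks the value in /proc/self/status, and shows that a forked child inherits it. The function names are my own; it assumes a Linux kernel with /proc mounted.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>

/* Current no_new_privs flag of the calling process: 0, 1, or -1 on error. */
int nnp_get(void) { return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0); }

/* Set the flag; no privilege is needed. Returns 0 on success. */
int nnp_set(void) { return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); }

/* The kernel accepts only arg2 == 1, so an attempt to clear the flag fails with
 * EINVAL and the flag stays set for the life of the process. Returns 1 if so. */
int nnp_is_sticky(void) {
    int rc = prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0);
    return (rc == -1 && nnp_get() == 1) ? 1 : 0;
}

/* Cross-check via the "NoNewPrivs:" line of /proc/self/status; -1 if absent. */
int nnp_from_proc(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256];
    int val = -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "NoNewPrivs:", 11) == 0) { val = atoi(line + 11); break; }
    fclose(f);
    return val;
}

/* The flag is inherited across fork() and execve(), which is why a setuid binary
 * run inside the sandbox keeps the caller's uid. Returns the child's view of it. */
int nnp_inherited_by_child(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(nnp_get() == 1 ? 1 : 0);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    int set = nnp_set();   /* must run first: everything below depends on it */
    printf("set=%d get=%d sticky=%d proc=%d child=%d\n", set, nnp_get(),
           nnp_is_sticky(), nnp_from_proc(), nnp_inherited_by_child());
    return 0;
}
```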
Anonymous, November 5, 2019 at 8:58 pm (#29026)
“Debian / AntiX-19 wants to upgrade libwebkit2gtk-4.0-37. Unfortunately, libwebkit2gtk-4.0-37 now depends on bubblewrap. So apt-get wants to install bubblewrap for the first time.”
Reiterating what I mentioned earlier, ZERO pre-installed antiX 19 programs depend on libwebkit2gtk. On YOUR system, would you please test “What would happen if I were to purge libwebkit2gtk? Which other installed packages would be removed due to their dependency on libwebkit2gtk?” (I’m curious to hear the result of your test.)
Yes, I see that yelp has a hard dependency on libwebkit2gtk. How many programs actually DEPEND on yelp, though? A couple that I’m familiar with (meld, swell-foop), their packages RECOMMEND yelp but do not actually depend on it. So, unless someone changes away from the default Install-Recommends=0 antiX apt policy, their system isn’t gonna wind up with yelp + webkitgtk2 + bubblewrap.
Infrequently, I have advocated appimage + firejail (rather than flatpak + bubblewrap) but their comparative track record of CVEs speaks otherwise:
CVEs for Firejail-Project
vs
CVEs for Projectatomic-Bubblewrap
I’ll just suggest “look at it this way”:
Whatever libwebkit2gtk-dependent program(s) you have prior to the apt upgrade operation, although they may gain zero actual benefit from the newly introduced bubblewrap dependency, having it in the mix probably adds minimal additional risk.
“bubblewrap uses PR_SET_NO_NEW_PRIVS to turn off setuid binaries”
We can certainly continue the discussion. I’ve attempted to ease your mind; I’m not “giving you the brushoff”.
How “technical” do you wanna get?
For now, I’ll just mention that while researching security practices “prior art” related to this commit
gitlab.com/skidoo/antix-viewer/commit/f85b4e…
I did carefully read through bubblewrap’s open+closed issue tickets and gained respect for the acumen reflected in the bubblewrap devs’ comments as well as within their code. Here’s one which is somewhat illustrative: github.com/…/bubblewrap/issues/312
RobK88, Member, November 6, 2019 at 7:40 am (#29036)
Skidoo, many thanks for your comments and taking the time to even look at open/closed tickets of bubblewrap!
I agree with you that the developers of bubblewrap are very aware of the security issues surrounding bubblewrap and do focus a lot of effort at reducing them.
As requested, below is the output of “sudo apt-get purge bubblewrap”:
sudo apt-get purge bubblewrap
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libgstreamer-gl1.0-0 libjavascriptcoregtk-4.0-18 python3-distro xdg-dbus-proxy yelp-xsl
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  bubblewrap* gnumeric-doc* libwebkit2gtk-4.0-37* libyelp0* yelp*
0 upgraded, 0 newly installed, 5 to remove and 0 not upgraded.
After this operation, 76.7 MB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.

It looks like gnumeric-doc is the real reason that I need bubblewrap. See below:

sudo apt-get purge yelp
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  bubblewrap libgstreamer-gl1.0-0 libjavascriptcoregtk-4.0-18 libwebkit2gtk-4.0-37 libyelp0 python3-distro xdg-dbus-proxy yelp-xsl
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  gnumeric-doc* yelp*
0 upgraded, 0 newly installed, 2 to remove and 0 not upgraded.
After this operation, 24.0 MB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.

So I will need to decide to either live without gnumeric-doc or live with gnumeric-doc / bubblewrap etc.
Anonymous, November 6, 2019 at 11:09 am (#29041)
Here’s a workaround (tested in antiX 19):
The following script will create and install a “dummy” package for yelp.
Afterward, you can install gnumeric and the *only loss is availability of its helpdocs via toolbar button.
(The user manual is available online anyhow: https://help.gnome.org/users/gnumeric/stable/gnumeric.html)
* I didn’t check ~~ does the gnumeric UI have context-sensitive (jump to specific manual section) helplinks? If so, those would also be non-functional.

#!/bin/bash
# Make sure the 'equivs' build helper is available; install it if not.
hash equivs-build || sudo apt install equivs
if [ $? -ne 0 ]; then
  echo -e "\n(perform apt update and)" \
    "install 'equivs' pkg, then rerun this script"
  exit 1
fi

# Build the dummy package in a scratch directory.
mkdir -p /tmp/bwow && cd /tmp/bwow
# Control file: "Provides: yelp" satisfies gnumeric-doc's dependency,
# "Conflicts: yelp" keeps the real yelp (and its libwebkit2gtk/bubblewrap
# chain) from being pulled in alongside it.
cat << EOF > yelp
Source: yelp-bogus
Section: misc
Priority: optional
Homepage:
Standards-Version: 3.9.2
Package: yelp-bogus
Version: 99.9
Maintainer: me <email@redact.ed>
Provides: yelp
Conflicts: yelp
Architecture: all
Description: baddabing baddaboom
EOF
equivs-build yelp                        # >/dev/null 2>&1
sudo dpkg -i yelp-bogus_99.9_all.deb     # >/dev/null 2>&1
cd .. && rm -Rf /tmp/bwow && echo -e "\n"

# Optionally remove the build helpers again.
read -s -p "cleanup? (purge 8MB buildhelper pkgs) [Y/n]" wantclean
case $wantclean in
  Y|y)
    ### This all-or-nothing commandstring is brittle ~~
    ### in the future it may fail if deps of 'equivs' pkg ever change
    sudo apt purge -y autoconf automake autopoint autotools-dev debhelper \
      dh-autoreconf dh-strip-nondeterminism dwz equivs fakeroot libtool m4 \
      libarchive-zip-perl libfakeroot libfile-stripnondeterminism-perl
    ;;
esac
exit 0

RobK88, Member, November 6, 2019 at 3:09 pm (#29045)
skidoo — many thanks for taking the time to create a dummy package for “yelp”. (I will use this dummy package as a template in case I need to create dummy packages for other situations).
Unfortunately, I will not need to use it. gnumeric-doc is not a dependency of gnumeric. It is an optional package.
I just purged gnumeric-doc and gnumeric runs just fine. But when one clicks on “help — Contents”, one gets this message:
Document Not Found
The URI ‘help:gnumeric/index’ does not point to a valid page.
So now I can purge yelp, bubblewrap etc.
(If one purges yelp, one will get the message you posted when one clicks “Help — Contents” in gnumeric.)
And as you said, if I need help, all the gnumeric help is available online via my web browser.
And I forgot to mention in my last post that I did not intend to imply that a stock antiX-19 installation required the bubblewrap package. I was just surprised that out of the blue, apt-get wanted to install it during a routine “apt-get upgrade”. Now I know why. The developers of one of the libraries being upgraded added a new dependency which ultimately required bubblewrap to be installed for the first time.
Again, thanks for all your help and understanding.