[bug] Debian packages are not compliant and dangerous
Describe the bug
I used the tool lintian, the official Debian linter, to check the compliance of the Tauri-generated .deb archives. Unfortunately, they contain not only some trivial issues, but also some security problems.
$ lintian target/release/bundle/deb/tauri-app_0.0.0_amd64.deb
E: tauri-app: control-file-has-bad-owner md5sums 1000/1000 != root/root (or 0/0)
E: tauri-app: control-file-has-bad-permissions md5sums 0664 != 0644
E: tauri-app: malformed-contact Maintainer you
E: tauri-app: missing-dependency-on-libc needed by usr/bin/tauri-app
E: tauri-app: no-changelog usr/share/doc/tauri-app/changelog.gz (native package)
E: tauri-app: no-copyright-file
E: tauri-app: unstripped-binary-or-object usr/bin/tauri-app
E: tauri-app: wrong-file-owner-uid-or-gid usr/ 1000/1000
E: tauri-app: wrong-file-owner-uid-or-gid usr/bin/ 1000/1000
E: tauri-app: wrong-file-owner-uid-or-gid usr/bin/tauri-app 1000/1000
E: tauri-app: wrong-file-owner-uid-or-gid ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: tauri-app: description-synopsis-starts-with-article
W: tauri-app: desktop-entry-lacks-main-category usr/share/applications/tauri-app.desktop
W: tauri-app: no-manual-page usr/bin/tauri-app
W: tauri-app: non-standard-dir-perm usr/ 0775 != 0755
W: tauri-app: non-standard-dir-perm usr/bin/ 0775 != 0755
W: tauri-app: non-standard-dir-perm usr/share/ 0775 != 0755
W: tauri-app: non-standard-dir-perm ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: tauri-app: non-standard-executable-perm usr/bin/tauri-app 0775 != 0755
W: tauri-app: non-standard-file-perm usr/share/applications/tauri-app.desktop 0664 != 0644
W: tauri-app: non-standard-file-perm usr/share/icons/hicolor/128x128/apps/tauri-app.png 0664 != 0644
W: tauri-app: non-standard-file-perm usr/share/icons/hicolor/256x256@2/apps/tauri-app.png 0664 != 0644
W: tauri-app: non-standard-file-perm ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: tauri-app: recommended-field tauri-app_0.0.0_amd64.deb Section
The security problem is that the binary installed in /usr/bin/ belongs to the user with id 1000, which is a normal user. This means that the user can replace the binary in /usr/bin/, and if it is run by root, we have a classic privilege escalation.
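To make the ownership problem checkable outside lintian, here is an added Python script (not Tauri or lintian code) that opens a .deb's ar container, walks control.tar and data.tar, and reports every entry that is not owned by uid/gid 0 or is group/world-writable, which are the conditions behind the wrong-file-owner-uid-or-gid, control-file-has-bad-owner and non-standard-*-perm tags above. `build_sample_deb` constructs a stand-in package in memory so the check runs offline; its paths and file contents are invented for the example and are not a real Tauri build.

```python
"""Audit a .deb for non-root ownership and group/world-writable modes.

Added example; not part of Tauri, dpkg or lintian.
"""
import io
import stat
import tarfile

AR_MAGIC = b"!<arch>\n"


def ar_members(blob):
    """Yield (name, data) for each member of the ar(1) archive that wraps a .deb.

    Header layout is fixed width: name[16] mtime[12] uid[6] gid[6] mode[8] size[10] fmag[2].
    """
    if not blob.startswith(AR_MAGIC):
        raise ValueError("not an ar archive")
    pos = len(AR_MAGIC)
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]
        if hdr[58:60] != b"`\n":
            raise ValueError("corrupt ar member header at offset %d" % pos)
        # GNU ar may write names with a trailing slash; dpkg accepts both forms.
        name = hdr[0:16].decode("ascii").rstrip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members start on even offsets


def audit_tar_member(label, data):
    """Return one finding per tar entry that is not root-owned or is group/world-writable."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for entry in tf:
            if entry.uid != 0 or entry.gid != 0:
                findings.append(f"{label}:{entry.name} owner {entry.uid}/{entry.gid} != 0/0")
            if entry.mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{label}:{entry.name} mode {entry.mode:04o} is group/world-writable")
    return findings


def audit_deb(blob):
    """Audit both the control archive (control, md5sums, ...) and the data archive (installed files)."""
    findings = []
    for name, data in ar_members(blob):
        if name.startswith(("control.tar", "data.tar")):
            findings.extend(audit_tar_member(name, data))
    return findings


def _tar_bytes(entries, uid, gid):
    """Build a gzipped tar from (path, mode, content-or-None-for-directory) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, mode, content in entries:
            info = tarfile.TarInfo(path)
            info.uid, info.gid, info.mode = uid, gid, mode
            if content is None:
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            else:
                info.size = len(content)
                tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def _ar_pack(members):
    """Write members into the ar container format that dpkg-deb uses."""
    out = bytearray(AR_MAGIC)
    for name, data in members:
        out += f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode("ascii")
        out += data
        if len(data) % 2:
            out += b"\n"  # pad to an even offset
    return bytes(out)


def build_sample_deb(uid, gid, dir_mode, file_mode, exe_mode):
    """Constructed stand-in for a bundled tauri-app .deb; contents are invented, not a real build."""
    control = _tar_bytes([
        ("./control", file_mode, b"Package: tauri-app\nVersion: 0.0.0\nArchitecture: amd64\n"),
        ("./md5sums", file_mode, b"<md5 placeholder>  usr/bin/tauri-app\n"),
    ], uid, gid)
    data = _tar_bytes([
        ("./usr/", dir_mode, None),
        ("./usr/bin/", dir_mode, None),
        ("./usr/bin/tauri-app", exe_mode, b"#!/bin/sh\necho placeholder binary\n"),
    ], uid, gid)
    return _ar_pack([("debian-binary", b"2.0\n"), ("control.tar.gz", control), ("data.tar.gz", data)])


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        for line in audit_deb(fh.read()) or ["ok: all entries root-owned and not group/world-writable"]:
            print(line)
```

Run it as `python3 audit_deb.py target/release/bundle/deb/tauri-app_0.0.0_amd64.deb`; a package built with uid/gid 1000 and 0775/0664 modes produces one owner and one mode finding per entry, while a package whose archives were written as root with 0755/0644 produces none. Ownership is read from the tar headers, so the check does not depend on the uid of whoever runs it.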
The created package is also not an official Debian package, so installing it to /usr/local/ would be much better to avoid overwriting other binaries. The sidecar binaries should be stored under /usr/local/lib/tauri-app/ anyway.
The list of system library dependencies is also incomplete, and not only because of "E: tauri-app: missing-dependency-on-libc needed by usr/bin/tauri-app": there are many more undeclared dependencies.
If I quickly insert the binary into an existing package built with the official tools (which automatically detected the libraries used), I get this list:
Depends: libc6 (>= 2.34), libcairo-gobject2 (>= 1.10.0), libcairo2 (>= 1.10.0), libgcc-s1 (>= 4.2), libgdk-pixbuf-2.0-0 (>= 2.36.9), libglib2.0-0 (>= 2.35.8), libgtk-3-0 (>= 3.21.4), libjavascriptcoregtk-4.0-18 (>= 2.38.6), libpango-1.0-0 (>= 1.14.0), libsoup2.4-1 (>= 2.4.0), libwebkit2gtk-4.0-37 (>= 2.21.1)
Most of these problems can be easily fixed; however, I'm not sure how much the effort is worth in the long run. For example, until there is a library written in Rust that recognizes library dependencies and converts them to Debian dependencies, Tauri will never achieve full compatibility.
From my point of view it would be much smarter to build a Debian configuration generator using all the Debian tricks (like "Depends: ${misc:Depends}, ${shlibs:Depends}" or #DEBHELPER#) and build the packages with the official tools. Of course this means that .deb packages can only be built on Debian based systems, but I've seen the same problems in other projects (Java, Python...) and it never becomes compliant otherwise.
Reproduction
No response
Expected behavior
No response
Platform and versions
[✔] Environment
- OS: Linux 22.04 X64
✔ webkit2gtk-4.0: 2.38.6
✔ rsvg2: 2.52.5
✔ rustc: 1.69.0 (84c898d65 2023-04-16)
✔ Cargo: 1.69.0 (6e9a83356 2023-04-12)
✔ rustup: 1.26.0 (5af9b9484 2023-04-05)
✔ Rust toolchain: stable-x86_64-unknown-linux-gnu (environment override by RUSTUP_TOOLCHAIN)
- node: 12.22.9
- npm: 8.5.1
[-] Packages
- tauri [RUST]: 1.3.0
- tauri-build [RUST]: 1.3.0
- wry [RUST]: 0.24.3
- tao [RUST]: 0.16.2
- @tauri-apps/api [NPM]: not installed!
- @tauri-apps/cli [NPM]: 1.3.1
[-] App
- build-type: bundle
- CSP: unset
- distDir: ../src
- devPath: ../src
Stack trace
No response
Additional context
No response