Add safety to PackMan

Open Source C & C++ IDE for Windows

Brought to you by: claplace

#289 Add safety to PackMan

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2012-09-26

Created: 2004-08-09

Creator: Michal Molhanec

Private: No

The PackMan is IMHO quite dangerous tool: it places
files to system directories (I mean the <win> and <sys>
DevPackage rules) without asking user, it even rewrites
files there without asking user. And when the devpak is
uninstalled, it can delete the files from system
directory without asking. The PackMan should asks user
e.g. 'Do you want to install these files: .... into the
Windows system directory?'

Discussion

Marek Januszewski - 2004-10-08

Logged In: YES
user_id=609236

that can be easily solved by running as a user that cannot
write to arbitrary directories. packman will just fail to
write. Otherwise we would have to hardcode list of names of
directories to be warned about.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Michal Molhanec - 2004-10-08

Logged In: YES
user_id=828749

"that can be easily solved by running as a user that cannot
write to arbitrary directories. packman will just fail to
write."

99% of home users works with administrator privileges

"Otherwise we would have to hardcode list of names of
directories to be warned about."

no. we should simply warn about any files installed outside
dev-c++ directory

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Nobody/Anonymous - 2005-06-26

Logged In: NO

morons
that suck

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Nobody/Anonymous - 2006-06-07

Logged In: NO

no

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Nobody/Anonymous - 2007-04-19

Logged In: NO

HAllo du you schwul

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Nobody/Anonymous - 2007-05-07

Logged In: NO

Dev-C++ should not install any file outside of its folder. It should be able to run on its own, without requiring or adding files outside the base folder.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Nobody/Anonymous - 2009-03-17

This is a moot point...

An attacker could just write an executable so that when you execute it as part of compiling it does something malicious. Or even write something in a library that appears to the programmer as if it performs some useful function but instead installs the latest and greatest Internet worm. Heck, they could put it in code form, bury the virus or worm in the source code somewhere, and then when you go to compile and test you're screwed.

I'm afraid the original person is correct, the best way to do updates is by non-Admin user, but also all compilation, testing, and other tasks should be performed by non-Admin user. In the case of writing software that requires Admin access, use the "Run-As" command on your end-product.

The implications of compiling with Administrator access by a large portion of the user population is that the update option should detect Administrator access and provide a warning message to get the user to agree, and advise them of recommended coding practices before entering the update screens.

Otherwise, what this implies is that a member or members of the dev team or other qualified individuals should be required to review all dev packs before they are released. This is a question of professional ethics.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.