#289 Add safety to PackMan

open
nobody
None
5
2012-09-26
2004-08-09
No

The PackMan is IMHO quite dangerous tool: it places
files to system directories (I mean the <win> and <sys>
DevPackage rules) without asking user, it even rewrites
files there without asking user. And when the devpak is
uninstalled, it can delete the files from system
directory without asking. The PackMan should asks user
e.g. 'Do you want to install these files: .... into the
Windows system directory?'

Discussion

  • Marek Januszewski

    Logged In: YES
    user_id=609236

    that can be easily solved by running as a user that cannot
    write to arbitrary directories. packman will just fail to
    write. Otherwise we would have to hardcode list of names of
    directories to be warned about.

     
  • Michal Molhanec

    Michal Molhanec - 2004-10-08

    Logged In: YES
    user_id=828749

    "that can be easily solved by running as a user that cannot
    write to arbitrary directories. packman will just fail to
    write."

    99% of home users works with administrator privileges

    "Otherwise we would have to hardcode list of names of
    directories to be warned about."

    no. we should simply warn about any files installed outside
    dev-c++ directory

     
  • Nobody/Anonymous

    Logged In: NO

    morons
    that suck

     
  • Nobody/Anonymous

    Logged In: NO

    no

     
  • Nobody/Anonymous

    Logged In: NO

    HAllo du you schwul

     
  • Nobody/Anonymous

    Logged In: NO

    Dev-C++ should not install any file outside of its folder. It should be able to run on its own, without requiring or adding files outside the base folder.

     
  • Nobody/Anonymous

    This is a moot point...

    An attacker could just write an executable so that when you execute it as part of compiling it does something malicious. Or even write something in a library that appears to the programmer as if it performs some useful function but instead installs the latest and greatest Internet worm. Heck, they could put it in code form, bury the virus or worm in the source code somewhere, and then when you go to compile and test you're screwed.

    I'm afraid the original person is correct, the best way to do updates is by non-Admin user, but also all compilation, testing, and other tasks should be performed by non-Admin user. In the case of writing software that requires Admin access, use the "Run-As" command on your end-product.

    The implications of compiling with Administrator access by a large portion of the user population is that the update option should detect Administrator access and provide a warning message to get the user to agree, and advise them of recommended coding practices before entering the update screens.

    Otherwise, what this implies is that a member or members of the dev team or other qualified individuals should be required to review all dev packs before they are released. This is a question of professional ethics.

     

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:





No, thanks