
Klik to Zero Install

I've tried installing Klik twice in the past, but the site was down both times. An article prompted me to try it again and this time I got it installed.

Klik's main advantage over Zero Install is the large number of packages available for it. Its main disadvantage is that it's totally insecure. However, I've written klik2zero, a little Python script that creates Zero Install packages automatically from Klik ones.

Introduction to Klik

When Klik is installed, following links of the form klik://prog in your browser triggers the Klik software to install and run the named program. Here is how it works (based on an Ethereal trace):

  1. User clicks on a link like klik://cuyo.
  2. Firefox runs Klik software automatically.
  3. Klik contacts central Klik server and requests a shell script using a plain HTTP connection.
  4. Server returns a shell script, possibly tailored for the requesting system, as identified by the user agent string.
  5. Klik executes the script.
  6. Script confirms the download with the user, creates a temporary directory, and fetches all required (binary) archives. Archives are unpacked into the temporary directory.
  7. It searches all unpacked files for ones that look like programs, and searches each of those for pathnames starting with /usr. Any path found is linked into the new directory. So, if a program seems to want /usr/lib/libfoo, then Klik will link /tmp/klik/.../usr/lib/libfoo to /usr/lib/libfoo. It then changes all paths starting with /usr to start with ./// (which works, because it's the same length).
  8. It does various other things if required; it seems to assume sudo is available when it needs it.
  9. It then creates a wrapper script that changes to the script's directory, sets a load of environment variables (PATH, LD_LIBRARY_PATH, etc) and executes the program.
  10. Finally, it bundles the whole thing up into either a ROX application directory or a .cmg disk image and stores it in the user's home directory.
  11. During this process, it contacts the Klik server a couple more times; once near the start (to count the attempt) and once at the end (to record success).

To run the program, the .cmg image is mounted under /tmp and the wrapper script executed. This is possible because Klik adds a load of entries to /etc/fstab letting users mount loopback devices.


Why is this totally insecure? For many reasons:

  • The connection to the Klik server is not authenticated. Anyone on the same network can respond before the server, and send any script they like.
  • Installation happens by following a link, which doesn't require user interaction.
  • Key directories are made world-writable during the install, so all users on a single machine can subvert it.

To make this more concrete, say you and I are in the same room ...

[ 2006-04-15: Description removed at the request of Klik's author; they're thinking about possible solutions. ]

To launch this attack, I don't need to know anything about you specifically. I can just walk around letting my laptop take control of the accounts of any nearby klik users who happen to be browsing the web at the time.

You could do something similar with Zero Install, but there are some key differences:

  • You can't trigger something to run via Zero Install just by looking at a web page. You have to drag a link to the installer.
  • If the software isn't signed with a trusted key, Zero Install will tell you that you don't trust the key and ask you to confirm it (NB: for naive users, we might need a 'kiosk' mode where only the admin can approve new keys).

Converting to Zero Install

However, we might be able to take advantage of Klik's automatic wrapper generation for Zero Install. The application directories it creates are self-contained and are supposed to be portable between systems. So, we can bundle them up and distribute them using Zero Install if we're not too worried about the security risks of getting them in the first place (and, judging by the popularity of Klik, most people don't care). To use the klik2zero script, just give it the name of the package to get (from the klik:// URL). E.g. (Warning: run this in a sandbox!):

$ ./klik2zero gnubik

This generates three files:

  • gnubik.tar.bz2 - archive with the files
  • gnubik.xml - injector interface
  • gnubik.png - icon

To make the software available through Zero Install:

  1. Upload the icon and archive somewhere.
  2. Edit gnubik.xml to give correct locations for them.
  3. Test with:
    $ 0launch ./gnubik.xml
  4. Set the uri attribute on the root to the interface's name and sign and upload, as described in the packaging guide:
    $ 0publish --gpgsign gnubik.xml
    $ mv gnubik.xml gnubik

I've put up a couple for you to play with (don't know how well they'll work on other systems; these were the first two I tried): Cuyo and Gnubik.

great work!

That is very interesting, like the 0install concept itself. I can't wait for a '0buntu' distro, using 0install instead of apt...
For this it would be necessary (I think) to automate conversion from .deb to 'zero', like what you have already done with klik2zero.
Is this possible? It seems that if so, a 0install Debian/Ubuntu will be very easy to make.

thanks again for your work, and greetings from Valencia-Spain!

What is needed to run it?

I tried to use klik2zero but got the following message:
Xlib: connection to ":0.0" refused by server
Xlib: No protocol specified

kdialog: cannot connect to X server :0.0
Traceback (most recent call last):
File "/root/klik20install/klik2zero", line 32, in ?
appdirname = os.listdir('Apps')[0]
IndexError: list index out of range

It seems to me that I need a system with klik installed?

BTW, nice work, and I really love 0install, so I'd love to have klik2zero working.

klik2zero requires X

The script returned by the klik server is trying to display a dialog box confirming that you want to install it, but it can't connect to an X server.

any fix?

Hmm... I tested in X from a virtual console with "kdialog --sorry "test"" and the dialog does pop up in X.

Do you have any idea to go about it? Thanks.

Fixed - know the answer.

The reason is that the Linux system needs to have Klik installed in order for klik2zero to work :)

I got a copy of Kanotix and made use of it... wonderful, now I can convert most of the apps in klik to 0install!

Thanks for this kool tool, cheers!

hi you need to disable the

Hi, you need to disable the access control for X by typing "xhost +" (without the quotes); when done, remember to set it back with
"xhost -" (again without the quotes). Then it should work fine.


Interesting... I like your application; very similar end result to klik.

I'm guessing the autoinstall problem could be blocked by doing something like FF does with its extension install, with its "cool down" period.

Plash + FUSE is looking promising as well, as it would sandbox the entire thing, ensuring your entire system is safe.
