Klik to Zero Install

I've tried installing Klik twice in the past, but the site was down both times. A osnews.com article prompted me to try it again and this time I got it installed.

Klik's main advantage over Zero Install is the large number of packages available for it. Its main disadvantage is that it's totally insecure. However, I've written klik2zero, a little Python script that creates Zero Install packages automatically from Klik ones.

Introduction to Klik

When Klik is installed, following links of the form klik://prog in your browser triggers the Klik software to install and run the named program. Here is how it works (based on an Ethereal trace):

1. User clicks on a link like klik://cuyo.
2. Firefox runs Klik software automatically.
3. Klik contacts central Klik server and requests a shell script using a plain HTTP connection.
4. Server returns a shell script, possibly tailored for the requesting system, as identified by the user agent string.
5. Klik executes the script.
6. Script confirms the download with the user, creates a temporary directory, and fetches all required (binary) archives. Archives are unpacked into the temporary directory.
7. Searches all unpacked files for ones that look like programs. Searches each one for pathnames starting with /usr. Links any found path into the new directory. So, if a program seems to want /usr/lib/libfoo, then Klik will link /tmp/klik/.../usr/lib/libfoo to /usr/lib/libfoo. It then changes all paths starting with /usr to start with ./// (which works, because it's the same length).
8. Does various other things if required; seems to assume sudo is available if it needs it.
9. It then creates a wrapper script that changes to the script's directory, sets of load of environment variables (PATH, LD_LIBRARY_PATH, etc) and executes the program.
10. Finally, it bundles the whole thing up into either a ROX application directory or a .cmg disk image and stores it in the user's home directory.
11. During this process, it contacts the Klik server a couple more times; once near the start (to count the attempt) and once at the end (to record success).

To run the program, the .cmg image is mounted under /tmp and the wrapper script executed. This is possible because Klik adds a load of entries to /etc/fstab letting users mount loopback devices.

Security

Why is this totally insecure? For many reasons:

• The connection to the Klik server is not authenticated. Anyone on the same network can respond before the server, and send any script they like.
• Installation happens by following a link, which doesn't require user interaction.
• Key directories are made world-writeable during the install, so all users on a single machine can subvert it.

To make this more concrete, say you and I are in the same room ...

[ 2006-04-15: Description removed at the request of Klik's author; they're thinking about possible solutions. ]

To launch this attack, I don't need to know anything about you specifically. I can just walk around letting my laptop take control of the accounts of any nearby klik users who happen to be browsing the web at the time.

You could do something similar with Zero Install, but there are some key differences:

• You can't trigger something to run via Zero Install just by looking at a web page. You have to drag a link to the installer.
• If the software isn't signed with a trusted key, Zero Install will tell you that you don't trust the key and ask you to confirm it (NB: for naive users, we might need a 'kiosk' mode where only the admin can approve new keys)

Converting to Zero Install

However, we might be able to take advantage of Klik's automatic wrapper generation for Zero Install. The application directories it creates are self-contained and are supposed to be portable between systems. So, we can bundle them up and distribute using Zero Install if we're not too worried about the security risks of getting them in the first place (and, judging by the popularity of Klik, most people don't care). To use the klik2zero script, just give it the name of the package to get (from the klik:// URL). E.g. (Warning: run this in a sandbox!):

$ ./klik2zero gnubik

This generates three files:

• gnubik.tar.bz2 - archive with the files
• gnubik.xml - injector interface
• gnubik.png - icon

To make the software available through Zero Install:

1. Upload the icon and archive somewhere.
2. Edit gnubik.xml to give correct locations for them.
3. Test with:
   

   $ 0launch ./gnubik.xml

4. Set the uri attribute on the root to the interface's name and sign and upload, as described in the packaging guide:
   

   $ 0publish --gpgsign gnubik.xml
   $ mv gnubik.xml gnubik
   

I've put up a couple for you to play with (don't know how well they'll work on other systems; these were the first two I tried): Cuyo and Gnubik.