UPKG and dumb ideas...

freezr

freezr

A friend of mine, which is an hardcore OpenBSD user, it is also, among other stuff, a Windows Enterprise Fleet Administrator... Speaking about security he was explaining to me that, about security, Windows is the only (main) OS that allows user to install software into their users space without touching the whole system and without requiring, therefore, a privilege escalation.

We had terrific flame between us, more for fun than for the sake of the truth, actually I am the ignorant without proper educational background nor professional experience...

However I wonder if, since FreeBSD is technologically superior, it would be possible having a UPKG as alternative to PKG, where U stands for "User", and where, with a simple configuration file, the admin authorize specific user to install software locally in their home; at the end of the day storage is cheaper these days than ever before...

So I can tell to my friend that FreeBSD is superior as much as Windows... ?

p.s. please do not suspend my account... ? ?
 
I guess it heavily depends on what "allow user to install software to their user space" means.
Any operating system (including FreeBSD) allows a user to just "install" something into their home directory and running an executable that way. Installation boils down to copying some files from somewhere to somewhere else and potentially modifying some config, registry, environment variables or similar.
As long as the installed executable does not require some functionality for which the user doesn't have the necessary permissions this will work just fine.
From a purist point-of-view there is no difference between installing something to /usr/local/bin or to ~/bin.

The pkg(8) utility already allows installation to different locations via different options such as -r, -c or even to a jail with -j.

Whether this makes sense or not is of course a different discussion. My point is: In general, nothing prevents a user from just installing something "in their user space". And from this simplified point-of-view this applies to pretty much any OS.
 
You can do this on macOS.

You could probably do it on FreeBSD but I don't understand why anybody would spend any time to develop such a system. FreeBSD doesn't seem to care as much as macOS and Windows do about sealing the OS against user modification.
 
jbo said:
The pkg(8) utility already allows installation to different locations via different options such as -r, -c or even to a jail with -j.
Click to expand...
Yes. But to run an unmodified binary installed in a different prefix, you would need at least chroot(8) there, as most stuff will have paths hardcoded.

What should always work OTOH is build/install what you want from ports, setting PREFIX and LOCALBASE e.g. to /home/joe/ports and then add /home/joe/ports/bin to your PATH.

But yep, I don't really see the point either...
 
freezr said:
Speaking about security he was explaining to me that, about security, Windows is the only (main) OS that allows user to install software into their users space without touching the whole system and without requiring, therefore, a privilege escalation.
Click to expand...
You generally disable this in enterprise environments. Because it will allow users to install old and vulnerable versions of software. It will also allow the execution of 'unvetted' software, which, in a security conscious environment, you do not want to happen. Great that it's possible but a security nightmare from the start.

I can write a whole bunch of stuff in my Windows home directory at $DAYJOB. Can't execute a single thing though.

freezr said:
So I can tell to my friend that FreeBSD is superior as much as Windows...
Click to expand...
Maybe start by not seeing one as being 'superior' to the other. Different, yes, but that doesn't mean one is better than the other. You have to secure both systems and have to do this from the ground up.
 
zirias@ said:
Yes. But to run an unmodified binary installed in a different prefix, you would need at least chroot(8) there, as most stuff will have paths hardcoded.

What should always work OTOH is build/install what you want from ports, setting PREFIX and LOCALBASE e.g. to /home/joe/ports and then add /home/joe/ports/bin to your PATH.

But yep, I don't really see the point either...
Click to expand...

The point would be, as profane, that you don't touch the system, and if you want install anything else that is not already installed, simply you type without any special privileges: upkg install gimp packages, dependencies related, and bugs only lie on your home without affecting the whole system.
 
jbo said:
Hence I pointed to the -c parameter :)
Click to expand...
That's for how pkg carries out the installation (and is currently the safer choice as there are still package scripts not aware of a different installation root).

Still, to run the software, you'll need to do so in a chroot(8) as well in most cases.

freezr said:
The point would be, as profane, that you don't touch the system, and if you want install anything else that is not already installed, simply you type without any special privileges: upkg install gimp packages, dependencies related, and bugs only lie on your home without affecting the whole system.
Click to expand...
Don't worry, I perfectly understood what you want. And something like that would be "technically possible" for sure. The thing is, you can already install software to your home directory (as long as the admin didn't force it non-executable), you just have to do so manually, including building it in many cases.

I don't see much use for such a feature, so I certainly don't want to work on it, that's all.
 
jbo said:
I guess it heavily depends on what "allow user to install software to their user space" means.
[...]
Whether this makes sense or not is of course a different discussion. My point is: In general, nothing prevents a user from just installing something "in their user space". And from this simplified point-of-view this applies to pretty much any OS.
Click to expand...

I can't run pkg install without being root, can I? ?
 
SirDice said:
You generally disable this in enterprise environments. [...]
Click to expand...

Clearly this is something that even me can understand... ?

In some corps I used to work to have software I needed I used to work with portable apps... ?
 
zirias@ said:
Sure you can. -o INSTALL_AS_USER=true
Click to expand...

Cool!

So actually FreeBSD can already let user install software locally without invoking SU, therefore basically UPKG might be hypothetically a simple wrapper/alias to pkg -o INSTALL_AS_USER=true -c $path where a simple configuration file in home avoids you to write anytime that long command!

By they way thanks to all to allow me to ignite again the flame war with my friend!!! ?
 
I don't know if this is relevant.
www.geeksforgeeks.org

Fork() Bomb - GeeksforGeeks

A Computer Science portal for geeks. It contains well written, well thought and well explained computer science and programming articles, quizzes and practice/competitive programming/company interview Questions.
www.geeksforgeeks.org www.geeksforgeeks.org
 
freezr said:
By they way thanks to all to allow me to ignite again the flame war with my friend!!! ?
Click to expand...
That is your own takeaway/choosing. We're just here to answer questions.
Flamewars are not worth it. I'd recommend a constructive discussion instead. That also work well in an informal setting with a beer.
 
jbo said:
That is your own takeaway/choosing. We're just here to answer questions.
Flamewars are not worth it. I'd recommend a constructive discussion instead. That also work well in an informal setting with a beer.
Click to expand...

He asserted that only windows... But it wasn't true and as true friend I must let him know... ?
 
Anyway today I learned something very useful from a desktop perspective that is not mentioned in the handbook, and perhaps it is worthy to get a paragraph instead.
 
Brew, the main open source package manager on macOS and available on other platforms, operates that way. The install tree is owned by the user, not root.

It has several disadvantages that make me prefer the root install method.
 
People need general purpose computer to do general things and asking for permission takes too long or the answer is no, but you still need the "thing to do the thing", so...
 
You must log in or register to reply here.
Back
Top