webapps-applications removes package installation prompt

Bug #1061734 reported by Marc Deslauriers
This bug affects 5 people
Affects                         Status      Importance   Assigned to   Milestone
webapps-applications (Ubuntu)   Won't Fix   Critical     Unassigned
  Quantal                       Won't Fix   Critical     Unassigned

Bug Description

In bug 1035207, the security team was asked for permission to install webapps scripts without prompting the user for their password. Since this has a high impact on security, permission was granted if the following restrictions were adhered to:

1- Installing without a password is limited to users in the "admin" group.
2- The repository whitelist for aptdaemon is shipped in a separate "webapps"-named package, and not part of the aptdaemon package.
3- Up-to-date documentation for the exact steps required for auditing the security of contributed webapp scripts. This needs to be written by someone familiar with the intricacies of how the scripts are integrated in the browser security model and how the webapps functionality was implemented.
4- A webapp script security scanning tool that can detect basic security flaws, and can be updated with new flaws as they are discovered.
5- A policy in place to systematically audit new webapp scripts and improvements to existing webapp scripts using the documentation and the scanning tool before they are accepted into the repository.
6- Tracking of a "sign-off" procedure to determine when the security auditing of contributed scripts was performed, by whom, and with what revision of the auditing documentation and script.

webapps-applications (2.4.7-0ubuntu2) has been uploaded to Quantal, to permit a passwordless installation of webapps script, but I cannot find the location of requirements 3 to 6.

This change needs to be reverted until the proper requirements are put in place.

Changed in webapps-applications (Ubuntu Quantal):
importance: Undecided → Critical
Alexandre Abreu (abreu-alexandre) wrote :

- For point 3: here is the base of a document that is to be used for that; it needs a bit of cleaning up and improvement (based on some feedback I had), but it is a start.

https://docs.google.com/a/canonical.com/document/d/1Ny_W8LKfv_jFqh3UiBdvdpSoEdIc2HoEbCSr6C2XxKA/edit

- For point 4: we have a basic script that I will commit (and we can improve upon),

Robert Carr (robertcarr) wrote :

5 and 6 will be addressed through an autolanding scheme.

Movement of webapps from webapps-applications (or other) source tree to packaging branch (prior to upload) will only be allowed via an autolanding daemon which requires a security sign off + an automated run of the script. This will be logged. I'll get this scheme into place over the 24 hours or so.

Marc Deslauriers (mdeslaur) wrote :

OK, since the requirements are on track to be addressed, the change can be left in Quantal. Thanks!

Changed in webapps-applications (Ubuntu Quantal):
status: New → Confirmed
Changed in webapps-applications (Ubuntu Quantal):
status: Confirmed → Won't Fix
Changed in webapps-applications (Ubuntu):
status: Confirmed → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.
