Web start sandboxing and security

Jacob Wisor gitne at gmx.de
Sat Dec 7 08:25:12 PST 2013


Hello!

Andy Lutomirski wrote:
> This is an attempt to turn bug #1264
> (http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1264) into a
> real discussion.
> 
> When I start a Java Web Start app, I get asked "Do you want to run the
> application?".  It is far from obvious what that means.  I
> researched it a bit, and AFAICT it means: if the application is signed
> (by anyone at all), then run it with full permissions; if the
> application is unsigned, then run it sandboxed.
> 
> This is an awful state of affairs.  For one thing, it means that I'd
> rather run an unsigned app than a signed app -- just because I believe
> that a certain company wrote the app does *not* mean that I want to
> trust that app with full rights to my computer.
> 
> There are several improvements that could be made:
> 
> 1. The dialog box could be much clearer.  It could say "Do you want to
> grant this application unrestricted access to your computer?" in the
> signed case and "Do you want to run this application?  It will not
> have access to your data." in the unsigned case.

Indeed, the text has some rather unfortunate wording (like many other messages 
in IcedTea-Web). But, as mentioned in another thread, I am uncomfortable with 
"unrestricted access to your computer" because it scares users away instead of 
actually helping them to assess the risk.

> 2. Even if the app is signed, there should still be a way to run it in
> the sandbox.  I've yet to encounter a JNLP app in the wild that has
> any legitimate reason to do anything other than access the internet,
> create some temporary files, and occasionally use the file picker.
> Let me run it in the sandbox, please.

I guess what you are asking for is a policytool. In fact, OpenJDK has a tool 
called "policytool" that lets you set up policies based e.g. on an app's codebase or 
its signature, and it works for apps as well as applets. But, that is just one part 
of the story...

I have never comprehended why Sun has put all that fancy permissions framework 
into Java but has not made it conveniently accessible to the average user, just 
like Android does. Not only has Sun's and now Oracle's JRE policytool not 
changed ever since, but it also lacks commercial grade quality. It is a pain to 
use, even for admins.

What I have always dreamed of for Java apps and applets is something similar 
to what Android does. The user starts an app or applet, gets a dialog box with all 
permissions the app or applet requests to check or uncheck, saves it, and the app 
or applet is ready to go. Saved permission settings could be reconfigured in 
Java's system control panel. That's it! I cannot think of a simpler workflow. 
Oh, and of course admins could also set up the permissions that users are able to 
set up, in order to prevent users from just giving the AllPermission permission to all 
apps. Really, Sun and now Oracle are here to blame because this has been on the 
list to be fixed for decades. It is a product design problem indeed.

Well, IcedTea-Web could provide such a workflow, at least for applets. The question 
is whether IcedTea-Web devs want to work on that. ;-)

Jacob
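As an added illustration (not from Jacob's post or from the IcedTea-Web project), the Java security policy file below shows what the policytool-style configuration discussed above looks like for Andy's two cases: the first grant reproduces the "signed means full permissions" behaviour he objects to, the second confines the same signed app to the network access and temporary files he says real JNLP apps actually need. The keystore path, signer alias and codebase URL are placeholders, not values from the thread.

```java
// Java security policy file (the format that policytool edits), added as an illustration.
// Keystore that holds the vendor's public certificate; path and alias are placeholders.
keystore "file:/etc/java/trusted-vendors.jks", "JKS";

// Weak: anything signed by the alias gets AllPermission, which is what
// "signed => run with full permissions" amounts to.
grant signedBy "examplevendor" {
    permission java.security.AllPermission;
};

// Restricted: the same signed app, limited to what a typical JNLP app needs.
// The codeBase clause additionally ties the grant to where the app was loaded from.
grant signedBy "examplevendor", codeBase "https://app.example.invalid/jnlp/-" {
    // Outbound connections to the app's own host only; no listening sockets.
    permission java.net.SocketPermission "app.example.invalid", "connect,resolve";
    // Scratch files confined to the temp directory (${/} expands to the path separator).
    permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete";
};
```

Policy grants are additive: the effective permission set for code is the union of every matching grant entry, so the restricted stanza only has effect once the AllPermission stanza is deleted. That is also why an admin-managed policy is needed if the goal is to stop users from handing AllPermission to every app, as Jacob notes.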

