The "Security Approval Required" dialog is inflexible and misses the point

Andrew Lutomirski andy at luto.us
Tue Jan 22 11:18:24 PST 2013


This is moved from Bug 1264
(http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1264).  The
original bug is:

> It is not at all obvious what "Do you want to run the application?"
> means.  I researched it a bit, and AFAICT it means: if the application
> is signed (by anyone at all), then run it with full permissions; if the
> application is unsigned, then run it sandboxed.
>
> If this is correct, then:
>
> 1. The dialog box should say so.  If the app is signed, then it should
> ask if you want to give the app full, unrestricted access to your
> computer.  If the app is unsigned, it should ask you if you want to run
> the app in the sandbox.
>
> 2. Even if the app is signed, there should still be a way to run it in
> the sandbox.  I've yet to encounter a JNLP app in the wild that has any
> legitimate reason to do anything other than access the internet, create
> some temporary files, and occasionally use the file picker.  Let me run
> it in the sandbox, please.

Here's a mockup of a possible improvement (as plain text):

--------------------------------------------------------

Title: Security Approval Required

Big box on top: This application is requesting unrestricted access to
your computer.  Do you want to grant this access?

Name: <name of app>

Publisher: <publisher>

This application is digitally signed by the publisher.  The signature
has been validated by a trusted source.  [More Information...]

From: <url>

Checkbox: Always grant unrestricted access to applications by this publisher

Button: Run with unrestricted access
Button: Run without unrestricted access
Button: Do not run

Note: If you run without unrestricted access, the application may
malfunction or crash.

--------------------------------------------------------

The two major improvements over the current dialog box are:

1. With the current dialog box, there's no indication that the mere
presence of the signature means that the application would run outside
the sandbox.  This is even worse than the old ActiveX crud.  I used to
have illusions that java applets and JWS applications were supposed to
be safe (assuming there are no security bugs involved).  This is
simply not true for signed JWS apps.

2. The apps I use the most have no legitimate reasons at all to have
any access to my local machine, other than the kind of access allowed
within the sandbox.  I'd like to try running them inside the sandbox.

Thoughts?

--Andy
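The point in item 1, that a signed JWS application runs with full permissions unless it is sandboxed, is normally driven by the JNLP file: a `<security><all-permissions/></security>` element asks for unrestricted access, and omitting the element keeps the app in the sandbox. The sketch below is an added example, not code from this post or from the IcedTea project, showing how an application can detect which of the two it was granted and degrade gracefully instead of crashing, which is the failure mode the mockup's note warns about. The settings file path is constructed for illustration; `SandboxAwareApp`, `hasUnrestrictedAccess` and `isGranted` are names assumed here.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.AllPermission;
import java.security.Permission;
import java.util.PropertyPermission;

/**
 * Detects whether this Web Start application is running with the
 * "unrestricted access" the dialog grants to approved signed apps, or
 * inside the sandbox, and adapts instead of crashing when sandboxed.
 */
public class SandboxAwareApp {

    /** True when AllPermission is held (signed and approved), false when sandboxed. */
    public static boolean hasUnrestrictedAccess() {
        return isGranted(new AllPermission());
    }

    /** Probes a single permission without throwing, so callers can branch on it. */
    public static boolean isGranted(Permission p) {
        if (System.getSecurityManager() == null) {
            return true; // no security manager installed: plain JVM, nothing restricts us
        }
        try {
            AccessController.checkPermission(p);
            return true;
        } catch (AccessControlException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        if (hasUnrestrictedAccess()) {
            System.out.println("Running with unrestricted access (signed and approved).");
        } else {
            System.out.println("Running in the sandbox; local file access will be skipped.");
        }

        // In the sandbox even reading "user.home" is denied, so check that first
        // rather than letting the AccessControlException take the app down.
        if (isGranted(new PropertyPermission("user.home", "read"))) {
            // "myapp.properties" is a constructed name for this example.
            File settings = new File(System.getProperty("user.home"), "myapp.properties");
            boolean usable = isGranted(new FilePermission(settings.getPath(), "read,write"));
            System.out.println("Settings file " + settings
                    + (usable ? " is usable." : " is not writable here; using defaults."));
        } else {
            System.out.println("No access to the home directory; using in-memory defaults.");
        }

        // A sandboxed app can still offer the file picker and per-app persistent storage
        // through javax.jnlp.FileOpenService and javax.jnlp.PersistenceService, which
        // covers the access the bug report says most JWS apps legitimately need.
    }
}
```

Run it once as a plain `java SandboxAwareApp` (no security manager, so it reports unrestricted access) and once under a JNLP file without a `<security>` element to see the sandboxed branch taken.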


