Covered in Scorpions -

Apr. 17th, 2013

05:24 pm


I just noticed a really obviously stupid thing about operating system design, mostly Windows but partly true of others as well. There's the concept of the "administrator account", which is what allows software to be installed, and which exists to prevent things from secretly installing malicious software. But here's the problem: every time we intentionally install something, we give someone's arbitrary program permission to run as an administrator.

So basically every piece of software we ever use, at the very first point in its life cycle, has administrator privilege. At that point, what good is that barrier even doing? I suppose it's useful for preventing buffer overflows and the like from giving system-invading access, but those are a tiny minority of infections; the usual vector is people installing something that has a malicious thing piggybacked on it. That malicious thing now has administrator privileges if it wants them, because it can grant itself them during the install!

It would make much more sense to have a single operating-system-owned "installer" program, and only ever install packages: globs of files with coded installation instructions. There would still be an annoying "are you sure you want to install this?" popup, and there would still be the possibility of installing malicious software that you might run at the user level, but there would only be an "are you sure you want to give an arbitrary thing administrator privileges?" warning if the installation package specifically requested that. The installer program could also have a separate warning for "are you sure you want to install a thing that will run at startup / immediately?", which would vastly reduce the risk of malicious software infections, since there isn't a lot malicious software can do if you have to actively elect to run it every time.

As an added bonus, this would warn you about Adobe and Sun's auto-updaters being jerks before you installed them, too.
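As an added example (not from the original post, and not how any real Windows or MSI installer works), here is a toy model of the proposed OS-owned installer in Python: a package is a declarative manifest, and the prompts a user sees are derived from what the manifest requests rather than from anything the vendor's code does. The capability names, manifest fields and the `/`-separated path convention are assumptions of this example.

```python
# Added example, not from the original post or any real installer: a toy model of
# a single OS-owned installer. A package is a declarative manifest; the installer
# derives the prompts the user must see from what the package *declares*, and no
# vendor-supplied code ever runs as administrator during installation.

# Capability names and prompt wording are this example's own assumptions.
PROMPTS = {
    "admin": "are you sure you want to give this program administrator privileges?",
    "run_at_startup": "are you sure you want this program to run at startup?",
    "run_after_install": "are you sure you want this program to run immediately?",
}

def validate_manifest(manifest: dict) -> list:
    """Return policy violations for a manifest; an empty list means it is acceptable."""
    errors = []
    root = manifest.get("install_root", "")
    if not root.startswith("/") or ".." in root.split("/"):
        errors.append(f"bad install_root: {root!r}")
    for f in manifest.get("files", []):
        # Files are relative to install_root; reject anything that escapes it.
        if f.startswith("/") or ".." in f.split("/"):
            errors.append(f"file escapes install root: {f!r}")
    unknown = set(manifest.get("requests", [])) - set(PROMPTS)
    if unknown:
        errors.append(f"unknown capability requests: {sorted(unknown)}")
    reg_root = manifest.get("registry_root")
    for key in manifest.get("registry", []):
        # Only the single declared root key (and keys beneath it) may be written.
        if reg_root is None or not (key == reg_root or key.startswith(reg_root + "\\")):
            errors.append(f"registry write outside declared root: {key!r}")
    return errors

def required_prompts(manifest: dict) -> list:
    """Prompts to show, in order; the baseline 'install?' prompt is always first."""
    prompts = ["are you sure you want to install this?"]
    prompts += [PROMPTS[cap] for cap in manifest.get("requests", []) if cap in PROMPTS]
    return prompts

# Constructed sample manifest: a user-level app that additionally asks to run at startup.
SAMPLE = {
    "name": "ExampleApp",
    "install_root": "/Programs/ExampleApp",
    "files": ["bin/app.exe", "lib/helper.dll"],
    "registry_root": "HKCU\\Software\\ExampleApp",
    "registry": ["HKCU\\Software\\ExampleApp\\Version"],
    "requests": ["run_at_startup"],
}
```

A package that asks for nothing beyond its own directory and registry key gets only the baseline prompt, while one that requests `admin` gets the extra warning without ever having run.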

(7 comments)

Comments:

From: nikborton
Date: April 17th, 2013 07:04 pm (UTC)
Windows Installer was almost this - it's (bizarrely) an Access database of instructions with an archive tacked on the end. Then they ruined it. And everyone still uses the InstallShield wrapper on it anyway.

I hate InstallShield.
From: dancinglights
Date: April 17th, 2013 07:42 pm (UTC)
Aha!

Maintaining an automated build process involving early incarnations of InstallShield's scripting system is the project I have hated most in my entire career. Learning that the bizarre relational table structure InstallShield's IDE would repeatedly corrupt was Access-based shines new light on an old and frustrating mystery. One which I hope will continue to be personally irrelevant for the rest of my days.
From: nikborton
Date: April 17th, 2013 08:05 pm (UTC)
InstallShield was way pre-Installer, but when MS decided enough was enough, they just wrapped their cruft around it and carried on. There's no need for it - a .msi is plenty enough for most things - but company after company keeps it alive.

Our "build system" annoyed me one too many times so I started fixing it. It's now a surprisingly capable system considering it's entirely constructed from batch scripts, but InstallShield still being binary meant using its COM interface to update paths, version numbers and things, and therefore a piece of VBScript to tie the ends together.

Despite the savagery and barbarism, it's by far the more interesting, entertaining and rewarding of it and the other project I own, our flagship product.
From: ravenblack
Date: April 17th, 2013 08:08 pm (UTC)
Mm, I thought maybe 'msi' files were something like that. If only they'd made it not complete shit with a shit interface that nobody wanted to use!

It should have been as easy as drag and drop your files, name your one root registry key and use a regedit-style interface for setting that (or drag and drop a .reg file), and right-clicking your executables to get a special privileges menu per file if you want to grant firewall holes, admin privileges, auto-run or the ability to auto-update (via some sort of system call to point the installer at a new [partial] package file [to download] that does not escalate privileges).

It could actually make it easier to implement all those things, which are currently all a pain in the arse!

And yes, I too hate InstallShield. Both as a programmer and as a user.

Also! If installers were done that way then you could flag Microsoft dependencies as simple flags in the install file rather than everyone wastefully including the whole of DirectX, .NET and those bloody C# game runtimes in every game's installer!
From: notthebuddha
Date: April 18th, 2013 12:58 am (UTC)
I'm not sure what you mean. Unix-like systems allow apps to be installed by users and run without root access, and I'm using a non-installed .exe of TeamViewer right now on Windows 7.
From: ravenblack
Date: April 18th, 2013 03:19 am (UTC)
You can work around it on a Unix OS, but generally the only people who do are people who don't have root access to the machine so they have no choice. Much more common is to follow instructions on how to add an apt-repository and then sudo apt-get whatever.

And the vast majority of Windows software doesn't run if it's not installed. You can't even get most things in a non-installer form. Are you really not sure what I mean, or are you just deliberately being obtuse about Windows by mentioning the one piece of software you're running that didn't require an installer? I assume you're running something else too, like maybe a browser for instance, that did require installing.
From: notthebuddha
Date: September 10th, 2013 12:20 am (UTC)
sigh. once more....

Sorry for the lagged response.

I was replying in earnest. There's a whole little genre of install-less apps at portableapps dot com, among other places.