it's been on my radar since back before the project was rebranded from xdgurl. Reading Stevo's post prompted me to audit the code.
1) We have no assurance (and opendesktop.org offers no such claim) that apps listed on the site have been vetted.
2) Any pseudonymous person, using a disposable (e.g. YahooMail) email, can register and upload an ocs-packaged item.
3) The source code associated with any ocs-url-packaged binary/executable is not required (and is often NOT easily accessible).
4) The installer does not perform a precautionary chmod -x for any "expected to be non-executable" files (e.g. when a pkg reputedly contains only "wallpaper").
5) Installed packages are not "sandboxed" and, once installed, nothing prevents an app from presenting a popup (inducing a naive user to "sudo auth").
With the above in mind, on a system configured for "passwordless sudo" (e.g. LinuxMint, Ubuntu), the ocs-url mechanism, along with apt-url, arguably represents an exploitable vector ~~ a trainwreck waiting to happen.

From a sysadmin perspective, I would install (and pin) a dummy package toward precluding use of ocs-url on any machines I'm responsible for managing.
Installation of ocs-url packages does not require elevated permissions. Items are installed to subdirectories of the user performing an install.
In order to be accessible by various users, an item (e.g. "theme", "plasmoid", "wallpaper", "yakuake skin", etc.) must be redundantly installed by each user.
Currently, the ocs-url install mechanism provides no facility for an author/packager to request or otherwise trigger an install-time "autorun".
Therefore, a cautious user has opportunity to set up a firejail (or other) sandboxing rule prior to first run.

Upon discovering any incorrect/outdated detail in the above, please send me a PM so that I can update this post.
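Point 4 above, the missing precautionary chmod -x, is something a user or admin can check after the fact. The script below is an added example, not part of the post or of ocs-url: it reports files with an execute bit, or with a shebang/ELF header, under directories meant to hold data only, and can clear the execute bits. The directories are passed as arguments because the post does not list install paths, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not ocs-url code): audit "data-only" install directories
# (wallpapers, themes, skins) for executable files.

# Print regular files under DIR that have any execute bit set.
list_exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Succeed if FILE starts with a "#!" shebang or the ELF magic bytes.
looks_executable() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        2321*|7f454c46) return 0 ;;
        *) return 1 ;;
    esac
}

# Print files under DIR whose content looks executable, whatever their mode.
list_suspicious_content() {
    find "$1" -type f -print | while IFS= read -r f; do
        if looks_executable "$f"; then printf '%s\n' "$f"; fi
    done
}

# Clear the execute bits on every regular file under DIR.
strip_exec_bits() {
    find "$1" -type f -exec chmod a-x {} +
}

# Report on DIR; with MODE=fix also clear the execute bits.
audit_dir() {
    dir=$1; mode=${2:-report}
    [ -d "$dir" ] || return 0
    list_exec_files "$dir" | sed 's/^/exec-bit: /'
    list_suspicious_content "$dir" | sed 's/^/content:  /'
    if [ "$mode" = fix ]; then strip_exec_bits "$dir"; fi
}

# Usage: sh audit.sh report|fix DIR...
if [ "$#" -ge 2 ]; then
    mode=$1; shift
    for d in "$@"; do audit_dir "$d" "$mode"; done
fi
```

Clearing the execute bit does not stop a script from being run through an interpreter, so the "content:" lines are worth reviewing even after a fix run.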