Adobe Air on Linux - A Security Nightmare
Adobe Air is an application platform/framework which received some buzz recently. One of the most popular Twitter clients was written using Adobe Air. Air seems to make it relatively simple to write nice looking cross platform applications.
Two weeks ago, Adobe Air was released for Linux and I gave it a try on my Debian Etch system. The results were not very satisfying.
Installing Air
First you need to download the installer from the Air for Linux website. then make it executable and run it.
$> wget http://download.macromedia.com/pub/labs/air/linux/adobeair_linux_a1_033108.bin $> chmod +x adobeair_linux_a1_033108.bin $> ./adobeair_linux_a1_033108.bin
So far, so nice.
What's not so nice is that the installer will ask you for your root password. It won't tell you what it will do with your system, where it installs anything or what scripts will be run. There seems to be no way to install with user permissions only.
I was brave and let it do its magic anyway. It turned out that it installed itself as a Debian package called adobeair-enu. That's really nice – but why not giving me a Debian package from the start?
Paths are not Debian-like though, everything is installed to /opt/Adobe AIR. Yes, there's a blank in that path 
.
Installing an Application
The next thing needed is an Air application to install of course. I was most interested in the much praised FriendFeed client AlertThingy.
Installing Air applications is supposed to be very simple. On Windows and Mac, Air integrates with Flash. Application providers just need to put up some special flash file and user can enjoy a one-click install. Of course the one-click installer didn't work for me.
So I had a look at the HTML source of the AlertThingy site and got the download URL from there:
$> wget http://www.howardbaines.com/alertthingy/AlertThingy.air
Now how to run this? The Adobe Air installer is not added to the PATH so you need to give the full path your self:
$> /opt/Adobe\ AIR/Versions/1.0/airappinstaller
This will open a file browser where you can choose the just downloaded file.
Next: a scary warning.
Not helpful, eh? Just scary. Click install if you dare.
Okay, the next dialog asks you where to install the application. I did choose some place in my home directory and hit “Continue”.
Guess what came next. I had to enter the root password to install the application 
.
Seriously, why on earth do I need to give the root password to install some application in my own home directory?
Handling the Application
Yes, I continued installing the application. AlertThingy started right after finishing the installation. I configured my FriendFeed account and it works as promised.
The tool is nice but not exactly what I what I was hoping for - but that's another story.
While it ran, I noticed that there is no icon for it in my XFCE icon box. I don't know if this is Air problem or an AlertThingy problem.
Then I hit the little X icon to close the application. It vanished from my sight. No window. No icon in the icon box. No icon in the system tray. Until an alert popped up in the middle of my screen.
So AlertThingy was still running somewhere in the background. But without any obvious way to bring it back into sight. So I killed it and restarted it again.
Oh, did I mention the spaces in the installation path and binary name? 
$> /home/andi/programs/Alert\ Thingy/Alert\ Thingy
So AlertThingy does not integrate well in my desktop environment. Additionally it felt very sluggish when scrolling or changing tabs – and my PC is quite powerful.
Summary
Adobe Air for Linux is still alpha and this shows. Performance and desktop integration have to improved.
Unfortunately Adobe Air for Linux also shows a huge lack of understanding of the “Unix way”. Forcing users to install applications as superuser might be a common practice on other operating systems, for a Linux system this is unacceptable!
Posted on Friday April the 18th, 2008 (3 weeks ago).
Comments
2Even more so, though, there should never be a plugin (and that's what downloadable applications are, really: they're plugins into the framework) that requires root to install. Look at the logical analogs: Firefox plugins (install in ~), Java Web Start (install in ~ or JDK root, your choice), even ClickOnce for .net on Windows. They all only require admin access for a downloaded application if you decide to. The moment a downloaded application asked me for root password is the moment I would cancel.
Spaces in a path name? Who cares. Get with the 80s. :-)
3I blame windows for making security an afterthought if it's a consideration at all.
4When I install a Debian package I usually install a peer reviewed open source package so that's quite different already. But I guess that's more than I could expect ever from Adobe.
But if Adobe would deliver a Debian package then I'd have documented package format at least. I could unpack it and have a look at the directory structure. I could see what scripts are run and what startup scripts will be modified. I could check for suid bits.
Currently all I get is a complete blackbox.
Others might not have a problem to trust a big company like Adobe, so that might be okay for some (after all I risked it too - out of curiosity).
But having to trust *any* Air based application I download from the internet? That's just plain stupid.
And there's no reason for it. I can install stuff perfectly well in my home directory. There is no need at all for superuser privileges.
With user privileges, if something goes wrong, a malicious application still might wipe my home directory but at least it couldn't take over the whole system. This strict separation of user and superuser permissions is the very base of Unix security and Adobe should know better than to violate it for no reason.
5Very nice Adobe...
And when I read your post and read the "root password" stuff, I thought you're talking about "sudo" which is what every application which install itself into system need. But that it doesn't support sudo is a bit tedious, what will Ubuntu users do? Most of them ain't got a root password.
6I am going to stand firm about saying requiring root for installing AIR itself though is something that is mostly a non-issue. Although yes, you can open a .deb archive, look through the source and decipher what's going on, does anybody actually do that? I guess it's nice to know one has the ability to do it, I doubt anyone actually takes advantage of it. It seems like it would be a lot less trouble to set up a virtual machine (or old computer lying around), install the software there, and see what it does.
7
8And no, granting admin capabilities to any random application is not OK, it doesn't matter what your no-multiuser OS/UAC nag screens have made you to believe.
And apt/dpkg works with a chain of trust from the repositories and uses signed packages
We are in Linux because the next,next,finish and implied blind trust was not OK in the first place, this alien approach to Linux is doomed to failure
9I don't understand why they can't hire a single person who is comfortable with Linux to spend the two or three days it would take, and make proper packages for the three or four Linux that comprise 95% or users, and a reasonable fallback for the others.
I find it unacceptable, and won't install their software until some thought is put into it.
10>>your issues you bring up are not a "Security Nightmare",
They don't make as interesting blog post without FAR OUT headlines. "Potential Security Holes in Adobe AIR, and my thoughts on plugging them" wouldn't be as catchy.
http://www.adobe.com/cfusion/m … e=wishform
Did you submit the bugs or your requests for the release version, or are you just another drive by complainer?
11It would be very interesting to have a go wich strace and look at what it does with the password.
Btw. I'm quite sure that the filesystem path specs that debian follows lists /opt/ as a valid place for foreign applications to install.
12(I'm not sure whether to treat you seriously, but for the benefit of others, I will.)
When a concept as fundamental to security as giving out permissions only on an as-needed basis is violated, yes, that is considered a "security nightmare". Very few applications actually need the superuser set of permissions -- even fewer that are non-system.
The mindset that many have seen in Microsoft environments is "give everything the power to do everything," usually because "it will only work that way". This mindset is a product of laziness on the developers' part, and in Adobe AIR, we see it bleeding into Linux. The correct (and more difficult!) solution is to find out what permissions your application truly needs in order to function properly, and then ask for only those permissions.
Please note that I am not trying to say that bad security practices are unique to Microsoft environments or developers; this is merely a well-known example.
Finally, whether the author submitted the problem directly to Adobe is irrelevant -- he has contributed plenty to the world already by saving others the time and effort necessary to discover what is, indeed, a security nightmare.
13
15
16-> Performance and desktop integration have to _be_ improved.
17Blog
Older Weblog articles are available in the Archive, subscribe to the
Full Content RSS Feed
to stay tuned. (learn more)
Recent Blog Entries
This is the personal web site of Andreas Gohr
- human being, blogger and web geek from Berlin, Germany.
This page was last updated at
2008/04/18 13:07.
Imprint/Impressum
Most popular:
Elsewhere:
Recent readers:
When installing an application that uses air, it isn't all that out of line for it to ask you for your root password. Once again, how would you like to install it? Through apt? Once again, apt asks you for your root password.
Overall, your issues you bring up are not a "Security Nightmare", albeit maybe a bit excessive to _require_ a root password, this day and age it's not out of the ordinary to ask for it even on Linux.