search

GitSquared / edex-ui

A cross-platform, customizable science fiction terminal emulator with advanced monitoring & touchscreen support.
GNU General Public License v3.0
40.49k stars 2.55k forks source link

Installing to Program Files doesn't work #994

Closed SamusAranX closed 3 years ago

SamusAranX commented 3 years ago

Technical information

Using version:

Running on:

How comfortable you are with your system and/or IT in general:

Problem

Hiya! I was trying to run the setup, but it seems that like so many other Electron apps, it installs itself into AppData instead of Program Files. This is a bad idea for various security-relevant reasons and should be changed sooner rather than later, but the reason I'm filing this issue is because manually setting it to install to Program Files makes the installer fail with this error message: image

I don't know what installer software you're using, but this is the point where it should ask for elevated privileges to proceed with the installation instead of failing.

SamusAranX commented 3 years ago

I should add that while I haven't tried this on macOS yet, in case the setup installs this anywhere other than /Applications, it should be changed as well to put all actual program files into /Applications.

3203234030 commented 3 years ago

Forgive my ignorance if I understand you are referring to my Sony computer with Windows 8 system? This computer is blocked due to (in my opinion) by a bad faith technician who probably stole the necessary Windows updates. Today I own and use two android 6 and android 10 phones. I wonder if we can recover my computer.

From: Peter Wunder notifications@github.com Sent: Monday, December 28, 2020 4:17:31 AM To: GitSquared/edex-ui edex-ui@noreply.github.com Cc: Subscribed subscribed@noreply.github.com Subject: Re: [GitSquared/edex-ui] Installing to Program Files doesn't work (#994)

I should add that while I haven't tried this on macOS yet, in case the setup installs this anywhere other than /Applications, it should be changed as well to put all actual program files into /Applications.

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHubhttps://github.com/GitSquared/edex-ui/issues/994#issuecomment-751559606, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AKLPOWGDJHPG7LTHFBBMT3LSW72EXANCNFSM4VLOLMEA.

GitSquared commented 3 years ago

Hi @3203234030, you're receiving notifications for an open-source project on GitHub, not your tech support. If you'd like to unsubscribe from these emails you can click the unsubscribe link that should appear just below this text on your inbox.

GitSquared commented 3 years ago

it seems that like so many other Electron apps, it installs itself into AppData instead of Program Files. This is a bad idea for various security-relevant reasons and should be changed sooner rather than later

Could you expand on this, for my own curiosity? Installing internal app files to AppData is indeed the convention for Electron apps. Note that I don't use Windows so I may be missing some context here as to why it's not a good idea - all I know is that most regular "machine-wide" programs are installed in C:\Program Files.

I don't know what installer software you're using, but this is the point where it should ask for elevated privileges to proceed with the installation instead of failing.

Indeed. We rely on electron-builder for making binaries & installers across platforms.

From doing a quick search in their issues board it seems that a possible solution would be to configure all installers to prefer the Program Files folder by setting perMachine to true( https://github.com/electron-userland/electron-builder/issues/2227 ), but this would mean no freedom of choice and requiring administrator privileges for everyone willing to install this. Could you simply right click on the current installer and run it as admin? This ain't ideal but it may work.

I should add that while I haven't tried this on macOS yet

On macOS and Linux systems, this dialog does not exist. Customizing a program's installation path is really a Windows thing.

SamusAranX commented 3 years ago

Could you expand on this, for my own curiosity?

Of course: Basically, files in the Program Files directories enjoy a greater level of protection by the OS. To modify files under Program Files, you need elevated privileges, which is a good thing because it means malware has an additional hurdle to clear when attempting to modify program executables. A good example of this would be Discord, which has been the target of spyware multiple times because its source code is de facto open and you can modify it without elevated privileges: the user never notices until it's too late.

all I know is that most regular "machine-wide" programs are installed in C:\Program Files.

User-specific installations are actually supposed to put the program into Program Files as well, they just put their shortcuts into user-specific folders and config files into %LocalAppData% or %AppData% instead of %ProgramData%.

Also, I just noticed that selecting "all users" during the setup actually does ask for elevated privileges and installs to Program Files by default. I must've forgotten to change it back from "only for me" before filing this issue, my bad. Still, the per-user setup shouldn't install the actual program into AppData for the reasons I gave above. AppData exists for user-specific configs, caches and the like, not for actual executables. Simply change the default install path for both machine-wide and user-specific installs to C:\Program Files\eDEX-UI and only change the config location depending on the path taken. This might require elevated privileges, but this is normal and expected in setups for Windows apps. If you want to offer a way to run the program without elevating privileges at any point, consider offering a standalone version without a setup.

Customizing a program's installation path is really a Windows thing.

This is neither here nor there because this is a Windows-specific issue, but macOS's installer packages actually have options to change where program data is installed:

image

GitSquared commented 3 years ago

Thanks for the insights. Indeed, the permissions aren't the same in Program Files and appData, but... that's the whole point, and "per-user" install should really be named "no privileges" install. Edex, unlike Discord, handles no sensitive data and so the risks associated with malware rewriting its source code archive are not greater than what the malware itself might have been able to do with user-level filesystem access.

If you want to offer a way to run the program without elevating privileges at any point, consider offering a standalone version without a setup.

At the very beginning this was a portable app, but since it now needs to store configs, themes, geoip database caches and the like, having an install-uninstall lifecycle makes more sense, and ensures that users are aware we need to store some files, and that they are correctly cleaned up on uninstall.

I agree with you that the Electron world's (maybe only electron-builder's?) conventions are flawed, but I don't think here is the right place to solve that. You may want to escalate this upstairs, but... good luck trying to make those boys move a muscle, they don't iterate quickly unless it's a macOS compat issue.

I'm more of an architecture than a desktop guy but as far as I'm concerned Electron is in dire need of a new contender, and will probably go away fast once we find a better paradigm. I'll bet my money on tighter PWA integrations, but the code-signing mafia would disagree.

Thanks again, for reporting this, and making me learn a few bits.