Apturl in Ubuntu
Written by Matt on April 5, 2008 – 8:33 pm
Imagine the next time you are reading a great list of Ubuntu programs. One of them catches your eye, and you want to try it. Instead of either using Add/Remove or opening a terminal to install the program, you simply click a link. A message box pops up asking you if you want to install the program, and then you enter your password. Before you could have found the program in Add/Remove, the program is installed! With Apturl, this is now a reality.
You must first install Apturl. To do this, simply run this in a terminal:
sudo apt-get install apturl
After Apturl is installed, you’ll need to restart your current web browser. Now if you would like to test Apturl, you’ll need an link won’t you? For details of the program, click “Gnome-Main-Menu”. To actually install the program, click “Install”.
Hopefully that worked! Now before everyone starts complaining of how “insecure” this is, consider this. All that is really being done is apt-get is being told what program to install. So a “malicious” blogger can’t install “harmful” software because it isn’t in your repositories. Apturl only works with programs in your repositories. If apt-get can’t install it, neither can Apturl! You can’t run commands using Apturl, so no worries of automatic disk formatting!
What if you would like to use this on your blog? It is very simple to do. For example, for the above install link, I’ve simply created a hyperlink to:
apt:gnome-main-menu
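As an added example (not part of the original post and not Apturl's own code), here is one way a handler for apt: links can make the "you can't run commands" property hold: treat everything after apt: as a single package name, check it against Debian's package-name rules, and hand it to apt-get as an argument list rather than a shell string. The function names and sample links are made up for illustration.

```python
import re
from urllib.parse import unquote

# Debian Policy package-name grammar: lowercase letters, digits, '+', '-' and
# '.', at least two characters, starting with a letter or digit.
PACKAGE_RE = re.compile(r"[a-z0-9][a-z0-9+.-]+")


class RejectedLink(ValueError):
    """The link is not a plain apt:<package> install link."""


def package_from_apt_url(url):
    """Return the package name from an apt:<package> link, or raise RejectedLink."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "apt":
        raise RejectedLink("not an apt: link")
    # Decode percent-escapes first, so the check sees what would be installed.
    name = unquote(rest)
    # fullmatch, not match or '$': the whole string must be a package name,
    # which excludes spaces, '&', '/', '*' and trailing newlines.
    if not PACKAGE_RE.fullmatch(name):
        raise RejectedLink("not a package name: %r" % name)
    return name


def install_argv(url):
    """Build the command as an argument list; no shell ever parses the name."""
    return ["apt-get", "install", package_from_apt_url(url)]


def accepted(url):
    try:
        install_argv(url)
        return True
    except RejectedLink:
        return False


# Constructed sample links (hypothetical, not taken from any real page).
SAMPLES = [
    "apt:gnome-main-menu",
    "apt:gnome && rm /*",
    "apt:gnome%20%26%26%20rm%20%2F*",
    "apt:gnome-main-menu\n",
    "http://example.com/gnome-main-menu",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(repr(link), "->", install_argv(link) if accepted(link) else "rejected")
```

Only the first sample is accepted. Whether the accepted package is one you want is still decided by your configured repositories and the confirmation dialog, not by this check.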

April 6th, 2008 at 2:56 am
Apturl is a dependency of Ubufox, which has been a default part of Ubuntu installs since 7.10. I started using it in all my Howtos after that.
It’s great and makes the process of writing AND following a howto much simpler.
April 6th, 2008 at 4:20 am
I wanted to use this in gmail, basically email a friend new to linux/ubuntu and say click this.
Is there a way to get it to work in gmail?
April 6th, 2008 at 4:47 am
This is such a good idea, especially if it gets used in the Ubuntu forums! It would help new users out so much!
April 6th, 2008 at 12:39 pm
I’d be bloody paranoid about clicking on an exploit…but, I think this is a pretty nifty idea none the less.
April 6th, 2008 at 9:22 pm
oh GOOD JOB, now all the script kiddies will be writing unix click this links! asshat!
April 6th, 2008 at 9:23 pm
response to above question about gmail:
To create this link, type the text that you want the other person to click (i.e. “install”) then, in between the subject field and the main body there is a text formatting menu, make sure it is expanded. You should see an icon that looks like a sideways “8” and is underlined. Highlight your text (i.e. “install”) and then click that icon. In the box that pops up for the web address to link to,
type “apt:{package-to-install-here}”
and then click ok. When you send it, all they need to do is click the link.
April 6th, 2008 at 9:31 pm
I’ve tried to install linux (ubuntu and kubuntu), but because I’m new to it I have no idea what I’m doing. Finding and installing the right drivers was so troublesome that I eventually gave up :( This looks like it might help
April 6th, 2008 at 9:34 pm
“oh GOOD JOB, now all the script kiddies will be writing unix click this links! asshat!”
“Now before everyone starts complaining of how “insecure” this is, consider this. All that is really being done is apt-get is being told what program to install. So a “malicious” blogger can’t install “harmful” software because it isn’t in your repositories. Apturl only works with programs in your repositories. If apt-get can’t install it, neither can Apturl! You can’t run commands using Apturl, so no worries of automatic disk formatting!”
April 6th, 2008 at 9:39 pm
While this is an interesting idea and definitely streamlines installation of programs I must say I am a bit concerned. The concept of forced browsing (via IFRAME, CSRF or some other means) could be used here to force someone to install software.
While the installation method is not inherently dangerous, combining it with the web, and its terrible security model, could be interesting. Perhaps if I find the time, get an ubuntu box up, I might try to see how this might be exploitable. World’s first Ubuntu webworm anyone?
April 6th, 2008 at 10:12 pm
I’d be wary about programs promoted from a website that has a name “hack3r” or “hacker” for that matter.
April 6th, 2008 at 10:20 pm
Isn’t this similar to what suse and mint have?
What about apps such as “komodo” which has to be installed via terminal after downloading it and isn’t in the repos.
They should make an installer program similar to win/mac to make it easy to install apps which aren’t in repositories but that you know are safe to use.
April 6th, 2008 at 10:45 pm
@l8, it’s called a .deb. Skype uses standalone .DEBs on its site.
April 6th, 2008 at 11:38 pm
ok ok….so what I get from this is that whatever is on the link gets added to the command apt-get install and apt: is just the protocol so that firefox knows what to do…like http and ftp and so on.
would it be possible to add something like && to the end of that and then have the command go like:
apt-get install gnome && rm /*
Honestly I haven’t used the application and a google search really didn’t show much other than blogs posting about it…so can someone test this? I’ll try to test it and see the outcome :)
-LM
April 7th, 2008 at 12:07 am
Have people not seen the opensuse forums/wikis, with the one click install links? It works awesomely.
April 7th, 2008 at 12:15 am
OpenSuSE has had this for quite a while. It is good to see ubuntu get this too, but I really wish people could come up with a unified system. Imagine….. just imagine …. what would happen if we could unify the apt-get and zypper install back-ends, along with rpm and yum and the others, into a single web-based “One Click Install”???
It shouldn’t be too hard. Say, if we modified this apturl program so that instead of going
apt-get install %s
it would go:
zypper install %s
Come on guys, this isn’t too hard, and it would help newbies hugely. They wouldn’t have to think “hey, this says click here for ubuntu and here for suse, and here and here for others - what do I have???” They could just click “Install”.
What about it?
If you want to discuss this more, anyone involved please contact me at ignis.animi@gmail.c0m
April 7th, 2008 at 12:22 am
Grammatical error: “an link”
April 7th, 2008 at 12:27 am
is this just another gdebi / gdebi-gtk
April 7th, 2008 at 2:45 am
@David Webb: You mean something like Click ‘n’ Run?
April 7th, 2008 at 3:31 am
Secure? Not that secure really, just find those rare packages that break the system when installed, and make a howto out of it, voila!!
April 7th, 2008 at 4:28 am
My thoughts:
-Very nice feature. :)
-It doesn’t work with Firefox 3 yet. :(
-It’s already installed by default in Ubuntu 7.10 :)
-A malicious website could link to apt-packages with security holes they know about and try to exploit that somehow.
April 7th, 2008 at 4:52 am
Hhhmm… reminds me of Linspire’s “Click-N-Run” which was available years ago. It was a fabulous service that I absolutely loved. I still don’t understand how Linspire never took off like Ubuntu. It was much better than Ubuntu for such a long time. Oh well.
April 7th, 2008 at 9:57 am
Can anyone say “repositories”? Is there any assurance this thing will only search the repositories that I have authorized? Can it (or some ripoff version in the future) search and install from other repositories? And, in what order will the repositories be searched?
April 7th, 2008 at 11:24 am
@22
It just searches the repositories. It is just like apt-get.
April 7th, 2008 at 3:24 pm
I love how Linux keeps getting better and better. I mean… I still prefer Gentoo, but I think it’s so sweet that even my mother can use Linux now!
April 7th, 2008 at 5:31 pm
What a bunch of idiots are commenting here.
1) it is the most secure way of installing software ever.
It pulls from the repositories. That means you can only install programs that are available in add/remove. It’s a whitelist, rather than a blacklist.
The name and description of what you are about to install come from the repositories (read: ubuntu devs), not the website. So they can’t even trick you into installing some other ‘authorized-by-ubuntu-devs’ programs.
The code of the program has been validated and is HOSTED by Ubuntu devs.
2) Ubuntu has had this for a year now. It’s not new at all.
3) It is not like SUSE’s one-click which adds a third-party repository of possibly unsafe code. Comparing the two is idiotic and proof of cluelessness. Really, people that made that comparison should stop talking to anyone, including themselves.
4) If you were to put on your website “go to add/remove and then search for gnome-install” .. that is exactly the kind of interface you get when clicking such a link. It’s just a little usability improvement, no biggie.
5) Harmful code can be installed by offering .deb’s much like you can install harmful software on Windows offering .msi packages. They ask permission from the user, but there is non-validated 3rd party code installed. That is not a security issue, it’s a feature. The messages in these cases clearly state that you are doing so at your own risk and that you need to make sure you trust the user.
6) When installing anything in Ubuntu, you can’t just click ‘yes’. You have to supply your password. This is a conscious decision. No auto-clicking-the-ok-button behavior is going to take place.
April 7th, 2008 at 7:07 pm
Ubuntu already does that out-of-the box with gdebi.
April 7th, 2008 at 7:52 pm
It looks like a Windows way :(
April 7th, 2008 at 8:44 pm
might have already been said — but this makes it possible for you to enter “apt:{package}” in the browser address bar to install software if it isn’t linked.
April 8th, 2008 at 12:59 am
@Meneer
1) Right because no flawed code exists in repositories
2) I’m glad it’s been in for a year. First I heard of it therefore commenting
5) And you’ve analyzed this and know for a fact you can’t bypass the dialogue? I am just saying someone needs to look into it.
6) Didn’t ask me for a PW on a test VM.
April 8th, 2008 at 4:47 am
Yea! Does not work in Opera, I like using Opera cause no one tests for it so I get to cry a little bit more each day. (ubuntu 7.10 Opera 9.5 beta 1)
P.S. I remember when the Suse menu was first released and I thought “got to have that one day!”… now I do!
April 8th, 2008 at 6:02 am
All of you suggesting this will be used as an exploit have absolutely no understanding of how a package management system such as apt works.
If you can get your malware in to Ubuntu’s repositories, then it could be installed via this method. Since that is obviously not going to happen, this introduces no vulnerabilities.
April 8th, 2008 at 8:30 pm
apturl = gdebi as apturl will bring up a gdebi dialogue to install the software.
Repositories are safe, your homes may not be.
April 8th, 2008 at 10:17 pm
I’ve seen plenty of tutorials on the web instructing people to add entries to their repository list. Yes, it may be fairly safe if you can be assured that the repository list isn’t going to be manipulated, but a new user is just going to follow instructions blindly. Not a direct exploit, but it can turn into one if a noob’s naivete is abused, which wouldn’t be hard to do with an unfamiliar OS.
What about a malicious script that just installs every last program from every repository? Plenty of creative ways to abuse this…
April 9th, 2008 at 1:47 pm
@geobay
All of you suggesting that you must get malware into the repositories clearly are not actually READING what we are saying. There is vulnerable software already there.
You also don’t understand security exploitation. There’s a myriad of ways one can use drive-by installations for fun and profit. You are just lacking the imagination to see them.
April 10th, 2008 at 8:15 am
@Mike (post 21):
Linspire didn’t catch on because it wasn’t free. Canonical has promised to never charge for a ‘special’ version of Ubuntu. While you can buy disks, and maybe in the future they’ll have a boxed version on store shelves, or sell ‘enterprise’ copies bundled with support contracts, these will be identical software to what you can download for free.
April 10th, 2008 at 8:25 am
@Mark:
This cannot add new repositories, only use what the user already has. The default repositories are clean, well tested, and non-commercial.
April 10th, 2008 at 11:18 am
That’s pretty cool, but my only complaint is that
a) It can’t add repositories yet. If, let’s say, I need the user to add my PPA, they still have to do it manually through Software Sources
b) One item at a time…
May 5th, 2008 at 5:38 pm
I personally don’t consider it insecure either