15

I have Ubuntu 14.04 LTS

I have downloaded Telegram from here. The file was compressed with the extension tar.xz.

I have unpacked this file and run the file Telegram (without extension) using common user (not admin). The application started and worked OK.

But why does Ubuntu not tell me, "Don't run this app, because it is not safe"?

Is it really safe to run such applications, which do not need installation, which run easily when double clicked?

And what are apps like this called? What name do they have? “Portable”?

dessert
  • 39,982
D. Ktt
  • 337

2 Answers2

26

The file is a binary executable. It has already been compiled from its source code into a form your CPU can execute and you only have to ask for it to be executed for it to run.

The software you download when you run a package manager such as APT in general also includes pre-compiled binaries, so there's nothing peculiar about this type of file. The packaging of the files does helpful things like telling the package manager where in the filesystem the binaries need to be copied to, and provides scripts that make sure the program can find any shared libraries and other programs it depends on and the environment it requires is set up if needed.

The reason you might consider this program unsafe is that it comes from an unknown source, whereas packages from Ubuntu repositories are from a known source and protected by a signature verification process that ensures they haven't been tampered with on their way to your system.

Basically, downloading and running executables from unknown sources is insecure, unless you trust the provider and you can verify that the download reached you intact. To the latter end, distributors may provide some kind of checksum you can use to check that the file they uploaded has the same content as the one you downloaded.

One encouraging thing about Telegram in particular is that it is open source:

This software is available under GPL v3 license.
Source code is available on GitHub.

This means anyone can read the program's source code to make sure it won't do anything undesirable to your system. In practice, reading the source code to make sure the program is safe isn't something most end users want to spend time doing or learning how to do. Still, I have some faith in the involved community to find security vulnerabilities and bugs in open source software.

As for why Ubuntu doesn't complain that the program is unsafe, well, badgering the user about their questionable decisions isn't the Linux tradition. A Linux system is typically designed to do what you ask it to, and nothing else. The user is considered responsible for having awareness of security issues and other potential pitfalls and will rarely be warned that they are about to compromise or damage their system.

I use a PPA for Telegram see this answer for all the ways to install Telegram. PPAs use APT's signature verification mechanism, but they still have some risks because you are putting your trust in the maintainer. PPAs do provide some convenience, updating when you run updates (if the maintainer updates the PPA), making the package manager aware that you have the software and so on.

Zanna
  • 70,465
  • 6
    "A Linux system is typically designed to do what you ask it to, and nothing else." Two words: Lennart Poettering. – RonJohn Mar 19 '18 at 15:15
  • 6
    Whereas Telegram source is on Github, it doesn't mean the compiled binary you downloaded was generated using exactly the same source. So in the end, the actual problem here is trust in the whole chain, which is better handled by your OS packages. – jjmontes Mar 19 '18 at 17:51
  • Of course he could ditch this binary, take that source, and compile it himself, and use that, or compare it with the binary he has if he compiles it in exactly the same way (though that is potentially difficult to replicate). – ttbek Mar 19 '18 at 21:25
  • 1
    @RonJohn, I can't find anything that clarifies why you're mentioning him in connection with (in contrast with?) that sentence. Are you talking about some obscure PulseAudio expectation breakage, or something else? – Wildcard Mar 19 '18 at 21:35
  • @Wildcard systemd – RonJohn Mar 19 '18 at 21:52
  • 2
    "verify that the download reached you intact. To the latter end, distributors may provide some kind of checksum you can use to check that the file they uploaded has the same content as the one you downloaded." - note that this doesn't add any additional security if the checksum has travelled to you down the same channel as the download, as it could have been tampered with too. – Jon Bentley Mar 20 '18 at 02:21
11

Locally installed software

Software, downloaded (or copied locally in any way) and run locally (from your user) can potentially do anything you do not require admin permissions for. That includes removing your (personal) files, which most of us would find harmful.

If you are logged into anything, and the software runs as your user, ditto, but also think of scripts or commands you might have added to the sudoers file.

In case you have an admin account, and the software asks for your password and you accidentally give it, anything could happen.

Warning?

Without giving your password, the potential damage will be limited to your own account. You wouldn't want Ubuntu warn you for each and every command you run, deliberately or not.

That's why you simply should not run code from sources you don't know if you can trust them, unless you fully understand the code.

Community
  • 1
Jacob Vlijm
  • 83,767
  • 7
    "potential damage will be limited to your own account" - not that I disagree with main principle, but to be honest, I can't think of any valuable data on my machine that is NOT on my own account. – Mirek Długosz Mar 19 '18 at 09:41
  • 11
    @MirosławZalewski obligatory xkcd: https://xkcd.com/1200/ – Olorin Mar 19 '18 at 09:49
  • In addition to the xkcd: A malware could try to spam or hack other servers (I already saw this in action). This is not only annoying for others but can get you on blacklists as well. – allo Mar 19 '18 at 12:51