1

Is it possible to burn an Ubuntu app on a CD/DVD, and make an autorun for it, just like Windows?

If yes:

  1. How to do it with a Snap application? Consider I have downloaded an app from Software Center by using snap download; in other words, I have a .snap file, and maybe a .assert one.
  2. How to do it with a .deb file?
  3. How to do it with a .AppImage file?
  4. How to make an autorun for it? Do I need a Shell script or something else?

And if no, why isn't it possible? How do you say it isn't possible while this Ubuntu help page states that you can start a removable media that is a software?

Lastly, is it totally a good idea to create an Ubuntu application CD/DVD?

Thanks!

Edit 1: There is a similar question on Stack Overflow. The answers here and in the link shows that this way is not recommended, due to security considerations. However, I would appreciate others to post new answers.

Edit 2: I found a question asked for USB sticks on Ask Ubuntu. As I tried, in an Ubuntu-based OS, it works on CDs, also. However, it shows "Unable to locate the program" error after accepting to run the autorun, even if the autorun file has a valid syntax and it's executable.

MAChitgarha
  • 374
  • Say, this would be a great way to distribute malware! – user535733 Aug 22 '19 at 12:56
  • @user535733 You're right, but isn't there a way of checking the software security online? Then the user would install the application with no worries. – MAChitgarha Aug 22 '19 at 13:05
  • 1
    There is indeed a way of checking..but online checking is easily defeated/faked/bypassed for a local poisoned-package or a local tampered-apt. – user535733 Aug 22 '19 at 13:15
  • Check VBoxGuestAdditions.iso from VirtualBox - autorun.sh file. It's working in Gnome similar as Windows way. – adasiko Aug 23 '19 at 15:23
  • It's look like this while mounting VirtualBox ISO image (dialog showing by itself) https://imgur.com/a/vOaa0c1 – adasiko Aug 23 '19 at 15:35
  • 1
    There are freedektop standard for autostart https://standards.freedesktop.org/autostart-spec/latest/ar01s03.html But this is draft document. It's work in Ubuntu+GNOME (for example VBoxGuestAdditions.iso). But in other Desktop Environments it can does not work. Of course the are confirmation dialog for run software. Or do you want autorun without any confirmation? The are not solution for it (it's unsafe). Same thing for Windows where automatic autorun is disabled since Vista. – adasiko Aug 24 '19 at 01:36
  • @adasiko Yes, it works. Someone posted your comment as an answer before, but it was removed. I don't to run the autorun without confirmation. Now, the problem is the autorun file just doesn't work; it generates an error, always, as I added as an edit in my question. – MAChitgarha Aug 24 '19 at 12:10

1 Answers1

1

In short, not really. Apps are not installed the same way they are in Windows, and autorun should be disabled by default, due to the security implications of having something run automatically and do things, possibly with elevated privileges (one needs root to install system software), when connecting a device.

Also, there's no real authentication of packages if you just put them on a disc, as snap expects packages to come from the store, and be signed by the store, while dpkg expects deb files to come from trusted archives with appropriate signatures. There's no good way to do it securely, as nothing already in the system is designed for this method of distribution, and so doesn't have a way to validate what's being installed.

dobey
  • 40,982
  • Good description. I agree it totally, however, about what you said about permissions, system should alert user that a software is going to be installed, and maybe get user's password for root privileges. Notwithstanding, this does not make this way of distribution secure, as you said. – MAChitgarha Aug 22 '19 at 13:30
  • 1
    The problem is autorun doesn't have to install software as root. I could make a disk which simply copies a binary/script somewhere into your home directory, modifies some stuff, and installs a keylogger or other malware, which collects your passwords/info/data and uploads it to some remote server, too. All without root or normal software install methods. – dobey Aug 22 '19 at 14:36