touch-packages team mailing list archive

Thread
Date

[Bug 1358294] Re: App .config not removed when app uninstalled

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Jamie Strandboge <jamie@xxxxxxxxxx>
Date: Wed, 20 Aug 2014 17:40:08 -0000
Reply-to: Bug 1358294 <1358294@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

The data directories can be found here:
http://developer.ubuntu.com/publish/apps/security-policy-for-click-
packages/ (see 'Runtime Environment' at the bottom of the page). That
page does not cover scopes though-- probably best to review the apparmor
policy in /usr/share/apparmor/easyprof/{templates,policy_groups}/*/* for
writable areas.

Note, I acknowledge the bug but I think the counter argument is that
users would be surprised to see their data deleted which is why we have
the current functionality. Consider any application which contains
'precious' data that cannot be easily restored, such as pictures,
recorded audio, recorded video, documents, etc, etc. If we were to do
this properly, I think it should be configurable. One idea is to have a
check box to delete associated user data that the app created.

There are other questions too: what happens with trust-store
permissions, with online account information, and online account cached
accesses? There is probably more to consider.

Finally, deleting user data is fraught with danger. The attached patch
does drop privileges, but I think we need to be very careful that the
directory to be deleted is actually the one that the package created/is
using (ie, we need to guarantee that Environment.get_user_config_dir()
is the same as what UAL/aa-exec-click is giving to the app at runtime).
We need to be sure not to follow symlinks on the toplevel directory
being deleted and for files inside the to be deleted directory, not to
follow symlinks outside of the app's writable areas. We have application
isolation in place to protect the user and the system from malicious
applications, but the proposed click removal process is unconfined-- it
would be a shame if a malicious app author decided to delete the user's
files as part of its removal process.

In addition to defensive coding, we could in theory have a click user
data remover helper which click would run under the apparmor profile of
the app. This gets fairly complicated with click packages that ship
multiple applications and hooks.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to click in Ubuntu.
https://bugs.launchpad.net/bugs/1358294

Title:
  App .config not removed when app uninstalled

Status in “click” package in Ubuntu:
  Triaged

Bug description:
  If an app uses ~/.config/foo (say, uses Qt.labs.settings), and the
  user uninstalls the app, ~/.config/foo is not removed. It should be
  deleted when the app is uninstalled.

  Using latest utopic on the phone.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/click/+bug/1358294/+subscriptions

References

[Bug 1358294] [NEW] App .config not removed when app uninstalled
From: Michał Karnicki, 2014-08-18