Re: [Qgis-user] QGIS and Computer Security (Windows)
Richard Males wrote > Please note that, in some cases, the users I am trying to convince are > in government agencies that have very specific and stringent policies > about software installation. In one case, only authorized IT > personnel are permitted to install any software on employee computers. > I am not sure that these policies have come up against the world of > open-source, plug-in based architecture. Hi Richard, this is a very common situation. You have several technical options to deal with it as stated by other answers. From my knowledge, many defence or police agencies use QGIS in the world. As it is totally open and fully customizable, you can make your own install package and user profile policies to adress all those concerns As far as I remember, it was proposed that the plugin installer could be integrated with the auth manager [0] If your customer does not want to make its own package, it could be an optio to sponsor that feature. [0] https://github.com/qgis/QGIS-Enhancement-Proposals/issues/35 Regards -- Sent from: http://osgeo-org.1560.x6.nabble.com/QGIS-User-f4125267.html ___ Qgis-user mailing list Qgis-user@lists.osgeo.org List info: https://lists.osgeo.org/mailman/listinfo/qgis-user Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-user
Re: [Qgis-user] QGIS and Computer Security (Windows)
will this protect from users running plugins by unpacking a archived plugin into their profiles .qgis/python/ folder? (never tried this) Marco Am 23.02.2012 17:25, schrieb Zirneklitis: Hi, You can remove C:\OSGeo4W\apps\qgis\python\plugins\plugin_installer (or make unreadable for particular user group) Best regards, Karlis Richard Males wrote: .. I don't know if it goes totally against the philosophy of QGIS, but maybe there could be a feature to allow an admin option within QGIS to require password protection before being able to fetch plugins or activate plugins. I expect that it could be defeated, but might help to allay some concerns. Under this scenario, a QGIS administrator who could get at a QGIS security options screen where various features such as downloading plugins could be enabled/disabled for a particular user installation. .. ___ Qgis-user mailing list Qgis-user@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/qgis-user ___ Qgis-user mailing list Qgis-user@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/qgis-user
Re: [Qgis-user] QGIS and Computer Security (Windows)
My suggestion was protection against ordinary users' „initiatives”, not against hackers. ;) Karlis Marco Lechner - FOSSGIS e.V. wrote: will this protect from users running plugins by unpacking a archived plugin into their profiles .qgis/python/ folder? (never tried this) .. Am 23.02.2012 17:25, schrieb Zirneklitis: .. You can remove C:\OSGeo4W\apps\qgis\python\plugins\plugin_installer (or make unreadable for particular user group) .. ___ Qgis-user mailing list Qgis-user@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/qgis-user
Re: [Qgis-user] QGIS and Computer Security (Windows)
Thank you and to all others who have posted replies. I did not expect that this issue would call forth so many responses. There have been a number of helpful suggestions. Please note that, in some cases, the users I am trying to convince are in government agencies that have very specific and stringent policies about software installation. In one case, only authorized IT personnel are permitted to install any software on employee computers. I am not sure that these policies have come up against the world of open-source, plug-in based architecture. I don't know if it goes totally against the philosophy of QGIS, but maybe there could be a feature to allow an admin option within QGIS to require password protection before being able to fetch plugins or activate plugins. I expect that it could be defeated, but might help to allay some concerns. Under this scenario, a QGIS administrator who could get at a QGIS security options screen where various features such as downloading plugins could be enabled/disabled for a particular user installation. If anyone is interested, the project I am working on involves estimating delay on transportation networks when roads are flooded. The architecture has the road network represented in QGIS, which is then exported to a Spatialite database via a contributed plugin. From there, a C# program reads the database and does the needed shortest path and delay cost estimation calculations. Choosing this architecture has made things very modular and workable. QGIS is wonderful software, this is a terrific community. I introduced QGIS to a professor who is working on my project and uses ArcGIS, showing him the line direction decoration capability and Nathan W's lineswitch plugin, and he responded: That's interesting about QGIS, because we have had much difficulty do the same thing in ArcGIS.. Thanks again to all who have responded. Dick On Wed, Feb 22, 2012 at 5:59 PM, Martin Dobias wonder...@gmail.com wrote: On Sat, Feb 18, 2012 at 5:08 PM, Richard Males rbma...@gmail.com wrote: I would very much appreciate any thoughts on if/how QGIS currently deals with this, or references to documentation or postings on the issue. Hi Richard Contributed QGIS python plugins have similar security issues like any other extension code that can be downloaded. It is important to note that with _any_ python plugin downloaded from repository you cannot be 100% sure that no malicious code is inside. The server could have been hacked, an author's credentials could be stolen or even a previously trusted author could put on his black hat (and add some malicious code intentionally)... In case you are aiming for maximum security I would recommend to use one of following approaches: 1. host a local repository within your organization with known and safe plugins. It is really easy to set up one (a web server + repository xml file + plugin archives). A customized installation of QGIS would use this repository by default. This is a flexible approach and allows upgrading/adding plugins quickly by the admin and it is convenient for users. 2. disable python plugin installer completely in a customized installation, put there only chosen plugins. Less flexible, but more secure - no new plugins, no updates to plugins. (But still possible to add plugin installer or other plugins manually) 3. provide an installation without qgispython library - that effectively disables running python code within QGIS. Most secure, least flexible. Anyway, AFAIK qgis itself should never try to do anything where it would need admin rights. So another piece of security (for users with some admin privileges) would be to disable qgis to escalate its rights. Regards Martin ___ Qgis-user mailing list Qgis-user@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/qgis-user
Re: [Qgis-user] QGIS and Computer Security (Windows)
Hi, You can remove C:\OSGeo4W\apps\qgis\python\plugins\plugin_installer (or make unreadable for particular user group) Best regards, Karlis Richard Males wrote: .. I don't know if it goes totally against the philosophy of QGIS, but maybe there could be a feature to allow an admin option within QGIS to require password protection before being able to fetch plugins or activate plugins. I expect that it could be defeated, but might help to allay some concerns. Under this scenario, a QGIS administrator who could get at a QGIS security options screen where various features such as downloading plugins could be enabled/disabled for a particular user installation. .. ___ Qgis-user mailing list Qgis-user@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/qgis-user
Re: [Qgis-user] QGIS and Computer Security (Windows)
Hi, You can remove C:\OSGeo4W\apps\qgis\python\plugins\plugin_installer (or make unreadable for particular user group) Best regards, Karlis Richard Males wrote: .. I don't know if it goes totally against the philosophy of QGIS, but maybe there could be a feature to allow an admin option within QGIS to require password protection before being able to fetch plugins or activate plugins. I expect that it could be defeated, but might help to allay some concerns. Under this scenario, a QGIS administrator who could get at a QGIS security options screen where various features such as downloading plugins could be enabled/disabled for a particular user installation. .. ___ Qgis-user mailing list Qgis-user@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/qgis-user
Re: [Qgis-user] QGIS and Computer Security (Windows)
On Sat, Feb 18, 2012 at 5:08 PM, Richard Males rbma...@gmail.com wrote: I would very much appreciate any thoughts on if/how QGIS currently deals with this, or references to documentation or postings on the issue. Hi Richard Contributed QGIS python plugins have similar security issues like any other extension code that can be downloaded. It is important to note that with _any_ python plugin downloaded from repository you cannot be 100% sure that no malicious code is inside. The server could have been hacked, an author's credentials could be stolen or even a previously trusted author could put on his black hat (and add some malicious code intentionally)... In case you are aiming for maximum security I would recommend to use one of following approaches: 1. host a local repository within your organization with known and safe plugins. It is really easy to set up one (a web server + repository xml file + plugin archives). A customized installation of QGIS would use this repository by default. This is a flexible approach and allows upgrading/adding plugins quickly by the admin and it is convenient for users. 2. disable python plugin installer completely in a customized installation, put there only chosen plugins. Less flexible, but more secure - no new plugins, no updates to plugins. (But still possible to add plugin installer or other plugins manually) 3. provide an installation without qgispython library - that effectively disables running python code within QGIS. Most secure, least flexible. Anyway, AFAIK qgis itself should never try to do anything where it would need admin rights. So another piece of security (for users with some admin privileges) would be to disable qgis to escalate its rights. Regards Martin ___ Qgis-user mailing list Qgis-user@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/qgis-user
Re: [Qgis-user] QGIS and Computer Security (Windows)
Hey Richard, On Sun, Feb 19, 2012 at 2:08 AM, Richard Males rbma...@gmail.com wrote: I am interested in promoting the use of QGIS, but some users have expressed concern about computer security issues, particularly in respect to the use of plug-ins. The concern is that a downloaded plugin may contain malware, activate malicious code, etc. I don't know if there is any innate protection within QGIS or python against bad behavior on the part of plugins, or if this is a trust issue. While I understand their concerns I do think it is over worrying. Can QGIS be used to download and run malicious code? Yes, but so can any non closed system (living behind Apples Iron Garden Wall is the exception). Ultimately it does come down to trust but there a few levels where there is protection. - Python: Python, like any good programming language, provides no protection against malware or malicious code. It's job is not to care, and nor should it try and stop me. People can write malicious code in any language. - The QGIS plugin system has a line of defense when the user uploads a plugin to plugins.qgis.org. All plugins, when uploaded by a new user, are by default unapproved. They have to be approved by an admin (there are a hand full of us around) before it will be publicly available to all QGIS users. However we don't normally check the code as the chance of something bad happening is low and we don't have the man power to check over everything. Plugins can also be unapproved if it does turn out something was bad, once unapproved it is no longer downloadable within QGIS via the Pluign Installer. - OS level protection. Most good operating systems these days have password protection for anything that is try to do something in a area it normally shouldn't, but if QGIS is run with elevated permissions it will have access to everything. - Open source. As QGIS, all its plugins, and components are open source there is nothing stopping the users (or IT) having a look over the code to make sure that it does what it says it does. However you still need to understand what you are looking for. I have seen the it's open source, therefore it is a security risk (or is less secure) card played many times before I have always strongly disagreed. The fact that open source by design is open, everything is view-able by the outside user. Every time you download a Python plugin for QGIS you also get the source code, nothing is hidden, little trust needed. Compare this with other closed systems where it is impossible to tell what something is doing, you have to give full trust that the programmer and program no what they are doing. Example: I used to be a big user of MapInfo. MapInfo has its own programming language called MapBasic which is complied into a binary executable and run inside the MapInfo environment. I can ship a MapBasic app as a binary file without the need to give you the source code so you can see what I am doing. As MapBasic can access lower lever windows APIs I can do all sorts of damage to the users computer with no way of them checking before hand. If I can get the users to run MapInfo with admin rights (which it normally has to be in order for things to work right) I now have access to your systems32 or program files folder and can nuke them pretty easily (or mess with screen savers, install key loggers). What makes it worse it that MapBasic can call a C or C++ lib, so if I need more power I can create a C lib and just call that from MapBasic. - Nathan ___ Qgis-user mailing list Qgis-user@lists.osgeo.org http://lists.osgeo.org/mailman/listinfo/qgis-user
