Bug 36019 - Security: Add some way to dynamically enable/disable extension installation.
Status: VERIFIED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: UI
Version: unspecified (earliest affected)
Hardware: All All
Importance: medium enhancement
Assignee: Muhammet Kara
URL:
Whiteboard: target:5.4.0 target:5.5.0 target:5.4.0.1
Keywords:
Depends on:
Blocks: Extension-Manager
Reported: 2011-04-06 00:49 UTC by Manuel Reimer
Modified: 2017-06-09 08:25 UTC
Description Manuel Reimer 2011-04-06 00:49:29 UTC
It should be possible to disable the whole extension installation feature (Extension manager, File->Open of oxt file, Doubleclick in file manager).

Firefox has a preference for this, which is not accessible from the GUI (only about:config). It would be nice to have something like this for LibreOffice, too, so I may disable extension installation most of the time, only enable it for a short time to, for example, install a new dictionary, and then disable it again.
Comment 6 sasha.libreoffice 2012-08-31 08:10:25 UTC
it is RFE
Comment 7 Jorendc 2013-01-29 21:37:33 UTC
Thanks for reporting!

I think this is a pretty good enhancement request :-). I see this is initially reported in 2011 ... we do feel sorry about that. But we're trying to reduce our outstanding 'unconfirmed' list as best as possible.

Kind regards,
Joren
Comment 8 Muhammet Kara 2016-12-07 12:42:12 UTC
Do we have something like Mozilla's "about:config" which is not accessible through regular GUI? (A central config file directly accessible within cpp?)

And I am not against it but IMHO, this doesn't seem to be a security feature to me. It just makes the option harder to access.
Comment 9 Samuel Mehrbrodt (CIB) 2016-12-08 09:01:31 UTC
(In reply to Muhammet Kara from comment #8)
> Do we have something like Mozilla's "about:config" which is not accessible
> through regular GUI? (A central config file directly accessible within cpp?)

We have the expert config in Settings->Advanced. That should be used for something like this. See https://cgit.freedesktop.org/libreoffice/core/commit/?id=1a032dcfebc2702f0612c470d6b9c3e3cf4fb637 for how to add such an option.

I'm not sure how exactly this should be implemented. Maybe we can just disable the buttons (Add, Remove, Enable, Disable) in the extension manager dialog if this setting is set. 
And display a message like "Extension management has been disabled. Please contact your administrator for more information." or something like that.

Of course users would still be able to install via the command line using unopkg. I'd limit the scope here only to the GUI.
Comment 10 Muhammet Kara 2016-12-08 13:59:58 UTC
(In reply to Samuel Mehrbrodt (CIB) from comment #9)
> (In reply to Muhammet Kara from comment #8)
> > Do we have something like Mozilla's "about:config" which is not accessible
> > through regular GUI? (A central config file directly accessible within cpp?)
> 
> We have the expert config in Settings->Advanced. That should be used for
> something like this. See
> https://cgit.freedesktop.org/libreoffice/core/commit/
> ?id=1a032dcfebc2702f0612c470d6b9c3e3cf4fb637 for how to add such an option.

Sweet. I guess we can add an option like AllowExtensionInstallation under .Office.Security, or AllowInstallation under .Office.ExtensionManager

> 
> I'm not sure how exactly this should be implemented. Maybe we can just
> disable the buttons (Add, Remove, Enable, Disable) in the extension manager
> dialog if this setting is set. 
> And display a message like "Extension management has been disabled. Please
> contact your administrator for more information." or something like that.
> 
> Of course users would still be able to install via the command line using
> unopkg. I'd limit the scope here only to the GUI.

I agree with you on keeping the scope only to the GUI. If we disable the buttons, we can add a notice somewhere on the extension manager. Or we leave the buttons clickable, and show a message whenever the user clicks on them.
Comment 11 Yousuf Philips (jay) 2016-12-12 18:18:11 UTC
(In reply to Muhammet Kara from comment #10)
> I agree with you on keeping the scope only to the GUI. If we disable the
> buttons, we can add a notice somewhere on the extension manager. Or we leave
> the buttons clickable, and show a message whenever the user clicks on them.

Disable the buttons and add a text label notice above the buttons in red (which of course is hidden when extension installation is enabled) stating that the feature has been disabled in expert configuration.

@Dave: Any thoughts?
Comment 12 Heiko Tietze 2016-12-13 09:49:51 UTC
First we should verify the use case. I guess we talk about an enterprise scenario where employees must not install unsafe extensions or unbranded templates. In this case I would expect that the extension manager links to a local repository instead of the official with full control from the admins. For downloaded extensions when it lacks on a certain value, e.g. description.xml: RequiredOrigin=Foobar.org, the installation is _temporarily_ not possible. Otherwise, when the installation is permanently disallowed, access to the dialog should be disabled (hide the menu item) and unopkg should fail with a clear message.

What I wouldn't do is to explain the UI with static text. Either it's clear from the workflow why a control is disabled or the tooltip gives further hints. The red text is a very strong error message pointing to a dangerous situation like data loss.
Comment 13 Muhammet Kara 2017-03-06 06:47:09 UTC
(In reply to Heiko Tietze from comment #12)
> First we should verify the use case. I guess we talk about an enterprise
> scenario where employees must not install unsafe extensions or unbranded
> templates. In this case I would expect that the extension manager links to a
> local repository instead of the official with full control from the admins.
> For downloaded extensions when it lacks on a certain value, e.g.
> description.xml: RequiredOrigin=Foobar.org, the installation is
> _temporarily_ not possible. Otherwise, when the installation is permanently
> disallowed, access to the dialog should be disabled (hide the menu item) and
> unopkg should fail with a clear message.
> 
> What I wouldn't do is to explain the UI with static text. Either it's clear
> from the workflow why a control is disabled or the tooltip gives further
> hints. The red text is a very strong error message pointing to a dangerous
> situation like data loss.

I have been looking around and consulting others; it looks like disabling the menu item would be very complicated (if possible).

From the original description, it seems that this is not necessarily an enterprise scenario. Regular users may also want to prevent "easy" (or accidental) installation of new extensions.

And here is my proposal:
- Disable the "add" button on the extension manager when a certain boolean value is set in the expert configuration, and give info via a tooltip message.
- Also disable installation by double clicking an extension in the file manager, and give a clear message about why it cannot be installed.

This way, the installation is temporarily disabled, user is informed about the situation, and the user also is able to monitor the current status of the installed extensions.

Furthermore, we can do the same for other buttons/functionalities (removing extensions, altering extensions (via 'options') etc.)

What do you think?
Comment 14 Heiko Tietze 2017-04-02 10:43:44 UTC
(In reply to Muhammet Kara from comment #13)
> And here is my proposal:
> - Disable the "add" button on the extension manager when a certain boolean
> value is set in the expert configuration, and give info via a tooltip
> message.
> - Also disable installation by double clicking an extension in the file
> manager, and give a clear message about why it cannot be installed.
> 
> This way, the installation is temporarily disabled, user is informed about
> the situation, and the user also is able to monitor the current status of
> the installed extensions.
> 
> Furthermore, we can do the same for other buttons/functionalities (removing
> extensions, altering extensions (via 'options') etc.)
> 
> What do you think?

Sounds good. But don't forget the unopkg command-line option to add, validate, remove, reinstall, and list extensions.
Comment 15 Yousuf Philips (jay) 2017-04-03 12:00:52 UTC
(In reply to Muhammet Kara from comment #13)
> What do you think?

+1
Comment 16 Muhammet Kara 2017-05-22 07:24:38 UTC
(In reply to Heiko Tietze from comment #14)
> (In reply to Muhammet Kara from comment #13)
> > And here is my proposal:
> > - Disable the "add" button on the extension manager when a certain boolean
> > value is set in the expert configuration, and give info via a tooltip
> > message.
> > - Also disable installation by double clicking an extension in the file
> > manager, and give a clear message about why it cannot be installed.
> > 
> > This way, the installation is temporarily disabled, user is informed about
> > the situation, and the user also is able to monitor the current status of
> > the installed extensions.
> > 
> > Furthermore, we can do the same for other buttons/functionalities (removing
> > extensions, altering extensions (via 'options') etc.)
> > 
> > What do you think?
> 
> Sounds good. But don't forget the unopkg command-line option to add,
> validate, remove, reinstall, and list extensions.

As this feature is for use of advanced users (or admins), disabling the unopkg commands seems unnecessary since it can be enabled/disabled via the expert configurations. Moreover, advanced users (or admins) might want to be able to add/remove extensions while preventing the regular users from installing/removing extensions.
Comment 17 Commit Notification 2017-05-24 14:10:59 UTC
Muhammet Kara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=99b7c4f57d7fe3cac772cce38e2dd6879e128315

tdf#36019: Dynamically enable/disable extension installation via GUI

It will be available in 5.4.0.

The patch should be included in the daily builds available at
http://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
http://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 18 Commit Notification 2017-05-26 08:47:27 UTC
Muhammet Kara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=f09be32d0fcb176527b41cedc37814d5ed7ccad5

tdf#36019: Dynamically enable/disable extension removal via GUI

It will be available in 5.5.0.

Comment 19 Muhammet Kara 2017-05-26 11:56:27 UTC
It is now possible to enable/disable extension installation and removal via GUI by using the corresponding properties of the reference "ExtensionSecurity" in the expert configurations.
Comment 20 Heiko Tietze 2017-05-26 12:13:36 UTC
(In reply to Muhammet Kara from comment #19)
> It is now possible to enable/disable extension installation and removal via
> GUI by using the corresponding properties of the reference
> "ExtensionSecurity" in the expert configurations.

Cannot confirm the removal. Self compiled after pull. Add is disabled ("unopkg add <file>" still works), the tooltip says why, but Remove is still enabled and possible.

Version: 5.5.0.0.alpha0+
Build ID: e558edc24f593d9ef2905adb8ab7677c1dab1fac
CPU threads: 8; OS: Linux 4.10; UI render: default; VCL: kde4; 
Locale: en-US (en_US.UTF-8); Calc: group

Adding also Olivier for documentation.
Comment 21 Muhammet Kara 2017-05-26 12:28:44 UTC
(In reply to Heiko Tietze from comment #20)
> (In reply to Muhammet Kara from comment #19)
> > It is now possible to enable/disable extension installation and removal via
> > GUI by using the corresponding properties of the reference
> > "ExtensionSecurity" in the expert configurations.
> 
> Cannot confirm the removal. Self compiled after pull. Add is disabled
> ("unopkg add <file>" still works), the tooltip says why, but Remove is
> still enabled and possible.
> 
> Version: 5.5.0.0.alpha0+
> Build ID: e558edc24f593d9ef2905adb8ab7677c1dab1fac
> CPU threads: 8; OS: Linux 4.10; UI render: default; VCL: kde4; 
> Locale: en-US (en_US.UTF-8); Calc: group
> 
> Adding also Olivier for documentation.

I have tested again and "removal" seems okay (disabled/enabled properly) after application restart (just like installation). Could you please test again?

Version: 5.5.0.0.alpha0+
Build ID: 0f2981329c6b2cf409a506ad10f1485a8fc7d686
CPU threads: 8; OS: Linux 4.9; UI render: default; VCL: gtk3; 
Locale: en-US (en_US.UTF-8); Calc: group
Comment 22 Heiko Tietze 2017-05-28 10:40:32 UTC
(In reply to Muhammet Kara from comment #21)
> I have tested again and "removal" seems okay (disabled/enabled properly)
> after application restart (just like installation). Could you please test
> again?

Fresh pull, new compilation, same result. The button is enabled while the tooltip says removal wouldn't be possible and I should contact the admin. And when I click the button the extension is removed.

Version: 5.5.0.0.alpha0+
Build ID: 2a3e763e99207b1354ed349bcbbf439721f08c14
CPU threads: 8; OS: Linux 4.11; UI render: default; VCL: kde4; 
Locale: en-US (en_US.UTF-8); Calc: group
Comment 23 Heiko Tietze 2017-05-29 14:11:17 UTC
Tested again and successfully this time. Add/remove have different entries in the advanced options, both should be set to true in order to prevent changes to extensions. The user can still disable/enable the installed extension, which might be appreciated by some users. The buttons are disabled with specific tooltips; unopkg works independently of the setting.

Version: 5.5.0.0.alpha0+
Build ID: 0bebf37bac076a56801ef7d1c113f729b12b9f46
CPU threads: 2; OS: Linux 4.11; UI render: default; VCL: gtk2; 
Locale: de-DE (en_US.UTF-8); Calc: group
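
A profile audit for the state verified in comment 23, as an added example that is not part of the original thread or of LibreOffice's code: it reads a `registrymodifications.xcu` and reports which of the two GUI locks is missing. The registry path, the property names `DisableExtensionInstallation` and `DisableExtensionRemoval`, and the rule that an absent property means "not locked" are assumptions (the thread only names the "ExtensionSecurity" group); the sample file is constructed.

```python
import xml.etree.ElementTree as ET

OOR = "http://openoffice.org/2001/registry"
# Assumed location and property names of the "ExtensionSecurity" settings;
# the thread names the group but not its properties.
PATH = "/org.openoffice.Office.ExtensionManager/ExtensionSecurity"
PROPS = ("DisableExtensionInstallation", "DisableExtensionRemoval")

# Constructed sample of a user profile's registrymodifications.xcu in which
# only the installation lock has been set.
SAMPLE_XCU = """<?xml version="1.0" encoding="UTF-8"?>
<oor:items xmlns:oor="http://openoffice.org/2001/registry">
<item oor:path="/org.openoffice.Office.ExtensionManager/ExtensionSecurity">
<prop oor:name="DisableExtensionInstallation" oor:op="fuse"><value>true</value></prop>
</item>
<item oor:path="/org.openoffice.Office.Common/Misc">
<prop oor:name="ExperimentalMode" oor:op="fuse"><value>false</value></prop>
</item>
</oor:items>"""


def read_extension_security(xcu_text):
    """Return {property: bool}; a property absent from the file counts as False."""
    state = dict.fromkeys(PROPS, False)
    root = ET.fromstring(xcu_text)
    for item in root.iter("item"):
        if item.get(f"{{{OOR}}}path") != PATH:
            continue
        for prop in item.iter("prop"):
            name = prop.get(f"{{{OOR}}}name")
            value = prop.findtext("value", default="").strip().lower()
            if name in state:
                state[name] = value == "true"
    return state


def audit(xcu_text):
    """List what the profile still permits, one finding per line."""
    state = read_extension_security(xcu_text)
    findings = [f"{p} is not set: GUI action still allowed"
                for p in PROPS if not state[p]]
    # Per the thread, unopkg works independently of these settings.
    findings.append("unopkg add/remove is not restricted by these settings")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_XCU):
        print(line)
```

Both properties are per-profile GUI settings, so a clean result here still leaves `unopkg` available, as comments 20 and 23 report.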
Comment 24 Commit Notification 2017-05-31 15:17:58 UTC
Muhammet Kara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=99841f1fd2bf22bca7dcc7e05fc1f91d612d5343

tdf#36019: Fix tooltip

It will be available in 5.5.0.

Comment 25 Commit Notification 2017-06-06 08:38:36 UTC
Muhammet Kara committed a patch related to this issue.
It has been pushed to "master":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=18cf49580846c176f2c93d0072ee9de96b129a26

tdf#36019: Disable context menu entry for extension removal properly

It will be available in 5.5.0.

Comment 26 Commit Notification 2017-06-09 08:25:27 UTC
Muhammet Kara committed a patch related to this issue.
It has been pushed to "libreoffice-5-4":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=5cae6a08a13ab0842826989eb5b840746be494a2&h=libreoffice-5-4

tdf#36019: Enable/disable extension installation and removal via GUI

It will be available in 5.4.0.1.
