Scary Appimage Permissions


#1

Scary Appimage Behaviour

I just downloaded the latest version of etcher.io (now balenaEtcher), which is great for blasting SD cards with ubuntuMate for Rpi. This normally comes as an .appimage file and needs to be made executable before launching.

Lo and behold, the file was showing up in an ls -la listing as already executable:
-rwxr-xr-x 1 user user 112833959 Apr 8 19:18 balenaEtcher-1.5.24-x64.AppImage
As far as I'm aware, I haven't done anything with groups or the parent dir to allow this to happen.
I haven't heard of AppImages being made executable by default on Ubuntu-based distros, and it seems highly unlikely in any case.

Has anyone seen this before?
Should I freak out?
Doesn't seem right to download and execute direct from internet.

(I have not used the application; I have an older version which I trust.)


#2

I'm guessing this is because it had the execute flag before being added to the .zip archive in which it comes. Notice the Defl:X section of the archive listing in the method column:

[email protected]:~/Downloads$ unzip -vl balena-etcher-electron-1.5.24-linux-x64.zip
Archive:  balena-etcher-electron-1.5.24-linux-x64.zip
 Length   Method    Size  Cmpr    Date    Time   CRC-32   Name
--------  ------  ------- ---- ---------- ----- --------  ----
112833959  Defl:X 112457448   0% 2019-04-08 11:18 f270e219  balenaEtcher-1.5.24-x64.AppImage
--------          -------  ---                            -------
112833959         112457448   0%

Edit: hmm, it's not quite that simple to obtain that X flag in the Method column actually; I'm trying a few other things.


#3

Awesome, thanks ouromov. That'll teach me for not digging deeper.


#4

Yo, so I was actually wrong about that Defl:X thing, though.
I'm right that the zip archive stores the execute flag when you create it, but that method column probably has more to do with compression.

Edit: looks like the zipinfo command is the one you want to check archives for stuff like that before extracting them.
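Posts #2 and #4 make the same point from two angles: a zip archive created on a Unix system carries each entry's mode bits, so the execute flag seen after unzipping came from the archive, and zipinfo shows that mode column before you extract. The script below is an added example (not code from the thread or from the balenaEtcher project) that does the same audit in Python by reading the external_attr field that zipinfo decodes. It builds a small constructed archive in memory with one 0755 entry and one 0644 entry, so it runs offline; pass a real .zip path on the command line to audit that instead.

```python
import io
import stat
import sys
import zipfile
from typing import List, Optional, Tuple

# PKZIP "version made by" host value for Unix. Only for this creator does the
# high 16 bits of external_attr hold a Unix st_mode; for other creators (e.g.
# MS-DOS/Windows = 0) the field holds DOS attributes and unzip sets no exec bit.
UNIX_CREATOR = 3


def build_sample_archive() -> bytes:
    """Constructed sample archive: a 0755 'AppImage' (like the one in the
    thread) next to a plain 0644 text file. Contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, mode in (("tool.AppImage", 0o755), ("README.txt", 0o644)):
            info = zipfile.ZipInfo(name, date_time=(2019, 4, 8, 11, 18, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = UNIX_CREATOR
            # Regular file type plus the permission bits, stored where
            # Info-ZIP's zip/unzip keep them.
            info.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(info, b"placeholder contents")
    return buf.getvalue()


def unix_mode(info: zipfile.ZipInfo) -> Optional[int]:
    """Return the st_mode stored for an entry, or None when the entry was not
    created on a Unix host (so there is no meaningful mode to read)."""
    if info.create_system != UNIX_CREATOR:
        return None
    return info.external_attr >> 16


def audit(zip_bytes: bytes) -> List[Tuple[str, str, bool]]:
    """One row per entry: (name, ls-style mode string, has any execute bit).
    This mirrors the mode column that `zipinfo` prints before extraction."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = unix_mode(info)
            if mode is None:
                rows.append((info.filename, "?" * 10, False))
            else:
                rows.append((info.filename, stat.filemode(mode), bool(mode & 0o111)))
    return rows


def executable_entries(zip_bytes: bytes) -> List[str]:
    """Names of entries that would come out executable under Info-ZIP unzip."""
    return [name for name, _, is_exec in audit(zip_bytes) if is_exec]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_archive()
    for name, mode_str, is_exec in audit(data):
        print(f"{mode_str}  {'EXEC' if is_exec else '    '}  {name}")
```

Two caveats worth knowing when you use this as a pre-extraction check: the mode is only meaningful when the entry's creator host is Unix (the script prints `??????????` otherwise), and Python's own zipfile.extractall() does not apply these mode bits at all, whereas Info-ZIP unzip does, which is exactly why the AppImage in the thread arrived already executable.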


#5

I've poked my nose into the balenaEtcher forum. I'll post any relevant info here.


#6

The balenaEtcher guys said they are distributing via zip file to allow them to ship executable code.