Does installing the tree command line utility on Ubuntu server have security issues? It's not included by default on the server.
I suspect `tree` is not installed by default because it is in `universe` (applications have to be in `main` before they can be installed as default). A quick look through the changelog doesn't show a record of security issues, and there are no bug reports in Ubuntu, even going back as far as Dapper.
So my advice would be to just go ahead and install `tree` on your server, it's probably safer than a lot of popular server applications.

What I will be describing now is most likely a very hypothetical situation.
`/tmp` or `/var/tmp`.

Under such circumstances it is possible that tree could be tricked into running unintended instructions with the privileges of your user account. Obviously that damage would be far worse assuming tree had been called with root privileges.
Yet, this is nothing different from what you expose yourself to every time you use any application to handle data created by an external/unknown party. No matter if you are viewing a web page in your browser, listening to an mp3 file in your music player or editing a document in your word processor, you still need to trust your application to handle incoming data in a sane manner.
This is by the way why security vulnerabilities in web browsers are such a big deal, since they are constantly exposed to input from external/unknown parties. The same, even more, goes for server daemons, where a potential attacker has a constant opportunity to feed you "bad" input data. Compare this to your calculator, where you yourself are the one inputting all the data as you feed it numbers.
To summarize:

Yes, there is a theoretical security consideration in installing and running tree, just like with pretty much any other software.

That being said, the majority of applications you find in the Ubuntu repositories will be reasonably safe to install and to use. As long as we are talking about regular user applications I don't think you should worry too much.
(Save your worries for publicly reachable server daemons.)
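The first answer's claim that `tree` ships in `universe` rather than `main` can be checked on any Ubuntu box with `apt-cache policy tree`. The following script is an added example, not code from either answer: it parses `apt-cache policy` output to report which archive pocket and component (`main`, `restricted`, `universe`, `multiverse`) a package's candidate version comes from, and treats only `main`/`restricted` as Canonical-supported. The two embedded policy outputs are constructed samples with placeholder version strings, not real release data.

```shell
#!/bin/sh
# Added example: find the archive component of a package's candidate version.
# Constructed sample of `apt-cache policy tree` output (placeholder versions).
SAMPLE_UNIVERSE='tree:
  Installed: (none)
  Candidate: 0.0.0-0ubuntu0
  Version table:
     0.0.0-0ubuntu0 500
        500 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages'

# Constructed sample for a package that is installed from main.
SAMPLE_MAIN='coreutils:
  Installed: 0.0.0-0ubuntu0
  Candidate: 0.0.0-0ubuntu0
  Version table:
 *** 0.0.0-0ubuntu0 100
        500 http://archive.ubuntu.com/ubuntu noble/main amd64 Packages
        100 /var/lib/dpkg/status'

# apt_source: read `apt-cache policy` output on stdin and print
# "<suite> <component>" for the first archive line of the highest version.
# Archive lines look like "  500 http://host/ubuntu noble/universe amd64 Packages";
# the "/var/lib/dpkg/status" line has no suite/component field and is skipped.
apt_source() {
    awk '
        /^ +[0-9]+ +(https?|file|cdrom):/ {
            n = split($3, parts, "/")
            if (n == 2) { print parts[1], parts[2]; exit }
        }
    '
}

# apt_component: just the component name (main, restricted, universe, multiverse).
apt_component() {
    apt_source | awk '{ print $2 }'
}

# component_is_supported: succeed (0) when the component is one that Canonical
# provides security updates for, fail (1) for community-maintained components.
component_is_supported() {
    case "$1" in
        main|restricted) return 0 ;;
        *) return 1 ;;
    esac
}

# package_component: query the live apt cache for a package (needs apt-cache).
package_component() {
    if ! command -v apt-cache >/dev/null 2>&1; then
        echo "apt-cache not available on this system" >&2
        return 2
    fi
    apt-cache policy "$1" | apt_component
}

# Usage: ./check.sh tree   (prints the component and a support verdict)
if [ "$#" -gt 0 ]; then
    comp=$(package_component "$1") || exit 2
    if component_is_supported "$comp"; then
        echo "$1: $comp (Canonical-supported component)"
    else
        echo "$1: $comp (community-maintained component)"
    fi
fi
```

With no arguments the script only defines its functions, so it can be sourced into another script; the live `package_component` path is the only part that needs a Debian/Ubuntu host.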