Re: Lockdown... Take 2
- From: Havoc Pennington <hp redhat com>
- To: Alexander Larsson <alexl redhat com>
- Cc: Matt Keenan <Matt Keenan sun com>, "desktop-devel-list gnome org" <desktop-devel-list gnome org>
- Subject: Re: Lockdown... Take 2
- Date: Tue, 14 Oct 2003 12:57:22 -0400
Hi,
Comment on one tiny piece - the means of prohibiting access to certain
binaries seems pretty messy, but I'm not sure how to clean up.
- we have both executables and .desktop files without 1-to-1 mapping
- should some executables/desktop files be special-cased as in
"disable terminal"?
- do we disable .desktop files based on whether the executable they
launch is disabled? Is this based on a string compare or filesystem
search?
- there are lots of apps that won't honor the executable restrictions
- what code validates whether an executable is allowed and when?
- to validate an Exec line or command line do we have to do complicated
shell code analysis?
- how are we going to integrate all this into Mozilla, OpenOffice,
etc.?
It feels to me like:
- the restrictions on a given executable should be provided by
and enforced by the OS in some way
- the desktop should have some call executable_allowed() that can
be used to check with the OS about whether an executable can be used,
and we should automatically hide/show UI based on this when possible
- if we had that, what keys would we still want? disable_command_line
probably to whack all manual access to executables.
Also menu editing and thus .desktop file removal probably.
I don't know, I just see there could be piles of complexity and an
endless job trying to make all apps honor a list of allowed executables,
and it's not secure anyway. The right place for this architecturally
really seems like the exec() syscall.
To me any lockdown setting that won't be reasonably easy for app authors
to implement properly is kind of scary.
Havoc
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
