Re: Lockdown... Take 2



On Wed, 2003-10-15 at 14:19, Matt Keenan wrote:
> Alexander Larsson wrote:
> > On Wed, 2003-10-15 at 13:49, Alexander Larsson wrote:
> > 
> >>On Wed, 2003-10-15 at 12:13, Andrew Sobala wrote:
> >>
> >>>On Wed, 2003-10-15 at 10:35, Alexander Larsson wrote:
> >>>
> >>>>That said, even if one uses ACLs to do the actual lockdown, there is
> >>>>some use in keys like this. When in locked down mode we want to
> >>>>avoid presenting the locked down things from the ui. Having "open
> >>>>terminal" in the menu, but giving a "permission denied" dialog isn't
> >>>>very nice. However, we need to point this out so people don't think
> >>>>enabling the disable_terminal key makes their system safe.
> >>>
> >>>Are gconf keys absolutely necessary? Can't we check for exec permissions
> >>>before showing the menu item, and simply not show it if it wouldn't
> >>>work?
> >>
> >>Sometimes we can, sometimes it's not always that simple. For instance,
> >>the open terminal menu item in the nautilus desktop menu *could* look
> >>for all the different terminals it tries to start and check permissions.
> >>However, that would be a) pretty slow, and b) a pain in the ass.
> > 
> > 
> > Of course, it would be a lot cooler if it did, so maybe we should try
> > these sorts of things before going to gconf keys.
> 
> Sounds like a nightmare, trying to figure out all possible filenames that
> launch a terminal and then restrict these from the menus...

Depends on what you mean of course. For the nautilus terminal menu item
there is a list of apps that it tries to launch. Figuring out which
would be chosen for your system and if it can be executed would be
simple. 

> A list of what is allowed in the menu is a far neater approach, that way
> if someone simply:
> 	cp /usr/bin/gnome-terminal ~/my_backdoor
> They still will not be able to see my_backdoor appear in a menu item..
> 
> Then again they need CLI access to perform the "cp" in the first place :)

Not necessary, you could copy the file with nautilus, or open/save as
with gedit.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
                   alexl redhat com    alla lysator liu se 
He's a gun-slinging voodoo vagrant on a search for his missing sister. She's a 
brilliant Bolivian college professor in the witness protection program. They 
fight crime! 
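
The check discussed in this message (walk the launcher's candidate list, find which terminal would be chosen, and test whether the user may execute it), as an added example that is not part of the original mail or of nautilus. The candidate names and their order are assumptions; the thread does not give the real list.

```python
import os

# Assumed candidate order; the thread does not give nautilus's real list.
TERMINAL_CANDIDATES = ("gnome-terminal", "xterm", "rxvt")


def find_terminal(candidates=TERMINAL_CANDIDATES, path=None):
    """Return (usable, denied).

    usable: path of the first candidate this user may execute, or None.
    denied: candidates found on the path that fail the execute check,
            for example because a lockdown ACL removed the permission.
    """
    if path is None:
        path = os.environ.get("PATH", os.defpath)
    dirs = [d for d in path.split(os.pathsep) if d]
    denied = []
    for name in candidates:
        for d in dirs:
            full = os.path.join(d, name)
            if not os.path.isfile(full):
                continue
            # access(2) is evaluated by the kernel, so mode bits and POSIX
            # ACLs both count, as they will for the later exec call.
            if os.access(full, os.X_OK):
                return full, denied
            denied.append(full)
    return None, denied


def show_terminal_item(candidates=TERMINAL_CANDIDATES, path=None):
    """UI decision only: hide the item when launching would fail.

    This changes what the menu shows, not what the user may run; the
    permissions or ACLs on the binaries remain the actual lockdown.
    """
    usable, _ = find_terminal(candidates, path)
    return usable is not None


if __name__ == "__main__":
    usable, denied = find_terminal()
    print("show 'Open Terminal':", usable is not None)
    print("would launch:", usable)
    print("present but not executable:", denied)
```

The check only looks at the names in the candidate list, so a terminal binary copied to another name or location neither appears in the menu nor is blocked by this code.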



