Re: Rise of the Plugins

Sex, 2007-05-18 às 12:54 +0200, Martin Soto escreveu:
> Hi Andrew,
> On Fri, 2007-05-18 at 11:28 +0100, Andrew Sobala wrote:
> > Martin Soto wrote:
> > 
> > >An additional point that nobody has mentioned so far is security. Most
> > >(if not all) plugin implementations already available for Gnome programs
> > >seem to allow for installing plugins in some user-owned directory. This
> > >means that by gaining access to the user's home directory, an attacker
> > >will be able to install code that gets run every time the user logs in:
> > >
> > 
> > Yes, you can do that already. It's what the session's for.

However, while /home/ can be mounted without any execution
permissions, /usr not, and thus applications started by the session
manager are supposedly blessed by the admins (distro maintainers, and
what not) while those installed in ~/ *aren't*.

> > I'm not saying there aren't security implications of plugins, but being 
> > able to run code on login is much easier to do without bothering with them!
> The fact that we already have some security holes to plug doesn't mean
> we should open new ones, though.



+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?

Attachment: signature.asc
Description: Esta =?ISO-8859-1?Q?=E9?= uma parte de mensagem assinada digitalmente

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]