Re: Rise of the Plugins

Rui Miguel Silva Seabra wrote:
Sex, 2007-05-18 �12:54 +0200, Martin Soto escreveu:
Hi Andrew,

On Fri, 2007-05-18 at 11:28 +0100, Andrew Sobala wrote:
Martin Soto wrote:

An additional point that nobody has mentioned so far is security. Most
(if not all) plugin implementations already available for Gnome programs
seem to allow for installing plugins in some user-owned directory. This
means that by gaining access to the user's home directory, an attacker
will be able to install code that gets run every time the user logs in:

Yes, you can do that already. It's what the session's for.

However, while /home/ can be mounted without any execution
permissions, /usr not, and thus applications started by the session
manager are supposedly blessed by the admins (distro maintainers, and
what not) while those installed in ~/ *aren't*.

It's a good point. So we can solve this by requiring plugins to have +x in order to be loaded? Seems quite elegant to me.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]