Re: [Evolution] Evolution Signature Scripts Backdoor



On Sun, 2005-11-27 at 07:12, guenther wrote:
> On Thu, 2005-11-24 at 13:18 +0800, Murray Trainer wrote:
> > On Wed, 2005-11-23 at 23:08, guenther wrote:
> > > > I have been looking at trying to prevent command-line access to our
> > > > users and found the link below that applies to Gnome:
> > > >
> > > > http://www.gnome.org/learn/admin-guide/latest/ch10s03.html
> > > >
> > > > Evolution has the ability to run any script as a signature file which
> > > > gets around the lock-down features above.  Is there any way of turning
> > > > off Evolution's ability to run a script?  If not it seems like a needed
> > > > security feature.
> > >
> > > Ho hum. I don't know of any way to prevent this, sorry.
> > >
> > > Indeed it seems, the feature to run signature scripts should listen to
> > > this key. Please file a bug report in bugzilla.gnome.org and don't
> > > hesitate to set some higher priority and security related keywords.
> > >
> > > On a side note: I never had a look at the lockdown mechanisms in GNOME,
> > > but I wonder if this actually is used all over the place. As an example,
> > > 'gnome-default-applications-properties' does not allow the user to
> > > choose a custom application, does it?
> > >
> > > Or even worse, does the feature to enable double click on executables in
> > > Nautilus listen to this lockdown setting?
> > >
> > > This whole topic in general really seems to be appropriate for general
> > > GNOME related mailing lists, as there are other ways, which are not
> > > mentioned in that link...
> > >
> > > Mailing lists on gnome.org:
> > >   http://mail.gnome.org/mailman/listinfo/
> > >
> > > General GNOME mailing list:
> > >   http://mail.gnome.org/mailman/listinfo/gnome-list
> >
> > Thanks for the quick response.  I will submit the bug when I get a
> > chance - do you have a link I can go to to do that?
>
> Hope you're asking for this one. Otherwise I don't get the question.
>
>   http://bugzilla.gnome.org/
>
> > My immediate issue
> > is a fix for the signature script backdoor but perhaps the bug should be
> > phrased something like "Lack of Compliance to Gnome lockdown
> > architecture".  Perhaps that will encourage my particular issue to be
> > fixed in a Gnome compliant manner and maybe other potential security
> > issues - i.e. maybe kill several birds with one stone.
> >
> > I only found out about the Gnome lockdown stuff last night so I know
> > about as much as you about it.  It looks pretty new as I hadn't come
> > across it before, so I doubt that the majority of Gnome apps are
> > compliant.  Evolution is the main one I am interested in at the moment.
>
> Well, I guess there are easier ways for the average user to discover
> than this... :/
>
> ...guenther

Hi Guenther,

I have logged the issue in bugzilla as shown below: 

Bug 322553: Evolution can run scripts to create signatures - this
feature can't be disabled.

Regards

Murray



