Re: Question and project
- From: Guillaume Proux <gproux acesoliton com>
- To: George <jirka 5z com>
- Cc: gdm sunsite dk
- Subject: Re: Question and project
- Date: Tue, 11 Feb 2003 22:58:31 +0900
a bit worried about the scripting and "evil" (trojan horse) themes. Though
the commands are run as the gdm user, [...]
It took quite a bit of time to understand what you meant by trojan horse
themes. I was assuming that somebody would not use a theme they would
not trust in the first place... But if the theme is static, there is no
such problem :)
To prevent any "bad" thing from happening, would it be possible to just
change the id to a hypersage user (nobody?), chroot the executable
somewhere safe (inside gdm data dir). Then we don't really need to be
extra-paranoid as the trojan would be able to get to nothing but what
was installed with the theme?
The only thing which is not so good there:
-> the trojan could open a hole through sockets and be controlled by an
external bad guy to become part of a giant DDOS. (Imagine the title in
the news: GDM-Love-DDOS)
At the end of the day, it will still be a matter of trust or not.
What is the difference between a theme and a normal program (such as
gdm)? For me, none, they still must be installed and it is the sysadmin
work to verify that they are no danger to stability, etc...
Of course, I recognize that we should have a GUI to warn the sysadmin
that a particular theme has exe in it. But this should not be necessary
if we could have signed theme packages.
All those discussion led me to think about two new possible features:
- keep themes in tarballs (easier to manage!) and gdm opens the tarball
itself to get its content.
- Have a new part of the theme change interface that can connect
directly to the themes repository (www.art-gnome.org or...) and get
thumbnails of all themes available to download them and install them
directly from the admin console.
] [Thread Prev