Re: Question and project

George wrote:
a bit worried about the scripting and "evil" (trojan horse) themes.  Though
the commands are run as the gdm user, [...]

It took quite a bit of time to understand what you meant by trojan horse themes. I was assuming that somebody would not use a theme they would not trust in the first place... But if the theme is static, there is no such problem :) To prevent any "bad" thing from happening, would it be possible to just change the id to a hypersage user (nobody?), chroot the executable somewhere safe (inside gdm data dir). Then we don't really need to be extra-paranoid as the trojan would be able to get to nothing but what was installed with the theme?
The only thing which is not so good there:
-> the trojan could open a hole through sockets and be controlled by an external bad guy to become part of a giant DDOS. (Imagine the title in the news: GDM-Love-DDOS)

At the end of the day, it will still be a matter of trust or not.

What is the difference between a theme and a normal program (such as gdm)? For me, none, they still must be installed and it is the sysadmin
work to verify that they are no danger to stability, etc...
Of course, I recognize that we should have a GUI to warn the sysadmin
that a particular theme has exe in it. But this should not be necessary
if we could have signed theme packages.

All those discussion led me to think about two new possible features:
- keep themes in tarballs (easier to manage!) and gdm opens the tarball itself to get its content. - Have a new part of the theme change interface that can connect directly to the themes repository ( or...) and get thumbnails of all themes available to download them and install them directly from the admin console.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]