Re: multiroot-filechooser ready for merging



On Wed, 2010-10-06 at 21:01 +0100, Bastien Nocera wrote:

> Symbolic links? To both the filesystem itself, and to directories under
> ~/.gvfs/. Are those blocked as expected?

Looks like we have different expectations ;)

Nope, we don't try to resolve symlinks to see if they point to allowed
hierarchies.  This is not hard security; it's about simple lockdown, or
about letting people implement a "pick a file in the USB stick" kind of
thing.

It would be interesting to desensitize symlinks to places outside the
roots.  I don't have enough brain cycles left today to implement this,
but patches welcome, etc.

I'm not sure it's worth the effort to resolve stuff inside .gvfs - if
you created a mount and if your $HOME is allowed, then I see no reason
to block the mount.

(If your ~ is not allowed, then *probably* your lockdown scheme is
highly weird anyway.)

(Since the file chooser now basically has all the "is this file allowed"
machinery internally, it would be interesting to hook it up to a real
security system with really enforceable policies.  I hereby declare the
can of worms opened.)

  Federico
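
The symlink check discussed in this message (resolve the link and see whether it lands in an allowed hierarchy), sketched as an added example that is not part of the original message and is not GTK+ code. The names `path_within_roots()` and `demo_verdict()` and the `usb`/`usb2` sample tree are hypothetical and constructed for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* 1 if canonical path p is root itself or below it; whole components are
 * compared, so a root "usb" does not admit the sibling "usb2". */
static int is_beneath(const char *p, const char *root)
{
    size_t n = strlen(root);
    if (strcmp(root, "/") == 0)
        return 1;
    return strncmp(p, root, n) == 0 && (p[n] == '\0' || p[n] == '/');
}

/* Hypothetical helper (not GTK+ API): 1 if path, with every symlink followed,
 * lands inside one of roots. Unresolvable paths or roots fail closed. */
int path_within_roots(const char *path, const char *const *roots, size_t n)
{
    char real[PATH_MAX], root[PATH_MAX];
    if (realpath(path, real) == NULL)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (realpath(roots[i], root) != NULL && is_beneath(real, root))
            return 1;
    return 0;
}

/* Constructed sample tree in a fresh temp dir, with "usb" as the only root:
 *   usb/file.txt, usb/inside -> file.txt, usb/escape -> ../usb2/secret.txt
 * Returns the verdict for rel (relative to that dir), or -1 on setup error. */
int demo_verdict(const char *rel)
{
    char tmp[] = "/tmp/rootsXXXXXX";
    const char *roots[] = { "usb" };
    FILE *f;
    if (mkdtemp(tmp) == NULL || chdir(tmp) != 0 ||
        mkdir("usb", 0700) != 0 || mkdir("usb2", 0700) != 0)
        return -1;
    if ((f = fopen("usb/file.txt", "w")) != NULL) fclose(f);
    if ((f = fopen("usb2/secret.txt", "w")) != NULL) fclose(f);
    if (symlink("file.txt", "usb/inside") != 0 ||
        symlink("../usb2/secret.txt", "usb/escape") != 0)
        return -1;
    return path_within_roots(rel, roots, 1);
}
```

A check like this is only a point-in-time answer: a link can be retargeted between the check and the later open, so it suits desensitizing entries in a chooser rather than enforcing policy.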


