El mar, 04-11-2003 a las 13:16, Fabio Gomes de Souza escribió: > Carlos Perelló Marín wrote: > > > > > The main difference between Linux and Windows is that you must give the > > execution flag to that file so it will never be executed until you allow > > it. > > Hmm. When we untar an archive, its files may already come with the > executable flag set. True, but you should untar it before you can execute it. "The GNOME way" to open that tar (file-roller) will not let you execute it, only view the files. We should help the user, but prevent for execute files that he/she wants to execute... > > IMHO, what we should do about GNOME desktop security is make sure it > ALWAYS behaves this way. > > Some important things to mention in future development are: > > - Default (factory) file associations: Nautilus should never come with > built-in file associations to script interpreters, say: > - .pl to /usr/bin/perl > - .php to /usr/bin/php > - .sh to /bin/bash > - .py to /usr/bin/python > and so on. This list should be extended to every file association that > could lead to execution of arbitrary commands. The work of choosing an > interpreter must be left to the kernel and the shell. While this not > kills the entire problem (ie.: some apps have buffer overflows when > processing documents), it's a nice beginning. Of course, nautilus should not open an script but the applications buffer overflows are applications bugs (and they should be fixed instead of add nautilus "hacks" to workaround those bugs), we cannot prevent it without removing the nautilus application launch feature... > > If the user wants to make these associations by hand, it's his problem. > > Additionaly, some security audits could be done in applications such as > file-roller to avoid social engineering by introducing some warnings. I agree. > > Maybe GNOME needed a security team. Any toughts? > > Steven, do you want to discuss this a bit more? :-) Cheers. > > -- > Fabio Gomes de Souza <fabio gs2 com br> (+55 81 9127-0597) > > .- GS2 TECNOLOGIA DA INFORMACAO LTDA :: www.gs2.com.br > |- IT Infrastructure :: Security :: Embedded systems :: Linux > `- Olinda, Brazil - +55 81 3492-7777 - negocios gs2 com br -- Carlos Perelló Marín Debian GNU/Linux Sid (PowerPC) Linux Registered User #121232 mailto:carlos pemas net || mailto:carlos gnome org http://carlos.pemas.net Valencia - Spain
Attachment:
signature.asc
Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada digitalmente