Re: gnome-panel menu lockdown proposal

There is another type of gocha type of against lock down.
Some dialog allows you to specify the command that you want to run (exec)
So user can simply change that to something like gnome-terminal and
hence open up a hole in the intended lockdown.

An example in point is
One  way to lock this down is to remove the applet in point from
the Add to panel list, and that will requires special point patch
or not to install that package completely.


guenther wrote:
On Mon, 2007-01-08 at 19:18 +0100, Vincent Untz wrote:
Le lundi 08 janvier 2007, �6:07, guenther a �it :
* deskbar-applet
Just disallow use of the deskbar-applet completely, via disabled_applets.
So there is a third part involved the admin needs to take care of in
order to lock down anything...
We can make things easier with pessulus: if this lockdown setting is
enabled, then we can also automatically add deskbar-applet to

However, my main goal remains: I want to raise hacker's and admin's
awareness of this issue. There are lots of ways to escape this
limitation, which should be addressed to seriously lock down as
advertised. Admins need to understand this might not be as complete as
expected and the name promises.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]