On Fri, 2007-05-18 at 12:54 +0200, Martin Soto wrote:
> Hi Andrew,
>
> On Fri, 2007-05-18 at 11:28 +0100, Andrew Sobala wrote:
> > Martin Soto wrote:
> >
> > >An additional point that nobody has mentioned so far is security. Most
> > >(if not all) plugin implementations already available for Gnome programs
> > >seem to allow for installing plugins in some user-owned directory. This
> > >means that by gaining access to the user's home directory, an attacker
> > >will be able to install code that gets run every time the user logs in:
> > >
> >
> > Yes, you can do that already. It's what the session's for.

However, while /home/ can be mounted without any execution permissions,
/usr not, and thus applications started by the session manager are
supposedly blessed by the admins (distro maintainers, and what not)
while those installed in ~/ *aren't*.

> > I'm not saying there aren't security implications of plugins, but being
> > able to run code on login is much easier to do without bothering with them!
>
> The fact that we already have some security holes to plug doesn't mean
> we should open new ones, though.

Indeed.

Rui

--
+ No matter how much you do, you never do enough -- unknown
+ Whatever you do will be insignificant,
| but it is very important that you do it -- Gandhi
+ So let's do it...?