Re: Rise of the Plugins

From: Andrew Sobala <aes gnome org>
To: Rui Miguel Silva Seabra <rms 1407 org>
Cc: Martin Soto <soto informatik uni-kl de>, desktop-devel-list gnome org
Subject: Re: Rise of the Plugins
Date: Fri, 18 May 2007 12:50:05 +0100

Rui Miguel Silva Seabra wrote:

Sex, 2007-05-18 �12:54 +0200, Martin Soto escreveu:

Hi Andrew,

On Fri, 2007-05-18 at 11:28 +0100, Andrew Sobala wrote:

Martin Soto wrote:

An additional point that nobody has mentioned so far is security. Most
(if not all) plugin implementations already available for Gnome programs
seem to allow for installing plugins in some user-owned directory. This
means that by gaining access to the user's home directory, an attacker
will be able to install code that gets run every time the user logs in:

Yes, you can do that already. It's what the session's for.


However, while /home/ can be mounted without any execution
permissions, /usr not, and thus applications started by the session
manager are supposedly blessed by the admins (distro maintainers, and
what not) while those installed in ~/ *aren't*.

It's a good point. So we can solve this by requiring plugins to have +xin order to be loaded? Seems quite elegant to me.


--
Andrew

Follow-Ups:
- Re: Rise of the Plugins
  - From: Rui Miguel Silva Seabra

References:
- Rise of the Plugins
  - From: Vincent Untz
- Re: Rise of the Plugins
  - From: Martin Soto
- Re: Rise of the Plugins
  - From: Andrew Sobala
- Re: Rise of the Plugins
  - From: Martin Soto
- Re: Rise of the Plugins
  - From: Rui Miguel Silva Seabra

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]