RFC: Autostart spec, first draft
seventh guardian
seventhguardian_ at hotmail.com
Sat Jul 9 15:53:28 EEST 2005
>From: Perry Lorier <perry at coders.net>
>CC: xdg at lists.freedesktop.org
>Subject: Re: RFC: Autostart spec, first draft
>Date: Sat, 09 Jul 2005 15:33:01 +1200
>
> > Again, I ask; give us clear, obvious situations where this requirement
> > would stop an attack.
>
>I'm using a computer in a computer lab. I go to fetch a printout of my
>finished assignment, and lock my screen and leave for 5 minutes.
>Another student wants a copy of my assignment so they can cheat. They
>wander up to my locked PC and plug in their usb memory stick that
>contains an autorun that emails them my assignment.
>
>A) It shouldn't automatically run as me (because it's not my usb memory
>stick plugged in)
>B) It shouldn't run as me because the screensaver is locked which means
>I have implicitly said that any I/O from that session should be ignored
>until my password is entered.
>C) It shouldn't run off the FAT filesystem because the administrator has
>deliberately set filesystems that don't contain +x permission flags to
>not mount with files +x.
>D) It shouldn't run even if the filesystem does support execute
>permissions because the filesystem is mounted nosuid,noexec.
>
>I come back to my computer, there is no longer any usb devices plugged
>in, my computer is still locked and logged in as me, what evidence do I
>have that my assignment has been stolen?
>
Don't see how the -x thingy helps in this case.. Please find another one.
>_______________________________________________
>xdg mailing list
>xdg at lists.freedesktop.org
>http://lists.freedesktop.org/mailman/listinfo/xdg
_________________________________________________________________
MSN Busca: fácil, rápido, direto ao ponto. http://search.msn.com.br
More information about the xdg
mailing list