"Name" key value in desk. entry spec collides with file names, could misguide users?
Robert Wittams
robert at wittams.com
Wed Mar 16 01:24:28 EET 2005
Diego Calleja wrote:
>
> Yesterday a friend got a worm; the worm itself doesn't use *any* vulnerability. It just
> uses your open messenger account to autosend itself as verysexy.pif. Your
> contacts *trust* you and so they get the .pif file, and as soon as it downloads they
> try to open it and boom - they're infected and the chain starts again. These worms
> can spread themselves regardless of the privileges, and Microsoft can't do much about
> it: sending files is legal, and they can't stop them clicking on a .pif file (I bet that
> in future releases of Messenger they'll modify the client so that it doesn't accept
> .pif/.exe/.scr/etc. files; it's the one thing they can do). If .pif files weren't always
> executables, like .desktop files currently are, this worm wouldn't have worked.
The way to solve this in general is to separate the concept of a
principal from the set of privileges that a process has. A process on
Unix or Windows currently starts out with a horrifically large set of
ambient privileges.
There are various approaches to this: capability systems like KeyKOS or
EROS are the purest. Unfortunately, this means throwing out the whole of
POSIX...
SELinux is the leading candidate for the near future: binaries
downloaded from your instant messenger, browser, or mail client would
not run with the same privileges as a program that is part of your
distribution (e.g. they would not be able to contact the instant
messenger, or even detect it running). Unfortunately it seems that
SELinux is extremely hard to manage without a whole bunch of new tools
that have yet to be designed or written. There are a bunch of other
approaches: easy-to-create throw-away accounts which drop POSIX caps
(very coarse-grained), loading attachments in a virtual machine with
access controls, etc., etc. All of these solutions require unspoofable
GUI tools to grant fine-grained access while the execution is in
progress - so you never end up giving access to your office docs or
GnuCash database without knowing it. This needs X server and
window/composite manager help.
So there are things that can be done. I hope they will be done.
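As an added illustration of the receiver-side checks this exchange points at (example code written for this page, not code from the xdg project or from either poster), the following Python script applies two rules: a messenger-style filter that refuses the always-executable extensions Diego names (.pif/.exe/.scr), and an inspection of received .desktop entries, which are launchers and whose Name key is what file managers display in place of the file name (the subject of this thread). The file names, the .desktop contents, the extension sets and the `assess`/`decide` helpers are constructed assumptions for the demonstration.

```python
"""Receiver-side checks for files arriving over a messenger or mail client.

Added example for the thread above, not code from the xdg project or either
poster. Sample file names, .desktop contents and the extension sets below are
constructed for the demonstration.
"""
import os

# Extensions the thread names as always-executable on Windows (constructed list).
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr"}
# Extensions a recipient would read as harmless documents (assumption for the demo).
DOCUMENT_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt", ".odt"}


def parse_desktop_entry(text):
    """Minimal parser for the [Desktop Entry] group of a .desktop file.

    Returns a dict of key -> value. Localised keys such as Name[de] are kept
    under their full key name; other groups and comment lines are ignored.
    """
    entry = {}
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        if group != "Desktop Entry" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entry[key.strip()] = value.strip()
    return entry


def assess(filename, content=None):
    """Return a list of warnings for one received file (empty list = nothing flagged).

    `content` is the file's text and is only consulted for .desktop entries.
    """
    warnings = []
    base = os.path.basename(filename)
    stem, ext = os.path.splitext(base)
    ext = ext.lower()

    if ext in EXECUTABLE_EXTENSIONS:
        warnings.append(f"{base}: extension {ext} is executable; opening it runs it")
        # "photo.jpg.scr": the inner extension is what the user is meant to read.
        inner_ext = os.path.splitext(stem)[1].lower()
        if inner_ext in DOCUMENT_EXTENSIONS:
            warnings.append(f"{base}: masquerades as a {inner_ext} document")
    elif ext == ".desktop":
        if content is None:
            warnings.append(f"{base}: .desktop entry received but its contents were not supplied")
        entry = parse_desktop_entry(content or "")
        if "Exec" in entry:
            warnings.append(f"{base}: launcher, opening it runs: {entry['Exec']}")
        # File managers display Name instead of the file name, so a Name that
        # looks like a document file name hides what the entry really is.
        name = entry.get("Name", "")
        name_ext = os.path.splitext(name)[1].lower()
        if name_ext in DOCUMENT_EXTENSIONS:
            warnings.append(f"{base}: displayed Name '{name}' looks like a {name_ext} document")
    return warnings


def decide(filename, content=None):
    """Policy a messenger client could apply: reject executables outright,
    warn on anything else that was flagged, accept the rest."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return "reject"
    return "warn" if assess(filename, content) else "accept"


# Constructed samples: two Windows-style transfers, a plain document and two launchers.
SAMPLES = {
    "verysexy.pif": None,
    "holiday.jpg.scr": None,
    "notes.txt": None,
    "verysexy.jpg.desktop": (
        "[Desktop Entry]\n"
        "Type=Application\n"
        "Name=verysexy.jpg\n"
        "Icon=image-jpeg\n"
        "Exec=sh -c 'echo launched'\n"
    ),
    "firefox.desktop": (
        "[Desktop Entry]\n"
        "Type=Application\n"
        "Name=Firefox Web Browser\n"
        "Exec=firefox %u\n"
    ),
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        print(f"{decide(fname, body):7} {fname}")
        for w in assess(fname, body):
            print("        " + w)
```

The legitimate firefox.desktop sample is still reported as a launcher, which is the point: a .desktop file is a program to be run, not a document, and a client can only tell the two cases apart by looking inside the file rather than at the name it displays.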