Autostart and MAC security

Mike Hearn mike at plan99.net
Tue Feb 28 17:54:09 EET 2006


On Tue, 2006-02-28 at 15:11 +0100, Francois Gouget wrote:
> It seems like there is no need to even mandate going through a specific 
> application. Couldn't this system intercept 
> "open(~/.config/autostart/foo.desktop, O_WRONLY)", invoke an application 
> that would ask for the user permission just like firewalls do on 
> Windows, and then only let the open proceed if the user gave the green 
> light?

Not with the current infrastructure. The permissions check happens at the
kernel level, so there's no easy way to display a GUI from that point in
the code. There are also a bunch of icky issues to do with suspending an
application when it's not expecting it (so it won't redraw correctly
etc).

It's better to have an explicit interface IMHO, and it may as well be a
simple shell program. That way desktops can provide their own
implementation of register-autostart which pops up a GUI that is
customised for the task of autostart programs (for instance it can give
the user information on how to remove it again in future). And it can be
launched asynchronously by the app.

> Such a scheme looks like it is needed anyway to deal with all the 
> other issues that were mentioned previously.

Yeah, in future, it might be necessary. But it has to be done very
carefully. Programs like ZoneAlarm are a good example of how quickly
warning fatigue takes hold when the computer constantly prompts the user
to authorise 'obvious' things (and ZA isn't even effective).

There are still a lot of unanswered questions about how such a desktop
might operate. But people /are/ working on this, and:

* Requiring register-autostart is a simple change to the spec
* If the research doesn't pan out, it's no real loss
* If it does, it's a step forward towards a more secure and less
  obnoxious desktop for everyone

So I think it's worth doing. Especially as it's starting to look like
user inconvenience/interaction can be kept to a minimum.

> Keeping a separate list of items you added to autostart is the best way 
> for your list to get out of sync or even lost altogether, after which 
> you are unable to recover. The only robust solution is to tag the 
> entries themselves but this requires being able to look at them.

OK then, I guess read access is no problem. So register-autostart would
actually only be needed to [un]register and not to read the list itself.

Does anybody else here have some thoughts?

thanks -mike
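A sketch of what the register-autostart program discussed in this message could look like, added here as an example; it is not code from the thread, from any desktop, or from the XDG autostart spec. The sub-command names, the AUTOSTART_ASSUME_YES variable and the X-Autostart-Registered-By key are assumptions made for the example; ask_user is the hook a desktop would replace with its own dialog.

```sh
#!/bin/sh
# register-autostart: sketch of the explicit [un]register interface. Added
# example, not code from the thread or the XDG spec. Sub-command names,
# AUTOSTART_ASSUME_YES and the X-Autostart-Registered-By key are assumptions.
set -u

autostart_dir() {
    printf '%s/autostart\n' "${XDG_CONFIG_HOME:-$HOME/.config}"
}

# The user-facing decision point. A desktop would show a dialog here (and can
# explain how to remove the entry again). AUTOSTART_ASSUME_YES=1 (assumed)
# skips the prompt so scripted installs and tests can drive the tool.
ask_user() {
    [ "${AUTOSTART_ASSUME_YES:-0}" = 1 ] && return 0
    printf '%s [y/N] ' "$1" >&2
    read -r answer
    case "$answer" in y|Y|yes|YES) return 0 ;; *) return 1 ;; esac
}

# Accept only a plain "name.desktop" made of safe characters, so a caller
# cannot steer the copy to another directory or smuggle odd bytes into it.
safe_name() {
    case "$1" in *.desktop) ;; *) return 1 ;; esac
    case "$1" in */*|.*|*[!A-Za-z0-9._-]*) return 1 ;; esac
}

# Minimal check that this is a desktop entry with something to run.
is_desktop_entry() {
    grep -q '^\[Desktop Entry\]' "$1" && grep -q '^Exec=' "$1"
}

# register_autostart <app-id> <path/to/name.desktop>
# Installs the entry, tagged inside the file with the registering app, so it
# can be found and removed later without a separate (and losable) side list.
register_autostart() {
    app=$1; src=$2
    case "$app" in ""|*[!A-Za-z0-9._-]*) echo "bad app id" >&2; return 1 ;; esac
    name=$(basename "$src"); dir=$(autostart_dir); dest="$dir/$name"
    safe_name "$name" || { echo "refusing entry name '$name'" >&2; return 1; }
    is_desktop_entry "$src" || { echo "'$src' is not a desktop entry" >&2; return 1; }
    if [ -e "$dest" ]; then
        echo "$dest exists; unregister it first" >&2
        return 1
    fi
    exec_line=$(grep '^Exec=' "$src" | head -n 1)
    ask_user "Allow '$app' to run at login? ($exec_line)" || return 2
    [ -d "$dir" ] || { mkdir -p "$dir" && chmod 700 "$dir"; }
    # Drop any tag the caller wrote and add ours right under [Desktop Entry].
    awk -v tag="X-Autostart-Registered-By=$app" '
        /^X-Autostart-Registered-By=/ { next }
        { print }
        /^\[Desktop Entry\]/ { print tag }
    ' "$src" > "$dest"
}

# unregister_autostart <app-id>
# Removes only entries carrying this app's tag; an app cannot remove entries
# the user or another app installed. Succeeds if at least one was removed.
unregister_autostart() {
    app=$1; dir=$(autostart_dir); removed=0
    for f in "$dir"/*.desktop; do
        [ -f "$f" ] || continue
        if grep -qxF "X-Autostart-Registered-By=$app" "$f"; then
            rm -f -- "$f"
            removed=$((removed + 1))
        fi
    done
    [ "$removed" -gt 0 ]
}

# list_autostart [app-id]
# Reading the list needs no mediation; optionally filter by tag.
list_autostart() {
    dir=$(autostart_dir)
    for f in "$dir"/*.desktop; do
        [ -f "$f" ] || continue
        if [ -n "${1:-}" ] && ! grep -qxF "X-Autostart-Registered-By=$1" "$f"; then
            continue
        fi
        basename "$f"
    done
}

# Dispatch only when invoked with arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    case "$1" in
        register)   shift; register_autostart "$@" ;;
        unregister) shift; unregister_autostart "$@" ;;
        list)       shift; list_autostart "$@" ;;
        *) echo "usage: register-autostart register <app-id> <file.desktop> | unregister <app-id> | list [app-id]" >&2; exit 1 ;;
    esac
fi
```

The prompt in ask_user is the only point where the user gets a say, so the interface is only a real control if the calling application cannot bypass it by writing into the autostart directory itself; that enforcement is what the MAC layer in this thread's subject would supply, not the script. Read access stays unmediated, matching the last exchange above, and the tag lives in the entry rather than in a separate list.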

More information about the xdg mailing list