On Thu, Dec 07, 2017 at 01:59:16PM +0000, Holger Levsen wrote:
> On Thu, Dec 07, 2017 at 01:52:07PM +0000, Ian Jackson wrote:
> > Furthermore, this "file is dangerous" attribute ought to be copied
> > much more.
>
> no, it ought to be the default. all files should be considered harmful,
> unless tagged otherwise.
All files _should_ be considered potentially harmful. Even if tagged safe.
A previously-safe file might become harmful because it happens to trigger
a newly found security bug. Possibly a newly found security bug that did
not exist when the file was tagged safe.

In my opinion, tagging files safe or harmful is not a winning strategy. I
don't think it gives enough benefit to be worth it, and it doesn't seem to
me it actually protects our users very much.

An xattrs tag, in particular, gets lost so very easily, and having it
applied inconsistently means there's a lot of ways in which any protection
based on such a tag gets accidentally or intentionally circumvented. If we
have a "this is safe" tag, instead of "this may be harmful", then that's
also going to get lost often, leading to users getting annoyed by
unintended security warnings all the time.

Obviously it's possible to handle this by treating it as a bug every time
a file is copied without its xattr flag. But even from limited experience,
that's going to be a very large number of bugs. If my security depends on
all programs individually doing all the right things, I won't be feeling
very secure.

I don't have a good solution, but I suspect something like QubesOS may be
the way forward. In other words, isolate all processes into containers (or
virtual machines) of some sort and arrange it so that this doesn't become
too cumbersome to the user. (Disclaimer: I haven't had time to actually
try QubesOS myself, yet.)

The advantage of that approach is that the security gets centralised into
fewer system components. It's less important that, say, Firefox is secure,
if it can't be exploited to do bad things, if the container stops Firefox
from deleting or modifying local files, or making unexpected network
connections, or using too much RAM or CPU or other local resources. (I'm
describing an ideal here, not the state of current technology.)

-- 
I want to build worthwhile things that might last. --joeyh
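The point above about an xattr-based tag getting lost "so very easily" can be checked directly. The following is an added example, not code from the thread or from any of the projects discussed: it writes a constructed marker attribute (the hypothetical name `user.safe` stands in for whatever tag a policy would use) onto a file, copies the file with three of Python's own copy helpers, and reports which copies still carry the tag. It assumes a Linux host whose filesystem accepts `user.*` attributes; where the platform, filesystem or sandbox refuses them it returns None rather than guessing.

```python
import os
import shutil
import tempfile

# Hypothetical "this file is safe" marker; the name is constructed for the demo.
TAG = "user.safe"


def tag_survives_copy(copy_fn, workdir):
    """Tag a fresh file, copy it with copy_fn, report whether the tag survived."""
    src = os.path.join(workdir, "original")
    with open(src, "wb") as f:
        f.write(b"harmless content\n")  # constructed sample content
    os.setxattr(src, TAG, b"1")

    dst = os.path.join(workdir, "copy-" + copy_fn.__name__)
    copy_fn(src, dst)
    # listxattr on the destination tells us whether the marker was carried over.
    return TAG in os.listxattr(dst)


def demo():
    """Map each copy helper to True (tag kept) or False (tag lost).

    Returns None when extended attributes are unavailable here (non-Linux
    platform, a filesystem without user.* support, or a sandbox refusing
    the syscall), so the caller can tell "unsupported" from "lost".
    """
    if not hasattr(os, "setxattr"):
        return None
    with tempfile.TemporaryDirectory() as workdir:
        probe = os.path.join(workdir, "probe")
        open(probe, "wb").close()
        try:
            os.setxattr(probe, TAG, b"1")
        except OSError:
            return None
        # copyfile and copy transfer only data (and mode); copy2 also calls
        # copystat, which on Linux copies user.* attributes along with times.
        return {
            fn.__name__: tag_survives_copy(fn, workdir)
            for fn in (shutil.copyfile, shutil.copy, shutil.copy2)
        }


if __name__ == "__main__":
    print(demo())
```

On a supporting filesystem the result is that `copyfile` and `copy` drop the tag and only `copy2` keeps it, which is the thread's complaint in miniature: whether the marker survives depends on which of several near-identical copy routines a program happened to call. GNU `cp` behaves the same way, preserving xattrs only when asked with `--preserve=xattr` (or `-a`), so a policy that relies on the tag has to audit every copy path rather than trust a default.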