On Wed, Nov 23, 2016 at 2:58 PM, Andrew Lutomirski <l...@mit.edu> wrote:
>
>>
>> >
>> > I would go even farther and argue that Fedora should not, by default,
>> > ever
>> > enable a miner that isn't running in *strict* seccomp mode.  If that
>> > means
>> > that cat pictures aren't identified as such, so be it.  And if it means
>> > that several Fedora releases go by with a less functional search, that's
>> > fine too.
>>
>> *points to the written above*, you're talking about rendering entire
>> applications useless based on... not exactly sure what.
>
> The applications that depend on tracker-extract are depending on wildly
> insecure code that exposes a huge attack surface.  This is IMO not okay.

Fixing this shouldn't even be hard.  It could be done like this:

Version A: Instead of having tracker-extract be a dbus service that
extracts directly, have it run tracker-extract once per file.  Rather
than passing in the file by name, though, pass it as an fd and run
tracker-extract in a context in which it has read-only access to /usr
and /etc and has nothing else in its namespace.

Version B: Have tracker-extract fork and open the file.  Before
reading it at all, though, it heavily sandboxes itself such that it
can't use the filesystem.  Then it extracts the file and exits.

It may be that tracker-extract the service is already forking once per
file, in which case these reduce to more or less the same thing.

And I really would argue that Fedora should turn off tracker-extract
by default until something like this gets done.  The current state of
affairs is, in my opinion, unacceptably dangerous.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
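As an added illustration of the "Version B" shape sketched in the mail above (this is example code written for this page, not Andy's code and not anything from tracker), here is a per-file worker that opens its input and then installs a seccomp-BPF allow-list before it reads a single byte. A BPF filter stands in for the "strict seccomp mode" mentioned in the quoted text: SECCOMP_MODE_STRICT (read, write, _exit, sigreturn only) cannot be installed on top of a filter that is already active, so inside a container such as Docker's default profile it fails with EACCES, whereas filters stack. Every name here (lock_down, sniff, sandboxed_extract, write_sample, SAMPLE_PNG) is made up for the example, the "extractor" is a magic-byte sniffer standing in for the real parser, and the sample file is constructed, not a real image.

```c
/* Added example, not tracker code: a "Version B" worker that opens its input, then
 * installs a seccomp-BPF allow-list before parsing a byte. All names are made up. Linux only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

enum extract_status { EXTRACT_OK = 0, EXTRACT_KILLED = 1, EXTRACT_ERROR = 2 };

/* Allow read, write, exit, exit_group, rt_sigreturn; kill on anything else, including a
 * syscall made through a foreign ABI (e.g. x32). The worker is single-threaded, so
 * SECCOMP_RET_KILL (kill thread) ends the whole process with SIGSYS. */
static int lock_down(void)
{
    struct sock_filter filt[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 4, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigreturn, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    };
    struct sock_fprog prog = { (unsigned short)(sizeof filt / sizeof filt[0]), filt };
    /* no_new_privs is what lets an unprivileged process install a filter at all */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Stand-in for the real extractor: classify by magic bytes. Pure userland, so safe after lock_down(). */
static const char *sniff(const unsigned char *b, size_t n)
{
    if (n >= 8 && memcmp(b, "\x89PNG\r\n\x1a\n", 8) == 0) return "image/png";
    if (n >= 3 && memcmp(b, "\xff\xd8\xff", 3) == 0) return "image/jpeg";
    if (n >= 6 && (memcmp(b, "GIF87a", 6) == 0 || memcmp(b, "GIF89a", 6) == 0))
        return "image/gif";
    return "application/octet-stream";
}

/* One worker per file; the parent only ever sees a short result string. misbehave=1 makes
 * the worker call open() after lock-down, to show what the filter does to a parser that
 * wanders off the allow-list (a compromised extractor would not get any further). */
int sandboxed_extract(const char *path, int misbehave, char *type, size_t len)
{
    int pipefd[2], status;
    if (len == 0 || pipe(pipefd) != 0) return EXTRACT_ERROR;
    pid_t pid = fork();
    if (pid < 0) return EXTRACT_ERROR;
    if (pid == 0) {
        close(pipefd[0]);
        int fd = open(path, O_RDONLY);                  /* the worker's only fs access */
        if (fd < 0 || lock_down() != 0) _exit(3);
        unsigned char buf[16];                          /* five syscalls from here on */
        ssize_t n = read(fd, buf, sizeof buf);
        if (misbehave) (void)open("/etc/hostname", O_RDONLY); /* open/openat: SIGSYS */
        const char *t = sniff(buf, n < 0 ? 0 : (size_t)n);
        (void)write(pipefd[1], t, strlen(t));
        _exit(0);                                       /* exit_group: allowed */
    }
    close(pipefd[1]);
    size_t got = 0; ssize_t r;
    while (got < len - 1 && (r = read(pipefd[0], type + got, len - 1 - got)) > 0)
        got += (size_t)r;
    type[got] = '\0';
    close(pipefd[0]);
    if (waitpid(pid, &status, 0) != pid) return EXTRACT_ERROR;
    if (WIFSIGNALED(status)) return EXTRACT_KILLED;     /* SIGSYS from the filter */
    return WEXITSTATUS(status) == 0 ? EXTRACT_OK : EXTRACT_ERROR;
}

/* Constructed sample input: a PNG signature plus padding, not a real picture. */
const unsigned char SAMPLE_PNG[16] = { 0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n',
                                       0, 0, 0, 13, 'I', 'H', 'D', 'R' };

int write_sample(const char *path, const unsigned char *bytes, size_t n)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, bytes, n);
    close(fd);
    return w == (ssize_t)n ? 0 : -1;
}
```

The point of the misbehave path is the failure mode: when the worker touches the filesystem after lock-down, the kernel delivers SIGSYS and the parent gets EXTRACT_KILLED instead of a result, so a parser bug costs one metadata record rather than the user's home directory. Two things a real deployment would add on top of this: the mount namespace from Version A (read-only /usr and /etc, nothing else visible), and an allow-list derived from what the actual extractor needs (at least brk/mmap for allocation, probably more), since the five-call list above only works because the stand-in parser never allocates.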