--- Daniel Kasak <[EMAIL PROTECTED]> wrote:

> Chad Smith wrote:
>
> > Remember, we are talking about OpenOffice.org - not Linux. Remember, the
> > problem that the article brings up about OpenOffice.org is that macros,
> > which can be set up to activate merely by opening a document, can control
> > your system.
>
> CAN BE set up to automatically run macros. This is not the default. Get
> over yourself.
>

Has had at least one recent bug in which a macro could be run at document load time with no input from the user and no feedback. Correction - had a long-running but recently fixed bug that allowed such to happen.

> > Now, I'll admit it's been a couple months since I've used
> > OpenOffice.org on Linux (I use OOo on Windows, NeoOffice on Mac
> > primarily), but I don't recall having to enter in a root password to
> > open a document. Please correct me if I'm wrong on that.
>
> OK then. You're wrong. You can only open & modify files that you, as the
> current user, have access to. I can't log in as myself and modify files
> that only root has permission to modify. I don't remember how Apple has
> set things up, but I do know that OpenOffice runs with the current
> user's permissions, and not root's, so please try to stick to the facts.
>

So what? Why does this provide any useful data protection on a single user machine? It doesn't protect the user from themselves or any malicious pieces of code they may be running. It is in fact not designed to do that. Most unix machines these days are single user machines - once you are running as that user, you have access to all the useful data that exists on the machine.

[snip]

> At this point I should bring another topic of recent discussion into the
> mix. Aren't you Chad - the same Chad that always argues for integrating
> everything under the sun in one package? So are you now saying you want
> everything under the sun, apart from scripting, because some user might
> be running OpenOffice as root, and receive an OpenOffice attachment with
> a macro virus, and they might have either disabled macro security
> completely, or have hit 'run macro' when the security dialog appears,
> and this oh-so-remote possibility is such an affront to common decency
> that clearly OpenOffice shouldn't have scripting capability?
>

Running or not running as root is not relevant to the discussion. Neither is integration of more components, at least not unless you can bring a proof that that will necessarily lead to reduced security.

As for scripting ... as long as the scripts can not load more code into the address space, especially not from an external source or from themselves, and can not modify or read files beyond the current document without express and non-overridable permission from the user, scripting is fairly containable.

But of course, you are welcome to consider both me and Chad to be trolling if you so wish - that doesn't change the fact of what Malte writes in his blog :

<quote>
The article states that through OOo's support for multiple programming languages more sophisticated viruses can be written. The different programming languages also enable the user to write more sophisticated solutions for OpenOffice.org. For the security it doesn't make a difference. A macro (OOoBasic as well as VBA) can do almost everything with current users credentials, so using other programming languages doesn't increase the risk.
</quote>

And that this is a security problem. Running a macro is not - and never will be - associated by users with "take over my account". And it shouldn't, as simply enabling macros from a document should not result in those having access to anything outside the document.

> --
> Daniel Kasak
> IT Developer
> NUS Consulting Group
> Level 5, 77 Pacific Highway
> North Sydney, NSW, Australia 2060
> T: (+61) 2 9922-7676 / F: (+61) 2 9922 7989
> email: [EMAIL PROTECTED]
> website: http://www.nusconsulting.com.au
>

Sander

.sigless
