On Thu, Feb 13, 2020 at 03:22:23PM -0800, tom wrote:
> On Mon, 13 Jan 2020 10:27:40 +0100
> Evilham via Dng <dng@lists.dyne.org> wrote:
> 
> > Hello Enrico,
> > 
> > On Tue, Jan 07 2020, Enrico Weigelt wrote:
> > 
> > > What is supposed to be convenience functionality poses a real-life
> > > security threat:
> > >
> > > A user can be tricked to download malicious code, unpack it with +x
> > > permissions (e.g. via tar) and execute it by just clicking on the icon.
> > > In combination with other techniques (e.g. homoglyphs), even more
> > > experienced users can be tricked to "open" some supposedly harmless file
> > > type, while Thunar in fact executes a binary - with the user's full
> > > privileges. (The same approach is one of the primary infection vectors
> > > used by thousands of pieces of malware in the Windows world, which have
> > > already caused gigantic damage.)
> > >
> > > Therefore introduce a new setting and only execute programs if
> > > explicitly enabled.
> > 
> > 
> > That's great!
> > 
> > Have you tried poking Thunar's developers into merging such a 
> > feature?
> > This is where the developers would like such things: 
> > https://docs.xfce.org/xfce/thunar/bugs
> > 
> > It'd really be the best place for a setting like this to land and 
> > benefit all Thunar users out there (which are not limited to 
> > Debian-like or even Linux, but also include the BSDs).
> > 
> > Cheers!
> > --
> > Evilham
> > _______________________________________________
> > Dng mailing list
> > Dng@lists.dyne.org
> > https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> 
> If the user is stupid enough to run random binaries from the internet
> no amount of nannyware is going to protect them. All this does is add
> another layer of inconvenience and complexity literate computer users
> have to work around.

The problem is that the user may think he's opening an 
image and it turns out to be an executable.

-- hendrik

> 
> If you have to deal with users like that then set their home
> directory's mount with option noexec.
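As an added illustration of the two points raised in this thread (a file whose name says "image" but whose content or mode bit says "executable", and tom's noexec mount suggestion), here is a small POSIX shell script. It is not code from any message in the thread and not Thunar's code; the extension list, the sample file names and the mounts table it builds are constructed assumptions.

```sh
#!/bin/sh
# Added example, not part of the thread. Two defender-side checks:
#  - flag files that look like images/documents by name but would execute,
#    either because the execute bit is set or because the content starts
#    with an ELF header or a "#!" shebang;
#  - report whether the mount point covering a path carries "noexec",
#    given a mounts table in /proc/mounts layout.

# looks_harmless NAME: 0 if the extension is one a user expects to "open"
# rather than run. Assumed list; extend it for your environment.
looks_harmless() {
    case "$1" in
        *.png|*.jpg|*.jpeg|*.gif|*.pdf|*.txt|*.odt|*.doc|*.docx) return 0 ;;
        *) return 1 ;;
    esac
}

# has_exec_bit FILE: 0 if the owner execute bit is set. find(1) inspects the
# mode bits directly; "test -x" goes through access(2) and so reports false
# on a noexec mount, which would hide the very files this check is after.
has_exec_bit() {
    [ -n "$(find "$1" -prune -perm -100 2>/dev/null)" ]
}

# exec_magic FILE: 0 if the first bytes are an ELF header or a "#!" shebang.
exec_magic() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) return 0 ;;   # \177ELF
        2321*)    return 0 ;;   # "#!"
        *)        return 1 ;;
    esac
}

# is_disguised_executable FILE: 0 if FILE looks harmless by name but would run.
is_disguised_executable() {
    [ -f "$1" ] || return 1
    looks_harmless "$1" || return 1
    has_exec_bit "$1" && return 0
    exec_magic "$1"
}

# scan_dir DIR: print every disguised executable found directly in DIR.
scan_dir() {
    for f in "$1"/*; do
        is_disguised_executable "$f" && printf '%s\n' "$f"
    done
    return 0
}

# mount_has_noexec MOUNTS_FILE PATH: 0 if the longest mount point covering
# PATH lists noexec in its options. MOUNTS_FILE uses the /proc/mounts layout:
#   device mountpoint fstype options dump pass
mount_has_noexec() {
    best=""; bestopts=""
    while read -r dev mnt fstype opts rest; do
        case "$2" in
            "$mnt"|"${mnt%/}"/*)
                if [ "${#mnt}" -gt "${#best}" ]; then
                    best=$mnt; bestopts=$opts
                fi ;;
        esac
    done < "$1"
    case ",$bestopts," in *,noexec,*) return 0 ;; *) return 1 ;; esac
}

# make_fixture DIR: constructed sample files plus a constructed mounts table,
# so the checks can be exercised offline.
make_fixture() {
    mkdir -p "$1"
    printf 'plain text, not code\n'  > "$1/notes.txt"
    printf '\211PNG\r\n\032\n'       > "$1/photo.png"    # genuine PNG header
    printf '\177ELF\002\001\001'     > "$1/holiday.jpg"  # ELF bytes, no +x
    printf '#!/bin/sh\necho hi\n'    > "$1/invoice.pdf"  # script with +x
    chmod u+x "$1/invoice.pdf"
    printf '%s\n' \
        'rootfs / ext4 rw,relatime 0 0' \
        '/dev/sdb1 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0' \
        'tmpfs /home/shared tmpfs rw,relatime 0 0' > "$1/mounts"
}

# Usage on a real system: scan_dir "$HOME/Downloads"; mount_has_noexec /proc/mounts "$HOME"
```

Running `scan_dir` over the fixture lists `holiday.jpg` and `invoice.pdf` but not `photo.png` or `notes.txt`; `mount_has_noexec` on the fixture table answers yes for `/home/alice/...` and no for `/home/shared/...` or `/opt/...`, because the longest matching mount point wins. Note that the noexec mount only stops direct execution of the file; it does not stop a user from handing the file to an interpreter, so the content check and the mount check complement each other.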
