On Thu, 2002-05-09 at 11:48, Andy Cedilnik wrote:
> Please explain to me what would be security holes.
> 
>                       Andy
> 
> On Thu, 2002-05-09 at 14:19, Miles Lane wrote:
> > Yeah, we need more security bugs to stay on par with Microsoft.
> > Seriously, why would we want to add this support?  It's just asking
> > for trouble, AFAICS.

In any community of computer users, there are many who don't
apply security patches.  This means that malicious script
kiddies have a pool of target machines with well-known
and exploitable security holes.  Many of these security
holes live in binaries on the target machine that can enable
a script to gain root privileges.  Once this is accomplished,
the script or binary is free to do whatever it wants to the
target machine.  On the other hand, even without root access,
a script can delete anything the user has access to.

IIRC, one of the good ideas in Java, .NET and, therefore, Mono,
is the sandbox.  This gives restricted freedom to downloaded
scripts that operate within the .NET framework.  I really know
very little about it, but I gather the .NET security model is
quite good.  If we want to add Outlook-like "download and
launch" ability to Evolution, _please_ make sure it takes 
advantage of a very good sandbox approach.  Just adding support
for someone to send a script or program and run it on the 
target machine with the recipient's permissions would be a 
disaster, IMHO.

        Miles


_______________________________________________
evolution-hackers maillist  -  [EMAIL PROTECTED]
http://lists.ximian.com/mailman/listinfo/evolution-hackers
