On Tue, Mar 20, 2007 at 07:28:36AM +0000, Dave wrote:
> On Mon, Mar 19, 2007 at 11:51:37PM -0400, Derek Martin wrote:
> > I'd also really like to see a configure option for mutt to refuse to
> > run binaries in directories where the user has write access,
>
> I think that's a useful option.

it sort of defeats ~/bin. the most secure solution is already the
default: no sane program (except the linker) creates/saves files with an
executable bit set. this is a conscious decision of the user - at the
point where it is not, the security was already compromised.

> > enabled by default, but whatever.
>
> Again, it shouldn't be enabled by default, unless the user has already
> informed his OS that he'd like the system to go out of its way to
> protect him. (Such a flag might also signal rm(1) to do -i by
> default, for example.)

this "user is [security wise] clueless" flag sounds a lot like the
concept of user expertise levels in general. a lot has been said about why
this is a bad idea. check the [EMAIL PROTECTED] archive.

derek's approach is counterproductive: users will always invent creative
ways of compromising security, and are even more motivated to do so if
the system behaves non-predictably (unix incompatible, as you say it).

otoh, most users *are* idiots (yes, even the unix users - most corporate
users don't choose their environment, and the rising numbers of private
linux users don't exactly help, either), and even the most security
conscious ones make mistakes. when weighing the convenience of the users
against the future of a company and possibly thousands of secondary
victims, the decision is pretty clear. if there only wasn't the previous
paragraph ...

so the key is to design security in a way that does not get in the way
of the users, so they don't try to work around it. an essential part of
that design is educating the users, btw. wow, that's what i call stating
the obvious.

so ... regarding the umask i can only say that i never liked it - it's
way too broad and it always gets in the way. i determine default
permissions by putting stuff in the right directory ...

regarding the paths, i'm strictly against hard-coding anything in the
binary. i can accept absolute paths determined at configure time in the
default config, but i don't think it is an advantage of any kind.

-- 
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
-- 
Chaos, panic, and disorder - my work here is done.
