Re: Blocking execution of non-exec things
On Tue, Jan 19, 2010 at 11:38:54AM +0100, Martin Pitt wrote:
> Kees Cook [2010-01-12 10:19 -0800]:
> > As part of implementing the Execute-Permission Bit Required policy[1], I
> > need to make changes to a few MIME handlers and to the nautilus .desktop
> > file handler. The main issue is that of the error message to produce,
> > and I'm hoping to get some input for that from the Desktop team.
>
> I actually find the current error message text quite good. Keeping it
> would also mean not breaking all the existing translations. How about we
> just drop the "Start anyway" and "Mark as trustworthy" (translated from
> German) buttons and replace them with an "Explain..." button which pops up
> a message box with further text, or opens a web browser with a wiki page?

Sure, that sounds good. For people upgrading from Hardy, I'm thinking we
need to preserve the Start/Mark buttons when the .desktop has a ctime
(marking a .desktop as executable doesn't change mtime) below a certain
date; perhaps the release date of Karmic?

For the Wiki, I've built:
https://wiki.ubuntu.com/Security/ExecutableBit

Currently the mime-support patch points there, but cautious-launcher (for
MIME handlers) needs to be translatable.

-Kees

--
Kees Cook
Ubuntu Security Team

--
ubuntu-desktop mailing list
ubuntu-desktop@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-desktop
Re: Blocking execution of non-exec things
On Monday 18 January 2010 at 10:09 -0600, Ted Gould wrote:
> > > Maybe I'm confused, but it seems like we're not executing the
> > > .desktop file, we're executing what is on the Exec line of the
> > > desktop file. It would seem that whatever is first on that line
> > > should have +x, not necessarily the desktop file itself.
> >
> > The issue with virus .desktop files is that they could run trusted
> > executables with arguments you wouldn't expect. Think of
> > Exec=rm -Rf ~
>
> That would lead to the question, is there a list of wrapper utilities?
> It would seem that the easiest hack around that technique would be
> "nice myvirus" as nice would be executable. (and while I don't want
> viruses stealing excess CPU, that doesn't solve the real problem).

That's another risk, but we don't fear third-party programs as much as our
own tools when used with the intent of damaging your files. I can't see how
non-Ubuntu programs installed on the computer and run via a .desktop file
would be the central issue here: if they have reached this stage, they
could have destroyed what they wanted anyway. So the problem is more with
seemingly safe little text files called e.g. "My Pics.desktop" that
wouldn't ask for any privileges, but bite our systems with their own
weapons (even if only personal files can be affected).

Regards
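The two points made in the thread so far (Kees's "check the .desktop's own execute bit, and grandfather old launchers by ctime" and Milan's "the Exec target being executable proves nothing, because a launcher can pass a trusted program arbitrary arguments") are easy to get backwards in a handler. The following is an added illustration, not code from nautilus, cautious-launcher or any Ubuntu/GNOME package: a small Python model of the decision a launcher handler would make. The parser, the `Decision` type, the cutoff handling and the sample launcher files are assumptions of this example; the dialog wording is the one quoted later in the thread.

```python
"""Added example (not Ubuntu, GNOME or nautilus code): a model of the
execute-bit check for .desktop launchers discussed in this thread.
The parser, the Decision type and the cutoff handling are assumptions."""
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from typing import Optional

# Dialog wording quoted in the thread from the desktop-devel-list discussion.
UNTRUSTED_MSG = ("The application launcher %s is not marked as trusted. "
                 "If this application launcher's source is unknown to you "
                 "then it may be unsafe to launch.")


def parse_desktop_entry(path: str) -> dict:
    """Return the key=value pairs of the [Desktop Entry] group.

    Minimal parser written for this example (not xdg's): comments, blank
    lines and other groups are skipped; field codes and localised keys
    such as Name[fr] are left untouched.
    """
    entries = {}
    in_group = False
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                in_group = (line == "[Desktop Entry]")
                continue
            if in_group and "=" in line:
                key, _, value = line.partition("=")
                entries[key.strip()] = value.strip()
    return entries


@dataclass
class Decision:
    action: str                  # "launch", "legacy" or "blocked"
    name: str
    exec_line: Optional[str]
    message: Optional[str] = None


def launcher_decision(path: str, legacy_cutoff: float) -> Decision:
    """Apply the execute-bit policy to one launcher file.

    The bit is checked on the .desktop file itself, never on the program
    named in Exec=, because a launcher can hand a trusted program arguments
    its author never intended. A launcher without +x is refused ("blocked")
    unless its ctime predates legacy_cutoff (a Unix timestamp, e.g. the
    Karmic release date), in which case the caller may keep the old
    "Start anyway"/"Mark as trustworthy" buttons ("legacy"). ctime is the
    right field because chmod updates ctime but leaves mtime alone.
    """
    entries = parse_desktop_entry(path)
    name = entries.get("Name", os.path.basename(path))
    exec_line = entries.get("Exec")
    st = os.stat(path)
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return Decision("launch", name, exec_line)
    action = "legacy" if st.st_ctime < legacy_cutoff else "blocked"
    return Decision(action, name, exec_line, UNTRUSTED_MSG % name)


def demo() -> dict:
    """Write two constructed launchers to a temp dir and run the check."""
    d = tempfile.mkdtemp(prefix="launcher-demo-")
    template = "[Desktop Entry]\nType=Application\nName={name}\nExec={cmd}\n"
    trusted = os.path.join(d, "terminal.desktop")
    with open(trusted, "w", encoding="utf-8") as fh:
        fh.write(template.format(name="Terminal", cmd="gnome-terminal"))
    os.chmod(trusted, 0o755)                 # installed or user-marked launcher
    dropped = os.path.join(d, "My Pics.desktop")
    with open(dropped, "w", encoding="utf-8") as fh:
        fh.write(template.format(name="My Pics", cmd="eog"))
    os.chmod(dropped, 0o644)                 # e.g. a file that arrived by download
    now = time.time()
    # Same non-executable file, judged against a cutoff in the past (a fresh
    # file: refuse) and against a cutoff in the future (models a pre-upgrade
    # file: keep the transition buttons).
    fresh = launcher_decision(dropped, legacy_cutoff=now - 10 * 365 * 86400)
    old = launcher_decision(dropped, legacy_cutoff=now + 365 * 86400)
    return {
        "executable": launcher_decision(trusted, legacy_cutoff=0).action,
        "fresh_noexec": fresh.action,
        "legacy_noexec": old.action,
        "name": fresh.name,
        "message": fresh.message,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the executable check reads the mode bits rather than calling `os.access(..., os.X_OK)`, which would report success for root on any file; the policy is about the mark on the file, not about whether the caller could run it.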
Re: Blocking execution of non-exec things
Hi,

On Tue, Jan 12, 2010 at 07:40:12PM +0100, Milan Bouchet-Valat wrote:
> On Tuesday 12 January 2010 at 10:19 -0800, Kees Cook wrote:
> > Hello! As part of implementing the Execute-Permission Bit Required
> > policy[1], I need to make changes to a few MIME handlers and to the
> > nautilus .desktop file handler. The main issue is that of the error
> > message to produce, and I'm hoping to get some input for that from the
> > Desktop team.
>
> Maybe you already know about it, but here's the thread in
> desktop-devel-list where it was decided how to phrase the dialog shown
> when .desktop files don't have +x set:
> http://www.mail-archive.com/desktop-devel-l...@gnome.org/msg15440.html
>
> There, the message was:
> "The application launcher %s is not marked as trusted. If this
> application launcher's source is unknown to you then it may be unsafe
> to launch."
>
> Sure, it doesn't do what you want, since it provides that bad button
> "Launch Anyway" (which was there for transition mainly). Anyway, that
> might be an inspiration, you could just remove the button.

Right, this is about strengthening that message further. I've already
uploaded a patch to remove the other buttons. :)

Thanks,

-Kees

--
Kees Cook
Ubuntu Security Team
Blocking execution of non-exec things
Hello!

As part of implementing the Execute-Permission Bit Required policy[1], I
need to make changes to a few MIME handlers and to the nautilus .desktop
file handler. The main issue is that of the error message to produce, and
I'm hoping to get some input for that from the Desktop team.

Thanks,

-Kees

[1] https://wiki.ubuntu.com/SecurityTeam/Policies#Execute-Permission%20Bit%20Required

--
Kees Cook
Ubuntu Security Team
Re: Blocking execution of non-exec things
On Tuesday 12 January 2010 at 10:19 -0800, Kees Cook wrote:
> Hello! As part of implementing the Execute-Permission Bit Required
> policy[1], I need to make changes to a few MIME handlers and to the
> nautilus .desktop file handler. The main issue is that of the error
> message to produce, and I'm hoping to get some input for that from the
> Desktop team.

Maybe you already know about it, but here's the thread in
desktop-devel-list where it was decided how to phrase the dialog shown
when .desktop files don't have +x set:
http://www.mail-archive.com/desktop-devel-l...@gnome.org/msg15440.html

There, the message was:
"The application launcher %s is not marked as trusted. If this application
launcher's source is unknown to you then it may be unsafe to launch."

Sure, it doesn't do what you want, since it provides that bad button
"Launch Anyway" (which was there for transition mainly). Anyway, that might
be an inspiration, you could just remove the button.

Hope this helps!