Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Neil Greenwood wrote: > The vulnerability at the moment doesn't affect any extensions from > addons.mozilla.org, since they use https to download the update to > your browser. The problem is with some extensions developed by e.g. > Google and Yahoo (del.icio.us). Other big companies also are at risk. Isn't there also an issue - as with all browsers - about 'spyware', tracking cookies, and similar? I use 'No Script', and I have FF set to ask before setting cookies; but I'm not certain that this catches all the rubbish. As I mentioned before, I did have a go at using Nixory - which picked up a couple of tracking cookies on first use; but its spyware database does not appear to be getting updated any more. Can I do anything about browser spyware? Or am I getting worked up about nothing? -- Diana -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
On 20/06/07, Ian Pascoe <[EMAIL PROTECTED]> wrote: > Hi Folks > > As this has split into two threads, I'm gonna confuse everyone and reply to > both in one. > > Firefox - hasn't there just been a security breach with FF's extensions > whereby some of them don't conform to using SSL to update so can be duped to > update from a interposing server? Hi Ian, The vulnerability at the moment doesn't affect any extensions from addons.mozilla.org, since they use https to download the update to your browser. The problem is with some extensions developed by e.g. Google and Yahoo (del.icio.us). Other big companies also are at risk. Basically, any extension hosted at a site with an http URL that periodically checks the server for an update could be at risk. The security risk involves changing the user's DNS so that the update URL points to a different server. Since SSL (https) isn't used in the update check, there's no way for the browser to verify that it's a trusted site and it will then merrily download a hacked version of the extension. Google's extensions even suppress the update message, so you can't tell that it's been hacked! Hwyl, Neil. -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Hi Matthew Macdonald-Wallace wrote: > with SE-Linux, but it looks like it's gonna take a while to master... Indeed. I'm somewhat doubtful that the PolicyKit chaps can actually wrangle it into a useful form for a Desktop, at least without extensively bothering the user for privileges. I for one am glad we have a top notch security team who respond quickly enough that we are almost always amongst the first to patch holes :) Cheers, -- Chris Jones [EMAIL PROTECTED] www.canonical.com -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Quoting Chris Jones <[EMAIL PROTECTED]>: > Hi > > Matthew Macdonald-Wallace wrote: >> 2) A link is setup from given directories in each app's jail to >> /downloads which is read only. > > How do I now upload my photos to some website, or any of the other > myriad things which internet applications want to do that involves > either reading or writing data locally? > > It sounds like a serious mess. Perhaps Fedora's SELinux/PolicyKit stuff > can do a better job. Quite probably, I really didn't think it through, it was just a five minute distraction from Windows Support really, I'm starting to play with SE-Linux, but it looks like it's gonna take a while to master... M. -- Matthew Macdonald-Wallace Group Co-Ordinator Thanet Linux User Group http://www.thanet.lug.org.uk/ [EMAIL PROTECTED] GPG KEY: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xFEA1BC16 -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Hi Matthew Macdonald-Wallace wrote: > 2) A link is setup from given directories in each app's jail to > /downloads which is read only. How do I now upload my photos to some website, or any of the other myriad things which internet applications want to do that involves either reading or writing data locally? It sounds like a serious mess. Perhaps Fedora's SELinux/PolicyKit stuff can do a better job. Cheers, -- Chris Jones [EMAIL PROTECTED] www.canonical.com -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Hi Scrase, Eddie wrote: > Firefox should only install an extension without warning if the site is on > it's trusted list, which defaults to just mozilla.org. Obviously this > assumes that the attackers haven't hacked into Mozilla's site... Firefox will only install an extension from a trusted site. Period. It will also always display a dialog which requests confirmation from the user to install the extension and the "Install" button will always be inactive for about 5 seconds. Clicking on an XPI link from an untrusted site will produce an error telling the user that the operation was blocked. They can then add the site as trusted in order to continue (although of course they can save the XPI locally and install it from there). It should *never* *ever* *ever* install an extension without a warning. Cheers, -- Chris Jones [EMAIL PROTECTED] www.canonical.com -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Hi Folks As this has split into two threads, I'm gonna confuse everyone and reply to both in one. Firefox - hasn't there just been a security breach with FF's extensions whereby some of them don't conform to using SSL to update so can be duped to update from a interposing server? Running FF securely - isn't the idea of running FF under a seperate usre basically what the kernal peeps are trying to do with their 'Containers' proposals? I admit that like chris R, it seems like a good idea to pursue for that "just in case" feeling, but it's a pain if you want to do something and just need to Google it.. E -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of luxxius Sent: 20 June 2007 17:58 To: British Ubuntu Talk Subject: Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please alan c wrote: > With Ubuntu in mind I would be grateful for more information about the > possible vulnerability - or not - of the sort of malware (trojan) > which is likely to be used in the sort of current, and on a new scale, > attack via infected websites as described in the Guardian: > > http://www.guardian.co.uk/international/story/0,,2106855,00.html > > My initial reaction is of course that linux doe snot install anything > without a password, but then I remembered that in my user activities I > was able to install a firefox extension without a password (I think), > and in principle I can install into my user area with no password > generally. > > So could a trojan be installed easily from an infected website without > my knowledge? Wasn't Nixory intended to deal with malware affecting Linux web browsers? But there no longer seem to be any updates to Nixory. Anyone know what's happened to this project? -- Diana -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/ -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
alan c wrote: > With Ubuntu in mind I would be grateful for more information about the > possible vulnerability - or not - of the sort of malware (trojan) > which is likely to be used in the sort of current, and on a new scale, > attack via infected websites as described in the Guardian: > > http://www.guardian.co.uk/international/story/0,,2106855,00.html > > My initial reaction is of course that linux doe snot install anything > without a password, but then I remembered that in my user activities I > was able to install a firefox extension without a password (I think), > and in principle I can install into my user area with no password > generally. > > So could a trojan be installed easily from an infected website without > my knowledge? Wasn't Nixory intended to deal with malware affecting Linux web browsers? But there no longer seem to be any updates to Nixory. Anyone know what's happened to this project? -- Diana -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
On Wed, 20 Jun 2007 17:08:49 +0100 alan c <[EMAIL PROTECTED]> wrote: > Interesting. Any idea if other apps have a trusted list also, and > where such list/s may be located (and firefox's)? For firefox's trusted list look in the security tab of the preferences dialogue, there is a checkbox there with "Warn me when sites try to install add-ons" and an "Exceptions" button. Clicking the "Exceptions" button brings up the list of trusted sites. Robert McWilliam [EMAIL PROTECTED]www.ormiret.com There are very few personal problems that cannot be solved through a suitable application of high explosives. -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Scrase, Eddie wrote: >> My initial reaction is of course that linux doe snot install anything >> without a password, but then I remembered that in my user activities I >> was able to install a firefox extension without a password (I think), >> and in principle I can install into my user area with no password >> generally. > > Firefox should only install an extension without warning if the site is on > it's trusted list, which defaults to just mozilla.org. Obviously this > assumes that the attackers haven't hacked into Mozilla's site... Interesting. Any idea if other apps have a trusted list also, and where such list/s may be located (and firefox's)? -- alan cocks Kubuntu user#10391 -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Quoting Lucy <[EMAIL PROTECTED]>: > On 20/06/07, Matthew Macdonald-Wallace <[EMAIL PROTECTED]> wrote: >> I was under the impression that if you run an app >> in a chroot jail, the libraries are available to it? >> > I believe that you need to provide a copy of any libraries under the > chroot jail too (a quick Google seems to back this up). I stand corrected! ;o) M. -- Matthew Macdonald-Wallace Group Co-Ordinator Thanet Linux User Group http://www.thanet.lug.org.uk/ [EMAIL PROTECTED] GPG KEY: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xFEA1BC16 -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
On 20/06/07, Matthew Macdonald-Wallace <[EMAIL PROTECTED]> wrote: > I was under the impression that if you run an app > in a chroot jail, the libraries are available to it? > I believe that you need to provide a copy of any libraries under the chroot jail too (a quick Google seems to back this up). -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Quoting Lucy <[EMAIL PROTECTED]>: > On 20/06/07, Matthew Macdonald-Wallace <[EMAIL PROTECTED]> wrote: >> > In principle though yes, it would be nice if each app that faces an >> > untrusted network was in their own separate user space or jail. >> >> OK then, why not something like this: >> >> 1) App is installed into it's own Jail >> 2) A link is setup from given directories in each app's jail to >> /downloads which is read only. >> 3) Any documents downloaded are saved to the dir in the jail, but can >> be access by any user via /downloads and copied from there to a home >> dir. >> 4) a cron job runs once a day and cleans out any files that are still >> in /downloads for security purposes. >> > > Each application would still need access to system libraries, etc > though and so would still be a security risk to some extent. You could > look at SELinux, used by Fedora, which AFAIK uses policies to restrict > what an application can do and where it can write to. Point taken, however I was under the impression that if you run an app in a chroot jail, the libraries are available to it? Again, I could be wrong about this as well! :) M. -- Matthew Macdonald-Wallace Group Co-Ordinator Thanet Linux User Group http://www.thanet.lug.org.uk/ [EMAIL PROTECTED] GPG KEY: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xFEA1BC16 -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
On 20/06/07, Matthew Macdonald-Wallace <[EMAIL PROTECTED]> wrote: > > In principle though yes, it would be nice if each app that faces an > > untrusted network was in their own separate user space or jail. > > OK then, why not something like this: > > 1) App is installed into it's own Jail > 2) A link is setup from given directories in each app's jail to > /downloads which is read only. > 3) Any documents downloaded are saved to the dir in the jail, but can > be access by any user via /downloads and copied from there to a home > dir. > 4) a cron job runs once a day and cleans out any files that are still > in /downloads for security purposes. > Each application would still need access to system libraries, etc though and so would still be a security risk to some extent. You could look at SELinux, used by Fedora, which AFAIK uses policies to restrict what an application can do and where it can write to. -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
> My initial reaction is of course that linux doe snot install anything > without a password, but then I remembered that in my user activities I > was able to install a firefox extension without a password (I think), > and in principle I can install into my user area with no password > generally. Firefox should only install an extension without warning if the site is on it's trusted list, which defaults to just mozilla.org. Obviously this assumes that the attackers haven't hacked into Mozilla's site... -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Quoting alan c <[EMAIL PROTECTED]>: So all in all, viruses[0] and their ilk will come to linux as it becomes more and more popular, however there will alwys be the fact that Linux is inherently more secure than some of the alternatives out there to give you a warm, fuzzy feeling... :o) I'm not so sure of this statement, we must remember that most servers around organisations are GNU/Linux based, but fail to get hosed by viruses. It is a fact in my opnion that Windows is less secure as I have used both systems to compare. General users on Win32 are constantly plagued by viruses and spyware which GNU/Linux does not seem to be affected by. I also read an article not so long ago about a cracker who got caught breaking into the Pentagon systems. Funny thing was he mentioned that his first point of action would be to look for Windows machines as they are generally easier to exploit. This article will explain the theory behind the Windows and Linux systems http://www.theregister.co.uk/security/security_report_windows_vs_linux/ Cheers Lee -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Quoting Robert McWilliam <[EMAIL PROTECTED]>: > On Wed, 20 Jun 2007 13:48:11 +0100 > Matthew Macdonald-Wallace <[EMAIL PROTECTED]> wrote: >> Yeah, it will. There's no need to run xhost -local before running >> gksudo, this will lcok the system out (as demonstrated effectively >> above!) > > I was running -local: to remove the +local: I did earlier. To check and > see if the default settings were enough to run it without the "xhost > +local:" I just created a whole new user and tried "gksudo -u st > firefox" and it failed with the same error as I quoted above. Hmmm, then again, I could be wrong... :o) M. -- Matthew Macdonald-Wallace Group Co-Ordinator Thanet Linux User Group http://www.thanet.lug.org.uk/ [EMAIL PROTECTED] GPG KEY: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xFEA1BC16 -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Quoting Kris Marsh <[EMAIL PROTECTED]>: > On 6/20/07, Chris Rowson <[EMAIL PROTECTED]> wrote: >> This topic makes me think though. >> >> Wouldn't isolating all net enabled applications in this manner pretty >> much secure linux? Why aren't distributions running like this as >> standard? >> >> Chris >> >> -- >> ubuntu-uk@lists.ubuntu.com >> https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk >> https://wiki.kubuntu.org/UKTeam/ >> > > > Security vs Usability. > > If you run your browser under a separate user you wont, for example, > be able to save files to your home directory. > > In principle though yes, it would be nice if each app that faces an > untrusted network was in their own separate user space or jail. OK then, why not something like this: 1) App is installed into it's own Jail 2) A link is setup from given directories in each app's jail to /downloads which is read only. 3) Any documents downloaded are saved to the dir in the jail, but can be access by any user via /downloads and copied from there to a home dir. 4) a cron job runs once a day and cleans out any files that are still in /downloads for security purposes. Just a thought, M. -- Matthew Macdonald-Wallace Group Co-Ordinator Thanet Linux User Group http://www.thanet.lug.org.uk/ [EMAIL PROTECTED] GPG KEY: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xFEA1BC16 -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
On Wed, 20 Jun 2007 13:48:11 +0100 Matthew Macdonald-Wallace <[EMAIL PROTECTED]> wrote: > Yeah, it will. There's no need to run xhost -local before running > gksudo, this will lcok the system out (as demonstrated effectively > above!) I was running -local: to remove the +local: I did earlier. To check and see if the default settings were enough to run it without the "xhost +local:" I just created a whole new user and tried "gksudo -u st firefox" and it failed with the same error as I quoted above. Robert McWilliam [EMAIL PROTECTED]www.ormiret.com Education is what you get from reading the small print. Experience is what you get from not reading it. -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
On 6/20/07, Chris Rowson <[EMAIL PROTECTED]> wrote: > This topic makes me think though. > > Wouldn't isolating all net enabled applications in this manner pretty > much secure linux? Why aren't distributions running like this as > standard? > > Chris > > -- > ubuntu-uk@lists.ubuntu.com > https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk > https://wiki.kubuntu.org/UKTeam/ > Security vs Usability. If you run your browser under a separate user you wont, for example, be able to save files to your home directory. In principle though yes, it would be nice if each app that faces an untrusted network was in their own separate user space or jail. Kris -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
This topic makes me think though. Wouldn't isolating all net enabled applications in this manner pretty much secure linux? Why aren't distributions running like this as standard? Chris -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Quoting Robert McWilliam <[EMAIL PROTECTED]>: > On Wed, 20 Jun 2007 13:24:55 +0100 > Matthew Macdonald-Wallace <[EMAIL PROTECTED]> wrote: >> Quoting Robert McWilliam <[EMAIL PROTECTED]>: >> >xhost +local: >> >> In theory, you shouldn't need to do even this, the gksudo command >> should work without needing to open up X to local connections. > > Doesn't work here: > > [EMAIL PROTECTED]:~$ xhost -local: > non-network local connections being removed from access control list > [EMAIL PROTECTED]:~$ gksudo -u st firefox > Xlib: No protocol specified > > > (firefox-bin:26170): Gtk-WARNING **: cannot open display: > [EMAIL PROTECTED]:~$ xhost +local: > non-network local connections being added to access control list > [EMAIL PROTECTED]:~$ gksudo -u st firefox > [EMAIL PROTECTED]:~$ > > firefox started the second time. Yeah, it will. There's no need to run xhost -local before running gksudo, this will lcok the system out (as demonstrated effectively above!) M. -- Matthew Macdonald-Wallace Group Co-Ordinator Thanet Linux User Group http://www.thanet.lug.org.uk/ [EMAIL PROTECTED] GPG KEY: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xFEA1BC16 -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
On Wed, 20 Jun 2007 13:24:55 +0100 Matthew Macdonald-Wallace <[EMAIL PROTECTED]> wrote: > Quoting Robert McWilliam <[EMAIL PROTECTED]>: > > xhost +local: > > In theory, you shouldn't need to do even this, the gksudo command > should work without needing to open up X to local connections. Doesn't work here: [EMAIL PROTECTED]:~$ xhost -local: non-network local connections being removed from access control list [EMAIL PROTECTED]:~$ gksudo -u st firefox Xlib: No protocol specified (firefox-bin:26170): Gtk-WARNING **: cannot open display: [EMAIL PROTECTED]:~$ xhost +local: non-network local connections being added to access control list [EMAIL PROTECTED]:~$ gksudo -u st firefox [EMAIL PROTECTED]:~$ firefox started the second time. Robert McWilliam [EMAIL PROTECTED]www.ormiret.com 1 in 4 vets have treated drunk dogs. -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Quoting Robert McWilliam <[EMAIL PROTECTED]>: > On Wed, 20 Jun 2007 12:48:58 +0100 > alan c <[EMAIL PROTECTED]> wrote: >> Would there be a procedure to use browser/s with a different 'user' >> password, with much lower privileges than the normal user, so that >> when browsing the 'user-low' being used is not allowed to download >> anything knowingly or not (without password)? Accepted that the the >> user-low is still using a browser which may have weaknesses. >> > > Yes. I just found this procedure by playing around so there may be a > better one. > > First you need to have another user to run firefox as, and you need to > tell the xserver that local users can connect to it (not just the user > who owns it) with: > xhost +local: In theory, you shouldn't need to do even this, the gksudo command should work without needing to open up X to local connections. M. -- Matthew Macdonald-Wallace Group Co-Ordinator Thanet Linux User Group http://www.thanet.lug.org.uk/ [EMAIL PROTECTED] GPG KEY: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xFEA1BC16 -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
On Wed, 20 Jun 2007 12:48:58 +0100 alan c <[EMAIL PROTECTED]> wrote: > Would there be a procedure to use browser/s with a different 'user' > password, with much lower privileges than the normal user, so that > when browsing the 'user-low' being used is not allowed to download > anything knowingly or not (without password)? Accepted that the the > user-low is still using a browser which may have weaknesses. > Yes. I just found this procedure by playing around so there may be a better one. First you need to have another user to run firefox as, and you need to tell the xserver that local users can connect to it (not just the user who owns it) with: xhost +local: then you can start firefox as another user with: gksudo -u browser firefox where browser should be replaced with the user you created for browsing. You can play with what the new user is allowed to do to limit the damage that taking over firefox can do. The same procedure can be used to run any app with reduced or escalated privileges. Robert McWilliam [EMAIL PROTECTED]www.ormiret.com Common sense is the collection of prejudices acquired by age 18. -- Albert Einstein -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Quoting alan c <[EMAIL PROTECTED]>: > Thanks, much appreciated. > > Would there be a procedure to use browser/s with a different 'user' > password, with much lower privileges than the normal user, so that > when browsing the 'user-low' being used is not allowed to download > anything knowingly or not (without password)? Accepted that the the > user-low is still using a browser which may have weaknesses. In theory, you could setup a new user and group that has permissions from /etc/sudoers to only run firefox. You could then setup a shortcut on your desktop to make firefox run using gksudo as this new user, although for the time being I really don't think its something to worry about too much. M. -- Matthew Macdonald-Wallace Group Co-Ordinator Thanet Linux User Group http://www.thanet.lug.org.uk/ [EMAIL PROTECTED] GPG KEY: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xFEA1BC16 -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Matthew Macdonald-Wallace wrote: > Alan, > > Quoting alan c <[EMAIL PROTECTED]>: > >> With Ubuntu in mind I would be grateful for more information >> about the possible vulnerability - or not - of the sort of >> malware (trojan) which is likely to be used in the sort of >> current, and on a new scale, attack via infected websites as >> described in the Guardian: >> >> http://www.guardian.co.uk/international/story/0,,2106855,00.html >> >> My initial reaction is of course that linux doe snot install >> anything without a password, but then I remembered that in my >> user activities I was able to install a firefox extension without >> a password (I think), and in principle I can install into my >> user area with no password generally. >> >> So could a trojan be installed easily from an infected website >> without my knowledge? > > The answer is that at some point, there will be a vulnerability in > Firefox or any other open-source web browser that allows for this > kind of content to download itself onto your computer. > > This could be a keylogger which then emails logfiles to an irc-chat > room somewhere for _your user_, however it would not be able to > run as root unless you let it or it was working in conjunction with > other exploits that allowed unauthorised access to your system. > > The good news is that the chances of this is rare for the following > reasons: > > 1) Generally, a completely different set of code instructions would > need to be compiled for the program to run under linux 2) As the > vast majority of people use Windows, crackers are less likely to > write a trojan for Linux-based machines (although this could change > in time) 3) The chances of getting the exact two vulnerabilities > that the torjan/bug is written to exploit are pretty remote > > So all in all, viruses[0] and their ilk will come to linux as it > becomes more and more popular, however there will alwys be the fact > that Linux is inherently more secure than some of the alternatives > out there to give you a warm, fuzzy feeling... :o) > > HTH, > > M. [0] and it is Viruses, not Virii as I had though for years! Thanks, much appreciated. Would there be a procedure to use browser/s with a different 'user' password, with much lower privileges than the normal user, so that when browsing the 'user-low' being used is not allowed to download anything knowingly or not (without password)? Accepted that the the user-low is still using a browser which may have weaknesses. -- alan cocks Kubuntu user#10391 -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
Re: [ubuntu-uk] Ubuntu (linux) vulnerabilty?? Comment please
Alan, Quoting alan c <[EMAIL PROTECTED]>: > With Ubuntu in mind I would be grateful for more information about the > possible vulnerability - or not - of the sort of malware (trojan) > which is likely to be used in the sort of current, and on a new scale, > attack via infected websites as described in the Guardian: > > http://www.guardian.co.uk/international/story/0,,2106855,00.html > > My initial reaction is of course that linux doe snot install anything > without a password, but then I remembered that in my user activities I > was able to install a firefox extension without a password (I think), > and in principle I can install into my user area with no password > generally. > > So could a trojan be installed easily from an infected website without > my knowledge? The answer is that at some point, there will be a vulnerability in Firefox or any other open-source web browser that allows for this kind of content to download itself onto your computer. This could be a keylogger which then emails logfiles to an irc-chat room somewhere for _your user_, however it would not be able to run as root unless you let it or it was working in conjunction with other exploits that allowed unauthorised access to your system. The good news is that the chances of this is rare for the following reasons: 1) Generally, a completely different set of code instructions would need to be compiled for the program to run under linux 2) As the vast majority of people use Windows, crackers are less likely to write a trojan for Linux-based machines (although this could change in time) 3) The chances of getting the exact two vulnerabilities that the torjan/bug is written to exploit are pretty remote So all in all, viruses[0] and their ilk will come to linux as it becomes more and more popular, however there will alwys be the fact that Linux is inherently more secure than some of the alternatives out there to give you a warm, fuzzy feeling... :o) HTH, M. [0] and it is Viruses, not Virii as I had though for years! -- Matthew Macdonald-Wallace Group Co-Ordinator Thanet Linux User Group http://www.thanet.lug.org.uk/ [EMAIL PROTECTED] GPG KEY: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xFEA1BC16 -- ubuntu-uk@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-uk https://wiki.kubuntu.org/UKTeam/
