List: kde-core-devel
Subject: Re: KDE and the executable bit
From: Marc Espie <espie () nerim ! net>
Date: 2008-01-28 12:46:23
Message-ID: 20080128124623.GA29302 () lain ! home
On Mon, Jan 28, 2008 at 02:23:32PM +0200, Andras Mantia wrote:
> On Monday 28 January 2008, Marc Espie wrote:
> > Your average user gets a .jpg file, he doesn't want it to execute
> > just because it has an x bit...

> Let me know how the average user gets a jpg file with the x bit...

You have your security backwards.

Most attack scenarios involve quite a few intermediate steps.
Blocking them only requires that you remove one intermediate step.

You just need to focus on the actual issue. Assume your average user
gets a file that looks like a jpg (or some other MIME-type), and that
has the executable type. If you execute that blindly, then you will
be part of some attacks.

Executing `surprising' files is a bad idea, as Windows has proved times

> And again, what if the average user gets a compiled file, and .sh file
> which does rm -rf $HOME ?

This is less surprising. At least, compiled files without any other
MIME-Types don't masquerade as anything else...

At some point, there's probably sense in not blindly executing shell
scripts... after all, everyone filters out .pif files by this point....
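
The distinction drawn in the message above (an executable bit on a file that presents itself as an image, versus a binary that masquerades as nothing else, versus a shell script) can be written as an activation check. This is an added example, not part of the original message and not KDE code; the policy names, the signature tables and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Constructed tables: content signatures and extensions of pure-data types.
DATA_MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG\r\n\x1a\n": "image/png"}
DATA_EXT = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png"}

def sniff(path):  # classify by leading bytes, ignoring the file name
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(b"\x7fELF"):
        return "application/x-executable"
    if head.startswith(b"#!"):
        return "application/x-shellscript"
    for magic, mime in DATA_MAGIC.items():
        if head.startswith(magic):
            return mime
    return "application/octet-stream"

def activation_policy(path):
    """Decide what a double-click should do (hypothetical policy, not KDE's)."""
    has_x = bool(os.stat(path).st_mode & 0o111)  # any execute bit set
    ext = os.path.splitext(path)[1].lower()
    content = sniff(path)
    if ext in DATA_EXT or content in DATA_MAGIC.values():  # presents as data: never run
        suspicious = has_x or DATA_EXT.get(ext) != content
        return "open-in-viewer-and-warn" if suspicious else "open-in-viewer"
    if not has_x:
        return "open-as-data"
    if content == "application/x-executable":
        return "execute"   # a binary that masquerades as nothing else
    return "ask-user"      # scripts and unknown content: confirm first

def demo():  # build constructed sample files and return the decision for each
    samples = {  # name: (leading bytes, mode)
        "holiday.jpg": (b"#!/bin/sh\necho constructed sample\n", 0o755),
        "photo.jpg": (b"\xff\xd8\xff\xe0" + b"\0" * 12, 0o644),
        "tool": (b"\x7fELF" + b"\0" * 12, 0o755),
        "cleanup.sh": (b"#!/bin/sh\necho constructed sample\n", 0o755),
    }
    out = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (data, mode) in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            os.chmod(p, mode)
            out[name] = activation_policy(p)
    return out
```

Here `holiday.jpg` (script content, image name, x bit set) is opened in a viewer with a warning rather than run, while the identical bytes named `cleanup.sh` only reach a confirmation prompt.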