[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-core-devel
Subject:    Re: KDE and the executable bit
From:       Marc Espie <espie () nerim ! net>
Date:       2008-01-28 12:46:23
Message-ID: 20080128124623.GA29302 () lain ! home
[Download RAW message or body]

On Mon, Jan 28, 2008 at 02:23:32PM +0200, Andras Mantia wrote:
> On Monday 28 January 2008, Marc Espie wrote:
> > Your average user gets a .jpg file, he doesn't want it to execute
> > just because it has an x bit...

> Let me know how the average user gets a jpg file with the x bit...

You are having your security backwards.

Most attack scenarios involve quite a few intermediate steps.
Blocking them only requires that you remove one intermediate step.

You just need to focus about the actual issue. Assume your average user
gets a file that looks like a jpg (or some other MIME-type), and that
has the executable type. If you execute that blindly, then you will
be part of some attacks.

Executing `surprising' files is a bad idea, as windows has proved times

> And again, what if the average user gets a compiled file, and .sh file 
> which does rm -rf $HOME ? 

This is less surprising.  At least, compiled files without any other
MIME-Types don't masquerade as anything else...

At some point, there's probably sense into not blindly executing shell
scripts... after all, everyone filters out .pif files by this point....
[prev in list] [next in list] [prev in thread] [next in thread]