List: kde-devel
Subject: Re: SSH kioslave
From: Jörg Walter <ehrlich () ich ! bin ! kein ! hoschi ! de>
Date: 2001-10-11 18:47:48
On Wednesday 10 October 2001 23:55, George Staikos wrote:
> > Only none worked until Saturday, when I began coding this one. Or they
> > were hiding cleverly. kio_fish works, and I am confident enough to call
> > it 1.0, both feature- and bug-wise. (Please, do send bug reports or
> > simple "it works") Moreover, FISH is not sftp. FISH is no protocol at
> > all, but using dd, cat, rm, mv, cp, grep, ls, ... to do all filesystem
> > management tasks. I even want to try to use rsync for better performance,
> > dunno yet if it is possible. Basically, even if you're stuck with some
> > obscure web server O/S and no admin privileges, you can still work fine.
> I would just like to point out that this is perhaps the most dangerous
> I/O slave to install yet. I haven't seen how it works, but based on
> description, it sounds like a webpage redirecting to this i/o slave could
> do virtually anything.
Good point, though a redirecting webpage will "only" trigger fetching a file.
(Or is there some URL Syntax that triggers deletion of a file?)
kio_fish is a straight networking-filesystem type of ioslave, designed to
resemble file:// in look&feel as closely as possible. So it shouldn't be more
dangerous than the file:// ioslave.
One point to remember, though, is the ease of access this ioslave gives to
you. Having easy access to different remote machines poses a threat in
itself, since mistakes are made easier.
During the last days, I had access to machines I didn't visit during the
whole last year, cleaned up home directories, collected all the files that
were scattered throughout the world. One or two of them were shared accounts,
where a mistake could have wreaked havoc on someone else's files as well. Or
think of root access via ssh (If you enabled it. Don't!).
> So, do we have this hole fully closed up in konqueror yet? If so,
> people should be made aware to only use this slave on current versions.
Is it really a hole? Even if redirecting to some fish:// URL, there is still
a password to be entered. If you are using ssh-agent or kdesud, you should
already know this is a security risk.
--
CU
Joerg
PGP Public Key at http://ich.bin.kein.hoschi.de/~trouble/public_key.asc
PGP Key fingerprint = D34F 57C4 99D8 8F16 E16E 7779 CDDC 41A4 4C48 6F94