List: kmail-devel
Subject: Bug#14253: kmail html security bug
From: George Staikos <staikos () kde ! org>
Date: 2000-11-01 10:59:16
On Wednesday 01 November 2000 05:33, Andreas Pour wrote:
> > > > So it is possible to exec programs which needn't arguments. E.g.
> > > > "/sbin/halt" if I work with "root" were big shit.
> > >
> > > Nobody is supposed to run KDE as root.
>
> I truly don't understand this. If that is so, why is there a kfm-su in
> kde 1.1.x? And why is there kdesu? And why are there control modules
> that only work as root?
>
> I understand that users should not run their entire session as root.
> But doesn't root get mail? And how are ex-windowites to read mail w/out
> KMail -- they should learn to use mutt? Why have KMail if you can't use
> it to read mail securely?
>
> I'm sorry, but that answer is a cop-out. KMail will hopefully be fixed
> to not execute scripts; in fact there was a long discussion about this
> some months ago and I thought it had been fixed.

That's why you have .forward.
If you're in a hostile environment, don't log in [to kde] as root. Use
kdesu when necessary and that's it. If you're in a non-hostile environment,
it doesn't matter because you won't receive these evil emails anyways.
[Hostile environment => data/code comes in from external and possibly
untrusted sites]
--
George Staikos
_______________________________________________
Kmail Developers mailing list
Kmail@master.kde.org
http://master.kde.org/mailman/listinfo/kmail