Re: Is there something that can be done against this ???

joseph.bueno@trader.com
Tue, 14 Aug 2001 15:16:55 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Jan-Benedict Glaw: "Re: [OT] DMCA loop hole"
Previous message: Frank Jacobberger: "emu10k1.o and 2.4.8-ac2"
Maybe in reply to: Mircea Ciocan: "Is there something that can be done against this ???"
Next in thread: Helge Hafting: "Re: Is there something that can be done against this ???"

David Schwartz wrote:
>
> > The question is not : "is this script dangerous ?",
> > but "are you ready to blindly execute a shell script
> > (or any program) that you receive in your mail ?".
>
> Sure, as a user created solely for that purpose, it should be entirely
> safe.
>

How many users are there that use a specific user account to read
their emails on their Linux workstation ?
I don't, I use my account to read mails, write documents,
develop programs,etc. So even if a malicious program does
not do any arm to the system, it can at least destroy or corrupt my
own files and I will loose time restoru=ing from last backup and
rebuilding recently modified files.

> > I don't care if this script is dangerous or not because I will
> > never execute it,
> > or any program that I receive my email before checking its
> > contents and making sure
> > it is OK.
> > (And my mail reader will not execute anything automatically, not
> > even Javascript).
>
> Why? Is it because you don't trust your system security? Your operating
> system shouldn't let the script do anything you don't want it to do.

Yes I trust my system security. But even the system is not affected,
since the script will run with my userid, it will be able to do everything
I am allowed to do.

>
> > If somebody is dumb enough to execute any program received by email,
> > don't loose time trying to find some weaknesses in the system; just
> > send him a shell script with "rm -rf /". It will do enough harm !
>
> That should do no harm. What you mean to say is "if somebody is dumb enough
> to execute any program recieved by email under a user account that has
> permissions to modify files he cares about, consume too many process slots,
> consume excessive vm, or has other special capabilities".

It was just a one line example. Even if does not do any harm to
system files, it will harm my own files !

BTW, how many people are positively sure that they can
run "su nobody -c rm -rf /" on their system without loosing anything ?

>
> > Best protection against mail virus is not technical (although it
> > may help),
> > but user education; and this is true regardless of which operating system
> > or mail reader is used !
>
> If a user can run code that can harm the system, then nobody who isn't
> trusted not to harm the system can be a user. That's not how we want Linux
> to be, is it?

Well, you are right; but even if a user does not harm the system,
he will harm himself and there is no way the system can protect him
against it. So we are back to my point: user protection comes from
user education.

>
> DS
>
Regards

--
Joseph Bueno
NetClub/Trader.com
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Next message: Jan-Benedict Glaw: "Re: [OT] DMCA loop hole"
Previous message: Frank Jacobberger: "emu10k1.o and 2.4.8-ac2"
Maybe in reply to: Mircea Ciocan: "Is there something that can be done against this ???"
Next in thread: Helge Hafting: "Re: Is there something that can be done against this ???"